plooshi / plooshra1n


Not work for old ios 12-14.8.1 #2

Closed mon0208 closed 1 year ago

mon0208 commented 1 year ago

I tested on iPhone 6 Plus, sending the payload all done, but phone not jailbroken?

mon0208 commented 1 year ago

If the phone is jailbroken with checkra1n 0.12.4 and re-jailbroken with plooshra1n it works. But if I format the iPhone and jailbreak with plooshra1n it doesn't work.

plooshi commented 1 year ago

it is made for booting 0.12.4 on those versions. i can try to fix setting up if you tell me what the issue is (stuck in verbose, pongoOS, etc)

mon0208 commented 1 year ago

not stuck bro, ran all steps done, after jailbreak phone boots into home screen but jailbreak unsuccessful. no checkra1n app and can't connect ssh.

plooshi commented 1 year ago

connect to SSH on port 44. checkra1n app needs a uicache which you can get by running 0.12.4 with the -c flag

mon0208 commented 1 year ago

    C:\Users\nguye\Desktop\plooshra1n>plooshra1n.exe -c
    [Error] src/options.c:130 (parse_options) --> Cannot setup rootful when rootless is requested. Use -f to enable rootful mode.
    [Debug] src/wait_device.c:24 (wait_usb_handles) --> Waiting for devices...
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 1 succeeded
    [Info] openra1n.c:1027 (openra1n_checkm8) --> Setting up the exploit (this is the heap spray)
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 2 succeeded
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 3 succeeded
    [Info] openra1n.c:1034 (openra1n_checkm8) --> Right before trigger (this is the real bug setup)
    [Debug] openra1n.c:890 (checkm8_stage_patch) --> setting up stage 2 for t7000
    [Debug] openra1n.c:929 (checkm8_stage_patch) --> successfully leaked data
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 0 succeeded
    [Info] openra1n.c:961 (checkm8_boot_pongo) --> Booting pongoOS
    [Debug] openra1n.c:962 (checkm8_boot_pongo) --> Appending shellcode to the top of pongoOS (512 bytes)
    [Debug] openra1n.c:965 (checkm8_boot_pongo) --> Compressing pongoOS
    [Debug] openra1n.c:969 (checkm8_boot_pongo) --> Compressed pongoOS from 254224 to 148253 bytes
    [Debug] openra1n.c:977 (checkm8_boot_pongo) --> Setting the compressed size into the shellcode
    [Debug] openra1n.c:982 (checkm8_boot_pongo) --> Reconnecting to device
    [Debug] openra1n.c:984 (checkm8_boot_pongo) --> Waiting for device to be ready
    [Debug] openra1n.c:1003 (checkm8_boot_pongo) --> Sent pongoOS (148765 bytes)
    [Debug] openra1n.c:1006 (checkm8_boot_pongo) --> pongoOS sent, should be booting
    [Debug] src/main.c:23 (main) --> Waiting for device to reconnect in pongoOS mode...
    [Debug] src/main.c:31 (main) --> Device connected in pongoOS mode!
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'fuse lock'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'sep auto'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 118440 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'modload'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'darwin'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'plshrain'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 1048576 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'ramdisk'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 5209403 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'overlay'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'xargs wdt=-1 rootdev=md0'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'bootx'
    [Info] src/pongo.c:67 (boot_device) --> Device should now be booting!
    [Info] src/pongo.c:72 (boot_device) --> Please wait up to 10 minutes for the fakefs to be created.
    [Info] src/pongo.c:73 (boot_device) --> Once the device boots up to iOS, run again without the -c (Create FakeFS) option to jailbreak.

This is the log when I run plooshra1n on Windows bro. after the phone reboots it is still not jailbroken

mon0208 commented 1 year ago


this I ran with flag -c

plooshi commented 1 year ago

run with -f -c

mon0208 commented 1 year ago

Same result sir

plooshi commented 1 year ago

remove -c after it reboots

mon0208 commented 1 year ago

remove -c after it reboots

i don't understand bro.

first run plooshra1n -f -c, second run plooshra1n -f again?

plooshi commented 1 year ago

yep

mon0208 commented 1 year ago

yep

    C:\Users\nguye\Desktop\plooshra1n>plooshra1n -f -c
    [Debug] src/wait_device.c:24 (wait_usb_handles) --> Waiting for devices...
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 1 succeeded
    [Info] openra1n.c:1027 (openra1n_checkm8) --> Setting up the exploit (this is the heap spray)
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 2 succeeded
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 3 succeeded
    [Info] openra1n.c:1034 (openra1n_checkm8) --> Right before trigger (this is the real bug setup)
    [Debug] openra1n.c:890 (checkm8_stage_patch) --> setting up stage 2 for t7000
    [Debug] openra1n.c:929 (checkm8_stage_patch) --> successfully leaked data
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 0 succeeded
    [Info] openra1n.c:961 (checkm8_boot_pongo) --> Booting pongoOS
    [Debug] openra1n.c:962 (checkm8_boot_pongo) --> Appending shellcode to the top of pongoOS (512 bytes)
    [Debug] openra1n.c:965 (checkm8_boot_pongo) --> Compressing pongoOS
    [Debug] openra1n.c:969 (checkm8_boot_pongo) --> Compressed pongoOS from 254224 to 148253 bytes
    [Debug] openra1n.c:977 (checkm8_boot_pongo) --> Setting the compressed size into the shellcode
    [Debug] openra1n.c:982 (checkm8_boot_pongo) --> Reconnecting to device
    [Debug] openra1n.c:984 (checkm8_boot_pongo) --> Waiting for device to be ready
    [Debug] openra1n.c:1003 (checkm8_boot_pongo) --> Sent pongoOS (148765 bytes)
    [Debug] openra1n.c:1006 (checkm8_boot_pongo) --> pongoOS sent, should be booting
    [Debug] src/main.c:23 (main) --> Waiting for device to reconnect in pongoOS mode...
    [Debug] src/main.c:31 (main) --> Device connected in pongoOS mode!
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'fuse lock'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'sep auto'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 118440 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'modload'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'darwin'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'palera1n_flags 0x4000005'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 1048576 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'ramdisk'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 5209403 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'overlay'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'xargs wdt=-1 rootdev=md0'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'bootx'
    [Info] src/pongo.c:67 (boot_device) --> Device should now be booting!
    [Info] src/pongo.c:72 (boot_device) --> Please wait up to 10 minutes for the fakefs to be created.
    [Info] src/pongo.c:73 (boot_device) --> Once the device boots up to iOS, run again without the -c (Create FakeFS) option to jailbreak.

    C:\Users\nguye\Desktop\plooshra1n>plooshra1n -f
    [Debug] src/wait_device.c:24 (wait_usb_handles) --> Waiting for devices...
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 1 succeeded
    [Info] openra1n.c:1027 (openra1n_checkm8) --> Setting up the exploit (this is the heap spray)
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 2 succeeded
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 3 succeeded
    [Info] openra1n.c:1034 (openra1n_checkm8) --> Right before trigger (this is the real bug setup)
    [Debug] openra1n.c:890 (checkm8_stage_patch) --> setting up stage 2 for t7000
    [Debug] openra1n.c:929 (checkm8_stage_patch) --> successfully leaked data
    [Debug] openra1n.c:1039 (openra1n_checkm8) --> Stage 0 succeeded
    [Info] openra1n.c:961 (checkm8_boot_pongo) --> Booting pongoOS
    [Debug] openra1n.c:962 (checkm8_boot_pongo) --> Appending shellcode to the top of pongoOS (512 bytes)
    [Debug] openra1n.c:965 (checkm8_boot_pongo) --> Compressing pongoOS
    [Debug] openra1n.c:969 (checkm8_boot_pongo) --> Compressed pongoOS from 254224 to 148253 bytes
    [Debug] openra1n.c:977 (checkm8_boot_pongo) --> Setting the compressed size into the shellcode
    [Debug] openra1n.c:982 (checkm8_boot_pongo) --> Reconnecting to device
    [Debug] openra1n.c:984 (checkm8_boot_pongo) --> Waiting for device to be ready
    [Debug] openra1n.c:1003 (checkm8_boot_pongo) --> Sent pongoOS (148765 bytes)
    [Debug] openra1n.c:1006 (checkm8_boot_pongo) --> pongoOS sent, should be booting
    [Debug] src/main.c:23 (main) --> Waiting for device to reconnect in pongoOS mode...
    [Debug] src/main.c:31 (main) --> Device connected in pongoOS mode!
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'fuse lock'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'sep auto'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 118440 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'modload'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'darwin'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'palera1n_flags 0x4000001'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 1048576 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'ramdisk'
    [Debug] src/pongo.c:162 (upload_pongo_file) --> Uploaded 5209403 bytes
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'overlay'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'xargs rootdev=md0'
    [Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'bootx'
    [Info] src/pongo.c:67 (boot_device) --> Device should now be booting!

after the phone boots it's not jailbroken bro. I tried iPhone 6 (iOS 12.5.7) and 6 Plus, not working
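The two runs pasted above differ only in the `palera1n_flags` value (0x4000005 vs 0x4000001) and the `wdt=-1` boot argument. The following is an added example, not code from this thread or from the plooshra1n project: it parses the flattened `[Level] file:line (func) --> message` log format into records and diffs the PongoOS command sequences of two runs, using constructed samples abbreviated from the logs above.

```python
import re

# Constructed samples, abbreviated from the two runs pasted in the thread above and
# flattened onto one line the way the issue pasted them (prompt line included).
RUN_WITH_C = (
    "C:\\plooshra1n>plooshra1n -f -c "
    "[Debug] src/wait_device.c:24 (wait_usb_handles) --> Waiting for devices... "
    "[Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'fuse lock' "
    "[Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'darwin' "
    "[Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'palera1n_flags 0x4000005' "
    "[Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'xargs wdt=-1 rootdev=md0' "
    "[Debug] src/pongo.c:103 (issue_pongo_command) --> Executing PongoOS command: 'bootx' "
    "[Info] src/pongo.c:67 (boot_device) --> Device should now be booting!"
)
# The plain -f run from the thread differs only in the flags value and the missing wdt=-1.
RUN_NO_C = RUN_WITH_C.replace("-f -c ", "-f ").replace("0x4000005", "0x4000001").replace("wdt=-1 ", "")

# One record: "[Level] file:line (func) --> message"; the message runs until the next tag.
ENTRY = re.compile(
    r"\[(Debug|Info|Error)\] (\S+):(\d+) \((\w+)\) --> (.*?)(?=\s*\[(?:Debug|Info|Error)\] |\s*$)",
    re.S,
)
CMD = re.compile(r"Executing PongoOS command: '([^']*)'")

def parse_log(text):
    """Split a flattened plooshra1n log into level/file/line/func/msg records."""
    return [
        {"level": lv, "file": f, "line": int(ln), "func": fn, "msg": msg.strip()}
        for lv, f, ln, fn, msg in ENTRY.findall(text)
    ]

def pongo_commands(entries):
    """The PongoOS command sequence the host issued, in order."""
    return [m.group(1) for e in entries for m in [CMD.search(e["msg"])] if m]

def palera1n_flags(entries):
    """The palera1n_flags value sent to PongoOS, or None if the run never set one."""
    for cmd in pongo_commands(entries):
        if cmd.startswith("palera1n_flags "):
            return int(cmd.split()[1], 16)
    return None

def diff_runs(a, b):
    """Commands issued in only one of two runs, e.g. the -f -c run versus the plain -f run."""
    ca, cb = pongo_commands(parse_log(a)), pongo_commands(parse_log(b))
    return {"only_in_first": [c for c in ca if c not in cb],
            "only_in_second": [c for c in cb if c not in ca]}
```

Feeding both full logs from the thread to `diff_runs` shows exactly which PongoOS commands and boot arguments changed between the fakefs-creation run and the boot run, which is the first thing to compare when the second boot comes up unjailbroken.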

plooshi commented 1 year ago

can you run this: plooshra1n --help

mon0208 commented 1 year ago

can you run this: plooshra1n --help

    C:\Users\nguye\Desktop\plooshra1n>plooshra1n -help
    Usage: plooshra1n [-RDhSpPs] [-BcCfl] [-b boot arguments]
    Made by Ploosh, using palera1n resources (for now)
    iOS/iPadOS 12.0-17.0 jailbreak for arm64 devices

    -R, --force-revert                      Remove jailbreak
    -b, --boot-args <boot arguments>        XNU boot arguments
    -D, --dfuhelper                         Exit after entering DFU
    -h, --help                              Show this help
    -S, --serial                            Log to serial console
    -p, --pongo-shell                       Boots to PongoOS shell
    -P, --pongo-full                        Boots to a PongoOS shell with default images already uploaded
    -s, --safe-mode                         Enter safe mode

    iOS 15+ specific options:
        -B, --setup-bindfs                      Setup bindfs
        -c, --setup-fakefs                      Setup fakefs
        -C, --clean-fakefs                      Clean fakefs
        -f, --fakefs                            Boots fakefs
        -l, --rootless                          Boots rootless. This is the default

plooshi commented 1 year ago

okay, so you're using a relatively recent build with the auto-detection feature... i think you'll just need to use checkra1n -c to fix the checkra1n app not appearing.

mon0208 commented 1 year ago

I use Windows bro, checkra1n only works on Mac and Linux. Hope you fix plooshra1n soon. I tried only plooshra1n -c, that doesn't work either. There is one strange thing: if the iPhone was jailbroken with checkra1n over USB before, after rebooting the device and jailbreaking with plooshra1n it works. But if I fresh restore the iPhone and jailbreak with plooshra1n only, it doesn't work.

plooshi commented 1 year ago

yes, because springboard doesn't know about the checkra1n app.

mon0208 commented 1 year ago

ssh doesn't work either :(, hope you fix it soon

plooshi commented 1 year ago

even using

iproxy 4444 44
ssh root@localhost -p 4444

?

mon0208 commented 1 year ago

yes not work,

    iproxy 4444 44
    ssh root@localhost -p 4444

and

    iproxy 2222 44
    ssh root@localhost -p 2222

not work too

plooshi commented 1 year ago

odd. should be working fine..

mon0208 commented 1 year ago

any update :( I tried all models on old iOS, not working