Closed AtifChy closed 4 years ago
PayPal crash cause of JB detection use PalBreak for JB detection bypass
I wouldn’t have posted if there was an update
PayPal isn’t crashing because of Jailbreak detection. All apps have worked before update
If what you’re saying is true, then some how apps I used daily randomly started crashing even when they don’t receive updates. PayPal isn’t the only app.
Sometimes when I use Xcode to build an app my device becomes unresponsive and reboots.
@saurik iPhone 5S and 6 users are still reporting freezing issues that appear to be much more brutal even after the latest update (Freezing just a few minutes after jailbreaking.)... Do you have any clue about what the issue may be yet? If not, I can find some helpful people who are having this issue and redirect them here to help you identify it
@saurik I got a Reddit user to provide syslog from their iPhone 6 that has freezing issues with Substrate and have noticed that the kernel repeatedly logs this message until the system freezes: "vnode: table is full"!
@soum91 the panic log would be helpful.
@chasewhip8 & @pwn20wndstuff I have “panic-full” log if it helps; iPhone 6 11.3.1
@pwn20wndstuff
Do you have any clue about what the issue may be yet?
I pretty much have "no clue": like, I have one idea, and I am almost 100% sure that it is wrong.
I got a Reddit user to provide syslog...
Do you know if this includes the output from ASL? (Substrate logs its status and errors to ASL.)
vnode: table is full
This is really interesting... it either means that substrated is being rapidly started and restarted over and over again (maybe it is crashing!), or it means that the memory layout of these devices is somehow different in a way that is messing with my ability to construct deterministic hooks.
@saurik In addition to that, I have also noticed that the devices that are having the "vnode: table is full" issue have significantly less capacity for vnodes (kern.maxvnodes=3700 compared to kern.maxvnodes=4700 on the other devices). Perhaps you are mapping too many files? It’s also worth mentioning that host_page_size() is known to lie on those devices, just saying in case you have an important check that depends on it. Also, while I was writing this comment, the Reddit user finished testing my (temporary) advice (increasing kern.maxvnodes) and has reported that the device was running smoothly now.
It seems like this isn’t quite a system lockup but a kernel panic. May need to ask them for a panic log too
I’ve experienced times where springboard would crash and be stuck in that state (endless spinning) and then reboot.
@BiasShadow Yeah, so that doesn't sound anything like a "loop": that just sounds like it is "freezing". If anyone has an actual "loop" that is going to be like, a five minute fix with the right kind of log; but if you are having it just freeze, then that is much more complex to diagnose.
Tried opening PayPal, but it crashed
OK: I've replicated this issue. This is definitely unrelated, and is something I've seen before (but not nearly so brutally). What is happening is PayPal is using an Objective-C category to hook code that is a dependency of loading the "main bundle". I will try to fix this one today.
Substrate causes some system daemons to act weird and hog CPU (including 7011) on A11 devices. Daemons such as diagnosticd, mobilewatchdog, aggregated are the main ones that cause the battery drain. The problem seems to have disappeared after going back to Electra 1.0.4+Substitute from unc0ver 2.1.0 + 7011 Substrate.
@perrycucko This issue is caused by tweaks. We have already discussed this on Twitter and Reddit.
@saurik It’s been over 30 minutes or so since the tester increased kern.maxvnodes on their device. According to them, they haven’t experienced any issue yet whereas before doing this, their system would fall down in flames every 10 minutes or so
It’s also worth mentioning that host_page_size() is known to lie on those devices, just saying in case you have an important check that depends on it.
@pwn20wndstuff This is quite likely going to cause me some kind of problem.
Can someone run the following program and give me the output?
@saurik The only case I know where host_page_size() lies is the iPad Air 2 and iPad Mini 4. iPad Air 2 is A8X and Mini 4 A8. yalu102 relied on that for the KPP bypass, and those devices were a special case, Todesco had to hardcode the fact that they use 4K pages, unlike 16K which is reported by host_page_size(). However I own an iPad Air 2 and haven't noticed any issues like those people are saying "every 10 minutes" or so. I only encountered one random freeze today (for the first time in unc0ver) and nothing similar since. Tried to replicate it by triggering the Twitter bug, but after three times in a row of memory pressure device is still working with no problems.
@saurik I just got someone with an iPhone 6 to run it. Results are interesting
sysctl(hw.machine) = iPhone7,2
sysctl(kern.osrelease) = 17.5.0
sysctl(kern.osproductversion) = 11.3.1
vm_kernel_page_size = 4096
host_page_size() = 4096
getpagesize() = 16384
sysctl(vm.pagesize) = 4096
sysctl(hw.pagesize) = 16384
sysctl(hw.pagesize32) = 16384
@saurik Also, while we are all confused with this, the Reddit user that increased kern.maxvnodes limit finally got a panic again (It took a while this time). This was obviously not a fix anyway
@saurik Do you have any idea about the confusing output? Is Substrate even affected by this?
Another person’s output:
64 sysctl(hw.machine) = iPhone7,2
64 sysctl(kern.osrelease) = 17.5.0
64 sysctl(kern.osproductversion) = 11.3.1
64 vm_kernel_page_size = 4096
64 vm_page_size = 16384
64 host_page_size() = 4096
64 getpagesize() = 16384
64 sysctl(vm.pagesize) = 4096
64 sysctl(hw.pagesize) = 16384
64 sysctl(hw.pagesize32) = 16384
32 = 86 [Bad CPU type in executable]
I got enough outputs from iPhone7,2’s (iPhone 6)
Here's mine, keeping in mind this is theoretically wrong, as iPad Air 2 uses 4K pages
64 sysctl(hw.machine) = iPad5,3
64 sysctl(kern.osrelease) = 17.5.0
64 sysctl(kern.osproductversion) = 11.3.1
64 ProductVersion = 11.3.1
64 vm_kernel_page_size = 16384
64 vm_page_size = 16384
64 host_page_size() = 16384
64 getpagesize() = 16384
64 sysctl(vm.pagesize) = 16384
64 sysctl(hw.pagesize) = 16384
64 sysctl(hw.pagesize32) = 16384
32 = 86 [Bad CPU type in executable]
@jakeajames Was this distinction from iOS 10? Like, is the thing you are talking about an issue that Luca was running into while working on iOS 10 jailbreaks? (Or maybe the issue is just if you are sitting in the kernel trying to do really low-level attacks?) I'm just confused, as based on what I'm seeing with other devices, I'd have considered the 64-bit processes to be at least internally consistent (so it almost doesn't matter what is being reported): like, I am struggling to come up with a way to actually cause a 4k page in a 64-bit process on a device that I know has 4k pages.
In the most recent version of pagesizes I've added an attempt to experimentally verify the page size with vm_remap. Can you run the latest version on your iPad Air 2?
I have also started doing an audit of everything I do in Substrate with respect to page sizes. I've found a couple places where I'm like "maybe this could be wrong?"; but again, the only scenarios would be when dealing with 64-bit/32-bit cross-process interaction :(.
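The kind of cross-check saurik's pagesizes tool performs, as an added example rather than the original program: it collects every page size a process can be told about and compares them against an experimental probe. The probe is my own and stands in for the vm_remap check described above; it relies on mmap() returning a page-aligned base and on mprotect() rejecting a non-page-aligned address with EINVAL (POSIX behaviour that both Linux and XNU implement). The Mach-only sources (host_page_size(), vm_page_size, vm_kernel_page_size) are compiled only under __APPLE__, so the program also builds on Linux, where every source should agree. Function and type names are my own.

```c
// Added example: report and cross-check the page sizes a process can observe.
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef __APPLE__
#include <mach/mach.h>   /* host_page_size(), vm_page_size, vm_kernel_page_size */
#endif

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef struct {
    const char *source;  /* where the value came from */
    size_t value;        /* page size in bytes, 0 if the source failed */
} page_report_t;

/* Experimentally determine the page size the kernel enforces: mmap() hands
 * back a page-aligned base, and mprotect() accepts base+off only when that
 * address is itself page aligned, so the smallest power-of-two offset that
 * mprotect() accepts is the real page size. Returns 0 on failure. */
size_t probe_page_size(void) {
    const size_t span = 2 * 65536;
    unsigned char *base = mmap(NULL, span, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return 0;
    size_t found = 0;
    for (size_t off = 4096; off <= 65536; off *= 2) {
        if (mprotect(base + off, off, PROT_READ) == 0) { found = off; break; }
        if (errno != EINVAL) break;  /* some other failure: do not guess */
    }
    munmap(base, span);
    return found;
}

/* Fill `out` with every page size this process can be told about. Returns count. */
int collect_page_sizes(page_report_t *out, int max) {
    int n = 0;
    if (n < max) { out[n].source = "getpagesize()";          out[n].value = (size_t)getpagesize(); n++; }
    if (n < max) { out[n].source = "sysconf(_SC_PAGESIZE)";  out[n].value = (size_t)sysconf(_SC_PAGESIZE); n++; }
#ifdef __APPLE__
    vm_size_t hps = 0;
    if (n < max && host_page_size(mach_host_self(), &hps) == KERN_SUCCESS) {
        out[n].source = "host_page_size()";     out[n].value = (size_t)hps; n++;
    }
    if (n < max) { out[n].source = "vm_page_size";           out[n].value = (size_t)vm_page_size; n++; }
    if (n < max) { out[n].source = "vm_kernel_page_size";    out[n].value = (size_t)vm_kernel_page_size; n++; }
#endif
    if (n < max) { out[n].source = "mprotect probe";         out[n].value = probe_page_size(); n++; }
    return n;
}

/* True only when every source reports the same non-zero page size. */
int page_sizes_consistent(const page_report_t *r, int n) {
    if (n == 0 || r[0].value == 0) return 0;
    for (int i = 1; i < n; i++)
        if (r[i].value != r[0].value) return 0;
    return 1;
}

int main(void) {
    page_report_t r[8];
    int n = collect_page_sizes(r, 8);
    for (int i = 0; i < n; i++)
        printf("%-24s = %zu\n", r[i].source, r[i].value);
    printf("consistent: %s\n", page_sizes_consistent(r, n) ? "yes" : "NO");
    return 0;
}
```

On the iPhone 6 outputs posted in this thread the check would report "NO" because vm_kernel_page_size (4096) disagrees with getpagesize() (16384); on the iPad Air 2 output and on Linux it reports "yes".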
FWIW, this is the output from an iPhone 6+ running iOS 8.0.
64 sysctl(hw.machine) = iPhone7,1
64 sysctl(kern.osrelease) = 14.0.0
64 sysctl(kern.osproductversion) = :(
64 ProductVersion = 8.0
64 vm_kernel_page_size = 4096
64 vm_page_size = 16384
64 host_page_size() = 4096
64 getpagesize() = 16384
64 sysctl(vm.pagesize) = 4096
64 sysctl(hw.pagesize) = 16384
64 sysctl(hw.pagesize32) = :(
64 vm_remap = 16384
32 sysctl(hw.machine) = iPhone7,1
32 sysctl(kern.osrelease) = 14.0.0
32 sysctl(kern.osproductversion) = :(
32 ProductVersion = 8.0
32 vm_kernel_page_size = 4096
32 vm_page_size = 4096
32 host_page_size() = 4096
32 getpagesize() = 4096
32 sysctl(vm.pagesize) = 4096
32 sysctl(hw.pagesize) = 4096
32 sysctl(hw.pagesize32) = :(
32 vm_remap = 4096
@saurik, Luca's issue was related to the KPP bypass which needed to know kernel page sizes in order to correctly work, he was relying on host_page_size and at the end he did this hack: https://github.com/kpwn/yalu102/blob/master/yalu102/pte_stuff.h#L66. It could however be related to low-level things as you said, because Ian Beer's empty_list exploit also utilizes host_page_size() and on my Air 2 it almost never works if I change the result to 4K, that is very weird and confusing indeed.
Here's new output:
64 sysctl(hw.machine) = iPad5,3
64 sysctl(kern.osrelease) = 17.5.0
64 sysctl(kern.osproductversion) = 11.3.1
64 ProductVersion = 11.3.1
64 vm_kernel_page_size = 16384
64 vm_page_size = 16384
64 host_page_size() = 16384
64 getpagesize() = 16384
64 sysctl(vm.pagesize) = 16384
64 sysctl(hw.pagesize) = 16384
64 sysctl(hw.pagesize32) = 16384
64 vm_remap = 16384
32 = 86 [Bad CPU type in executable]
So, the error log for substrated is stored in /var/tmp, which is semi-unuseful. This is a debug build of Substrate which 1) moves the log to /Library/Substrate (so you need to make that folder) and 2) turns on MSDebug in substrated (which causes it to spam every single operation it is doing to the log).
https://cache.saurik.com/substrate/debs/mobilesubstrate_0.9.7012~b1+3.g0d39cb1+lsl_iphoneos-arm.deb
@pwn20wndstuff Do you think that you can get a user that is running out of vnodes to run this (after creating /Library/Substrate; if that folder isn't there they go to /var/tmp still), and then send a copy of the logs (potentially all of the multiple logs, as maybe substrated is crashing over and over again)?
(FWIW, these logs would be useful to obtain from anyone else who is experiencing freezing issues.)
@saurik On it
(This version does really log a lot ;P.)
Just had my second freeze on Substrate. Noticed one small fact which may or may not be useful: while hard-rebooting, a very small timeframe before the Apple logo my device sort of "unfroze" and triggered all the touch events I had sent while in the frozen state. This happened the first time as well.
Edit: I'll try that new build tomorrow and see if I can get it to freeze again. Now it's kinda late
@jakeajames this happens to me whenever I froze using substitute.
... and then send a copy of the logs (potentially all of the multiple logs, as maybe substrated is crashing over and over again)?
@saurik I have collected a couple of logs. What's the best non-public way of sending them to you? Link via email?
@DeathIsUnknown logs are fine to be sent publicly. It’s just logging substrated
@Chasewhip8 Sorry, I'd rather err on the side of caution regarding log files whose content I can't vet for private data, regardless of what they're meant to and not meant to contain.
@saurik Sent you an email with a link to some logs.
I mean sure, however logs are in plain text.
Link via email?
@DeathIsUnknown That works!
logs are fine to be sent publicly. It’s just logging substrated
This log includes the names of programs that you are running; there is a potential for that to be sensitive information. It is also theoretically possible to figure out what extensions the user has installed that are using MSHookFunction (but that would be extremely difficult), which a user might consider sensitive.
I mean sure, however logs are in plain text.
FWIW, these logs contain large blocks of binary data (which should all be code, though, not data, so other than contributing to the identification of software, it won't include any private information).
My bad, was not aware of that.
Sent you an email with a link to some logs.
@DeathIsUnknown (Oh, lol: I had seen your comment and had already analyzed your log before getting around to later writing that comment.)
So, I think I was able to figure out what was going on from your logs!! I think this build (which still has all of the crazy logging plus even some more logging that I had turned off before that would have been useful) might work; would you mind trying it out?
https://cache.saurik.com/substrate/debs/mobilesubstrate_0.9.7012~b1+6.gf040135+lsl_iphoneos-arm.deb
(Note: I am still analyzing the potential of a vnode caching issue; these logs are showing a lot of unique executable pages... I would expect fewer than 50, but this is showing well over a thousand.)
would you mind trying it out?
@saurik Done. See your email inbox.
@DeathIsUnknown Thanks!! It is weird that amfid seems to just stop responding. One option is that it crashed, but I don't see CrashReporter trying to start in these logs. It also could have wedged, but I don't think the stuff I inject into it can wedge :/. Another option is that I managed to use up all of your vnodes, as there definitely are thousands of hooks being allocated here... I've finished a build that, with an annoying tradeoff (I didn't implement the full mechanism I'd like for this to handle concurrent hooks), ensures that it never accidentally creates the same hook multiple times when there are rushes to hook many processes at the same time. Can you try this build?
https://cache.saurik.com/substrate/debs/mobilesubstrate_0.9.7012~b1+7.gfbd45be+lsl_iphoneos-arm.deb
I have an iPhone 6 on 11.1.2 with unc0ver 2.1.0. Cydia Substrate is freezing with a white screen :(( on 0.9.7000, 0.9.7010 and 7011... What can I do?
Can you try this build?
@saurik New logs sent. Sorry for the delay.
@DeathIsUnknown Thanks!! Like, seriously: this is so so so helpful. And this is actually going great: the fixes I made in the previous builds for the overall message system to be working (which I think account for the occasional issues on random devices), and now I'm able to see very clearly what is going on with the vnode leak (which I'm presuming is the issue that is affecting some hardware but not other hardware): the issue is that hooks I'm making in processes aren't deterministic on your device due to some difference in accessible memory regions. (What device do you have, btw?)
I've added a change that might fix this problem, and a ton of logging to this part of the system (in case it doesn't work, and to help me verify this fix is correct: I even try the old mechanism and then log my way through the new one to verify what is going on) to this build; would you mind trying this one? (Watch me have made something really dumb in this one, like a typo, or not leaving myself quite enough room.)
https://cache.saurik.com/substrate/debs/mobilesubstrate_0.9.7012~b1+10.g384b5bc+lsl_iphoneos-arm.deb
OK: now that I know what I'm looking for, I've realized I can replicate the behavior on iOS 8.0. (It is stupid, as I'd noticed this issue already while testing a while back and added a workaround, which I thought would be "no worse than older versions of Substrate", but in fact it is worse as these newer versions of Substrate can't get rid of vnodes once allocated. I guess I need to build a garbage collector for hooks that tracks processes still using them to mitigate similar corner cases :/.)
Regardless, I think I fixed this issue "correctly" in 0.9.7012.
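A model of the two fixes saurik describes above (never materialising the same hook twice when many processes rush to hook at once, and tracking which processes still use a hook so it can be collected), as an added example that is not Substrate's code. A hook is identified here by its target address plus its trampoline bytes, which is why the hooks have to be deterministic for de-duplication to work at all; the backing resource that Substrate pays for in vnodes is represented by a counter. The table size, the pid-based ownership tracking and all names are my own constructions.

```c
// Added example: a de-duplicating, owner-tracked hook table (not Substrate's code).
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_MAX 64        /* slots in the table (constructed limit) */
#define TRAMPOLINE_LEN 16  /* bytes of trampoline that identify a hook */
#define OWNERS_MAX 8       /* processes tracked per hook (constructed limit) */

typedef struct {
    int in_use;
    uintptr_t target;                   /* function being hooked */
    unsigned char code[TRAMPOLINE_LEN]; /* trampoline bytes; must be deterministic to dedupe */
    int owners[OWNERS_MAX];             /* pids currently using this hook */
    int nowners;
} hook_entry_t;

static hook_entry_t table[HOOK_MAX];
static int backing_allocations;  /* stands in for vnodes/file mappings actually created */

void hook_table_reset(void) {
    memset(table, 0, sizeof table);
    backing_allocations = 0;
}

static int same_hook(const hook_entry_t *e, uintptr_t target, const unsigned char *code) {
    return e->in_use && e->target == target && memcmp(e->code, code, TRAMPOLINE_LEN) == 0;
}

static int add_owner(hook_entry_t *e, int pid) {
    for (int i = 0; i < e->nowners; i++)
        if (e->owners[i] == pid) return 1;  /* repeat request from the same process: no-op */
    if (e->nowners == OWNERS_MAX) return 0;
    e->owners[e->nowners++] = pid;
    return 1;
}

/* Acquire a hook on behalf of process pid: reuse an identical hook if one
 * exists, otherwise materialise a new one. Returns the slot index, or -1
 * when the table or the owner list is exhausted. */
int hook_acquire(int pid, uintptr_t target, const unsigned char *code) {
    int free_slot = -1;
    for (int i = 0; i < HOOK_MAX; i++) {
        if (same_hook(&table[i], target, code))
            return add_owner(&table[i], pid) ? i : -1;
        if (!table[i].in_use && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;  /* analogue of the kernel's "vnode: table is full" */
    hook_entry_t *e = &table[free_slot];
    e->in_use = 1;
    e->target = target;
    memcpy(e->code, code, TRAMPOLINE_LEN);
    e->nowners = 0;
    add_owner(e, pid);
    backing_allocations++;
    return free_slot;
}

/* Drop one process from one hook; free the backing resource once nobody uses it. */
void hook_release(int idx, int pid) {
    if (idx < 0 || idx >= HOOK_MAX || !table[idx].in_use) return;
    hook_entry_t *e = &table[idx];
    for (int i = 0; i < e->nowners; i++) {
        if (e->owners[i] == pid) {
            e->owners[i] = e->owners[--e->nowners];
            break;
        }
    }
    if (e->nowners == 0) {
        memset(e, 0, sizeof *e);
        backing_allocations--;
    }
}

/* Collect everything a process held, e.g. when it exits without releasing.
 * Returns the number of hooks whose backing resource was freed. */
int hook_gc_process(int pid) {
    int freed = 0;
    for (int i = 0; i < HOOK_MAX; i++) {
        if (!table[i].in_use) continue;
        int before = backing_allocations;
        hook_release(i, pid);
        if (backing_allocations < before) freed++;
    }
    return freed;
}

int hook_backing_allocations(void) { return backing_allocations; }
int hook_owner_count(int idx) { return (idx >= 0 && idx < HOOK_MAX) ? table[idx].nowners : 0; }

int main(void) {
    unsigned char tramp[TRAMPOLINE_LEN] = {0xd6, 0x1f, 0x02, 0x00};  /* constructed bytes */
    int a = hook_acquire(100, 0x1000, tramp);
    int b = hook_acquire(200, 0x1000, tramp);  /* second process wants the same hook */
    printf("slots %d/%d, backing allocations %d, owners %d\n",
           a, b, hook_backing_allocations(), hook_owner_count(a));
    hook_gc_process(100);
    hook_gc_process(200);
    printf("after both exit: backing allocations %d\n", hook_backing_allocations());
    return 0;
}
```

Without the content-based lookup, the second request would have allocated a second backing resource; without the per-process ownership, a process that died mid-rush would pin its hook forever, which is the leak the thread observes as the vnode table filling up.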
What device do you have, btw?
I was the first one to run your pagesizes script. iPhone 6 (128GB) A1586, iOS 11.3.1
sysctl(hw.machine) = iPhone7,2
sysctl(kern.osrelease) = 17.5.0
sysctl(kern.osproductversion) = 11.3.1
would you mind trying this one?
I gave it a quick try over a couple of hours, but didn't run into any freezing. I can test some more tomorrow.
I second this. I have an iPhone 6 64GB on 11.3.1.
Have you looked into fixing the PayPal issue yet?
@pwn20wndstuff This has been fixed in 0.9.7013.
@saurik Should a system reboot be required after the update to restart substrated?
@saurik Thank you once again. - I have deleted my comment since @sbingner confused me in Discord telling me that it was their jailbreak detection right after I made that comment -.- (The comment was about the PayPal issue).
I was told by a user on Twitter that this new update also fixes "Instagram Stories", which was something that I was getting questioned about for a long time
After installing the new Cydia Substrate I rebooted and re-jailbroke my device. After some time my device froze and I was forced to hard reboot it. After the reboot, I re-jailbroke my device and after some time it froze again. I used Restore RootFS but the freezing issue is still not fixed.
I am using iPhone 6, iOS 11.3.1 Unc0ver v2.1.0 (latest one)
I also found some users with the same issue. It is mostly happening with older devices.