pwn20wndstuff / Undecimus

unc0ver jailbreak for iOS 11.0 - 12.4
BSD 3-Clause "New" or "Revised" License

Unc0ver crashing repeatedly on iPad Pro 10.5” 2017 iOS 12.1.1 unc0ver b26 #350

Closed c0redump3d closed 5 years ago

c0redump3d commented 5 years ago

My device is an iPad Pro 10.5” 2017 model with an A10X Fusion chip running iOS 12.1.1

EDIT: It seems Pwn reverted these changes??? opening the issue again as this does indeed break devices w/ 4gb of ram again. See: https://github.com/pwn20wndstuff/Undecimus/commit/93f0097162dae2104d109aa9224215f8c9b2c5a3

Unc0ver or the exploit seem to be having a few issues. Upon running unc0ver initially, the exploit runs just fine and everything works great. But upon rebooting and attempting to rerun the app, the exploit will repeatedly fail with a 0% success rate. I've looked into this a bit more, and it seems that after leaving the iPad unlocked for around 50 minutes to an hour, the exploit works again, but only once. I don’t feel like it is necessarily the exploit itself just having a terrible success rate with specific iPads, because when running something like RootKit, which was a /var/ file explorer, the exploit works almost 90% of the time, even after rebooting. Though the exact same issue is seen in other applications like RootlessJB and GeoFilza. I don’t quite know why the exploit works extremely well in RootKit but then fails every single time after running unc0ver once. I just thought I would inform the developers of this issue to see if any of the extra info that was found will help in maybe finding a mitigation, instead of waiting close to an hour or more to attempt to get the exploit to work again.

JoshThomasx20 commented 5 years ago

Try jailbreaking again with unc0ver. It might just be your iPad; unc0ver works completely fine with exploits.

c0redump3d commented 5 years ago

Try jailbreaking again with unc0ver. It might just be your iPad; unc0ver works completely fine with exploits.

I’m not understanding what you are saying. I said in the post that I have run it many times, but it only seems to work a single time before the exploit continually fails. Also, I have seen some others on the r/jailbreak Discord server with the same iPad having the exact same issue, so I'm doubtful that it is just my iPad.

Fr0st3h commented 5 years ago

Same issue here. Multiple people are having issues with the iPad Pro. Rootless doesn't work, unc0ver doesn't work. The only thing that works is Toolkit/Rootkit by xSpiral.

DON'T close this as placebo again, whoever you are. This is a real issue that doesn't deserve to be ignored.

clarityzzz commented 5 years ago

Do any of you guys have Xcode access? I've fixed iPad Pro 10.5'' on iOS 11 and the fix was pushed to unc0ver. It might break iOS 12 compatibility. Attach diags from Settings -> Share Diagnostics.

c0redump3d commented 5 years ago

Do any of you guys have Xcode access? I've fixed iPad Pro 10.5'' on iOS 11 and the fix was pushed to unc0ver. It might break iOS 12 compatibility. Attach diags from Settings -> Share Diagnostics.

Yes, I have access to Xcode. Could you point me in the right direction on where I can try this?

clarityzzz commented 5 years ago

git clone https://github.com/pwn20wndstuff/Undecimus.git -b develop
cd Undecimus
git submodule update --init --recursive --remote

Fix the build (remove mp entitlements). Go to voucher_swap/kernel_alloc.c (https://github.com/pwn20wndstuff/Undecimus/blob/78f1e754ec93b8b7285930b7950fe957475a5c2a/Undecimus/source/kernel_alloc.c#L359), change this line from MACH_PORT_QLIMIT_DEFAULT to MACH_PORT_QLIMIT_MAX, and tell me if it works. Also, attach diags before doing this.

ghost commented 5 years ago

I'm experiencing this as well. I tried around 100 times now and I only got unc0ver to work twice, way in the beginning. At first I tried to do it on 12.1.1 final, but now I have restored to 12.1.1 beta 3, thinking that it was something with the install.

bdan629 commented 5 years ago

Not working for me either on A9X. iPad Pro 12.9 inch Wi-Fi, iOS 12.1.1. Kernel panics after "stashed voucher pointer in thread". Diagnostics file attached.

c0redump3d commented 5 years ago

Okay, so @clarityzzz seems to have fixed it! He is testing it out a few more times before he makes a PR. His original fix, as seen above, was not enough to get it to work; he had me change a few more things and it works great now! It has about a ~90% success rate and works on both my iPad and iPhone.

clarityzzz commented 5 years ago

#353 fixes this.

c0redump3d commented 5 years ago

Pwn has merged the changes from #353. The issue is now officially fixed, closing issue. https://github.com/pwn20wndstuff/Undecimus/commit/bd5c6f8cff0468bc7663f0167276b91d9819a890

c0redump3d commented 5 years ago

Read the post again, it seems pwn has reverted the changes.

If this caused compatibility issues on older devices, I believe the next best thing would be to try to detect the amount of physical memory in the user's device and, based on that, use 0.17 if the memory of the user's device is below 3 GB and use 0.25 if the user's device has at least 3 GB or more of RAM.

endercypher commented 5 years ago

It’s just the success rate. @Cryptiiiic please close this issue

c0redump3d commented 5 years ago

@king4q you’re wrong. Changing something in the exploit fixed this issue, because the exploit seemed to have some issues with devices with 4 GB of RAM. It seems that pwn has reverted the changes and it is working again, so I will be closing this issue again.

With the fix applied voucher easily has around a 90% success rate.

clarityzzz commented 5 years ago

@king4q it's not the exploit success rate. Garbage collection won't be triggered if you have plenty of RAM left. You need to spray more ports and fill up more RAM to trigger it and trigger the exploit. If the success rate CAN be and WAS improved previously and that was reverted, something needs to be done, AND that justifies the issue being reopened. Don't comment on technical issues if you don't know the technicalities, thanks.

endercypher commented 5 years ago

I do know the technicalities thank you though.

clarityzzz commented 5 years ago

@king4q I'll be waiting on your pull requests to fix voucher_swap success rate on iPhone 7 and others then. Cheers mate.

endercypher commented 5 years ago

I never once said I was gonna make a pull request. Nor did I even hint at or mention it. So I will not be making one, as there’s no reason to. As far as I know, the iP7 and newer iPhones specifically have a very good success rate for voucher_swap.