pwn20wndstuff / Undecimus

unc0ver jailbreak for iOS 11.0 - 12.4
BSD 3-Clause "New" or "Revised" License
6.64k stars 1.3k forks

iOS 12.0.1 unc0ver jailbreak failed causing an Apple logo reboot loop #554

Closed RonPimplebut closed 5 years ago

RonPimplebut commented 5 years ago

2018 iPad 6 Wi-Fi (iPad7,5), iOS 12.0.1 (16A404), model A1893. Failed at exploit 16/38, resulting in an infinite reboot loop on the Apple logo, and I am unable to restore my device without updating to 12.1.4.

Please help! How do I fix this? Thanks

Here are the logs:

```
[] unc0ver Version: 3.0.0~b34
[] Darwin Kernel Version 18.0.0: Tue Aug 14 22:07:17 PDT 2018; root:xnu-4903.202.2~1/RELEASE_ARM64_T8010
[] Bundled Resources Version: 1.0~b4
-canOpenURL: failed for URL: "cydia://" - error: "This app is not allowed to query for scheme cydia"
-canOpenURL: failed for URL: "cydia://" - error: "This app is not allowed to query for scheme cydia"
-canOpenURL: failed for URL: "cydia://" - error: "This app is not allowed to query for scheme cydia"
[] STATUS: Exploiting (1/38)
[] Loading preferences...
[] Successfully loaded preferences.
[] STATUS: Exploiting (2/38)
[] Exploiting kernel_task...
[+] memory_size: 2076180480
[D] platform: iPad7,5 16A404
[+] created 1024 pipes
[+] created 8000 ports
[+] sprayed 16777216 bytes to 1024 pipes in kalloc.16384
[+] created 3564 vouchers
[+] sprayed 311427072 bytes to 8 ports in kalloc.1024
[+] stashed voucher pointer in thread
........................................................................................................................................................................................................................................................
[+] sprayed 519045120 bytes of OOL ports to 6 ports in kalloc.32768
[+] recovered voucher port 0x2007 for freed voucher
[+] adding references to the freed voucher to change the OOL port pointer
[+] receiving the OOL ports will leak port 0x1eb203
[+] received voucher port 0x2007 in OOL ports
[+] voucher overlapped at offset 0x3d90
[+] received fake port 0xaa07
[+] port is at pipe index 256
[+] got ip_requests at 0xffffffe023231ee0
[+] fake port is at offset 10416
[+] base port is at 0xffffffe005c328b0
[+] kernel_task is at 0xffffffe0006461c0
[+] done! port 0xaa07 is tfp0
[] kCFCoreFoundationVersionNumber: 1556.000000
[] offsets selected for iOS 12.0 or above
[] tfp0: 0xaa07
[] kernel_base: 0xfffffff016004000
[] kernel_slide: 0x000000000f000000
[] Successfully exploited kernel_task.
[] STATUS: Exploiting (3/38)
[] Initializing patchfinder64...
[] Successfully initialized patchfinder64.
[] STATUS: Exploiting (4/38)
[] Finding offsets...
[] trustcache = 0xfffffff00768be00 + 0x000000000f000000
[] OSBoolean_True = 0xfffffff0076b2e40 + 0x000000000f000000
[] osunserializexml = 0xfffffff007557250 + 0x000000000f000000
[] smalloc = 0xfffffff006a9c424 + 0x000000000f000000
[] add_x0_x0_0x40_ret = 0xfffffff007437ecc + 0x000000000f000000
[] zone_map_ref = 0xfffffff007664ec8 + 0x000000000f000000
[] vfs_context_current = 0xfffffff00724d428 + 0x000000000f000000
[] vnode_lookup = 0xfffffff00722ec4c + 0x000000000f000000
[] vnode_put = 0xfffffff00722b5f4 + 0x000000000f000000
[] kernel_task = 0xfffffff007642078 + 0x000000000f000000
[] shenanigans = 0xfffffff007811580 + 0x000000000f000000
[] lck_mtx_lock = 0xfffffff0072008f4 + 0x000000000f000000
[] lck_mtx_unlock = 0xfffffff00720116c + 0x000000000f000000
[] vnode_get_snapshot = 0xfffffff007245ff0 + 0x000000000f000000
[] fs_lookup_snapshot_metadata_by_name_and_return_name = 0xfffffff00694564c + 0x000000000f000000
[] apfs_jhash_getvnode = 0xfffffff006984830 + 0x000000000f000000
[] Successfully found offsets.
[] STATUS: Exploiting (5/38)
[] Deinitializing patchfinder64...
[] Successfully deinitialized patchfinder64.
[] STATUS: Exploiting (6/38)
[] Escaping Sandbox...
[] myProcAddr = 0xffffffe00570dfc0
[] kernelCredAddr = 0xffffffe0008e2370
[] Shenanigans = 0xffffffe0008e2370
[] myOriginalCredAddr = 0xffffffe0039a8360
[] Successfully escaped Sandbox.
[] STATUS: Exploiting (7/38)
[] Setting HSP4 as TFP0...
[] kernel_task_kaddr = 0xffffffe0006461c0
[] remapped_task_addr = 0xffffffe025dd21c0
[] port_kaddr = 0xffffffe000028000
[] Will set all_image_info_addr to: 0xfffffff016004000
[] Setting all_image_info_addr...
[] Will set all_image_info_size to: 0x000000000f000000
[] Setting all_image_info_size...
[] Successfully set HSP4 as TFP0.
[] STATUS: Exploiting (8/38)
[] Unexporting kernel task port...
[] old host type: 0x80000003
[] Successfully unexported kernel task port.
[] STATUS: Exploiting (9/38)
[] Writing a test file to UserFS...
[] Successfully wrote a test file to UserFS.
[] STATUS: Exploiting (10/38)
[] STATUS: Exploiting (11/38)
[] Unlocking nvram...
[] IODTNVRAM obj at 0xffffffe0005da0a0
[] IODTNVRAM vtable: 0xfffffff0160ca160 - 0xfffffff0160ca780
[] vm_kernel_page_size: 4000
[] allocated address: ffffffe000034000
[] address to wire: ffffffe000034000
[] Unlocked nvram
[] Successfully unlocked nvram.
[] runCommandv(206) command: /usr/sbin/nvram "com.apple.System.boot-nonce"
[] runCommandv(206): com.apple.System.boot-nonce 0x1111111111111111
[] runCommandv(206) completed with exit status 0
[] Locking nvram...
[] Locked nvram
[] Successfully locked nvram.
[] STATUS: Exploiting (12/38)
[] Logging slide...
[] Successfully logged slide.
[] STATUS: Exploiting (13/38)
[] Logging ECID...
[] ECID = 6202130365022246
[] modifyPlist: Will modify plist: /var/mobile/Containers/Data/Application/862BD916-1455-4FFB-8E57-D646F22E96AD/Library/Preferences/science.xnu.undecimus.plist
[] modifyPlist: Success
[] Successfully logged ECID.
[] STATUS: Exploiting (14/38)
[] Disabling Auto Updates...
[] modifyPlist: Will modify plist: /var/mobile/Library/Preferences/com.apple.Preferences.plist
[] modifyPlist: Writing to file: /var/mobile/Library/Preferences/com.apple.Preferences.plist
[] modifyPlist: Success
[] Successfully disabled Auto Updates.
[] STATUS: Exploiting (15/38)
[] Initializing kexecute...
[] got user client: 0x1eb90b
[] Successfully initialized kexecute.
[] STATUS: Exploiting (16/38)
[] Remounting RootFS...
fs_snapshot_list: Invalid argument
[] runCommandv(207) command: /sbin/mount
[] runCommandv(207): com.apple.os.update-339EA0A6FC1179198D1E30911EB6409708BFAB57FC59FD903B3786D2CB482135D529E097312A62722274DB5E5EE77AC5@/dev/disk0s1s1 on / (apfs, local, nosuid, read-only, journaled, noatime)
[] runCommandv(207): devfs on /dev (devfs, local, nosuid, nobrowse)
[] runCommandv(207): /dev/disk0s1s2 on /private/var (apfs, local, nodev, nosuid, journaled, noatime, protect)
[] runCommandv(207): /dev/disk0s1s1 on /private/var/MobileSoftwareUpdate/mnt1 (apfs, local, nosuid, journaled, noatime, nobrowse)
[] runCommandv(207) completed with exit status 0
[] Clearing dev vnode's si_flags...
[] zone_map_ref: fffffff016664ec8
[] zone_map: fffffff0cec91c90
[] zm_range: 0xffffffe0004cc000 - 0xffffffe02cd00000 (read 0x20, exp 0x20)
[] devVnode = 0xffffffe000ed61c0
[] v_specinfo = 0xffffffe000ed9e60
[] si_flags = 0x0
[] Successfully cleared dev vnode's si_flags.
[] Mounting system snapshot...
[] __assert(22:!is_mountpoint("/var/MobileSoftwareUpdate/mnt1"))@JailbreakViewController.m:1132[jailbreak]
+[CATransaction synchronize] called within transaction
+[CATransaction synchronize] called within transaction
+[CATransaction synchronize] called within transaction
```

coenkcore commented 5 years ago

Have you deleted the OTA file before running the jailbreak?

snowball7241 commented 5 years ago

How did you get the logs from a bootlooping phone?

TempAccountNull commented 5 years ago

@snowball you can use a program to get into /var/mobile/library/CrashReporter.

CoolPersonMaam commented 5 years ago

https://www.theiphonewiki.com/wiki/Beta_Firmware Find 12.1.1 b3; get to it quick.

RonPimplebut commented 5 years ago

I have downgraded to 12.1.1 beta, then I deleted the OTA file and it works now.

I got the log from the unc0ver built-in logs under the jailbreak button.

Once the JB is done, can I update to iOS 12.1.2 and jailbreak now?

But I don't know if I need to close this issue?

Thanks everybody

CoolPersonMaam commented 5 years ago

You can only do it if you have blobs

This is a yes or no question: do you have blobs saved for 12.1.2? It's no longer signed.

Also, if you mind the beta pop-up: if you jailbreak, it removes it, btw.

RonPimplebut commented 5 years ago

Unfortunately I don't have the specified blobs. I only have the 12.1.1b3, but I am OK with a 12.1.1b3 jailbroken device. Thank you