
ktrw's People

Contributors

bazad

ktrw's Issues

task_for_pid-allow permission

Is it possible to add the task_for_pid-allow permission to the Xcode ktrw_kext_loader project so as to be able to debug this app?
I am trying to run this project on an iPhone10,4 (iOS 13.2.2) which is missing kernel parameters, and debugging capabilities would be very useful.
I use the checkra1n JB tool, which provides us with tfp0 functionality. tfp0 requires the task_for_pid-allow permission.
What would you recommend in this case?
Thanks.

lldb "error: failed to send packet"

Once connected with lldb, commands like pr i and c work as expected, freezing and un-freezing the device respectively. However, when trying to use commands like x, di, or b, I get error: failed to send packet.

Here are some sample outputs:

(lldb) x/12wx 0xffffffe001d5b528
error: failed to send packet: 'xffffffe001d5b400,200'
(lldb) di -s 0xfffffff01110e238
error: failed to send packet: 'xfffffff01110e200,200'
error: Failed to disassemble memory at 0xfffffff01110e238.
(lldb) b 0xfffffff01110e230
warning: failed to set breakpoint site at 0xfffffff01110e230 for breakpoint 1.1: error sending the breakpoint request
Breakpoint 1: address = 0xfffffff01110e230

Please let me know what other information you need (this is running on an iPhone 8 iOS 13.5, with the offsets supplied by NewDwarf in issue #6)

iOS 13.5 is not booted

I've been trying to run KTRW on iOS 13.5 but iOS won't boot.

The file ktrw_gdb_stub/kernel_symbols/iPhone10,1_17F75.txt was created with the following content:

KERNELCACHE UUID:   15576917-FD0D-3A15-B52E-72D55A37D8E8

DEVICE:     iPhone10,1 17F75
DEVICE:     iPhone10,4 17F75

__disable_preemption    0xFFFFFFF007D08CF0
__enable_preemption     0xFFFFFFF007D08D20
__mh_execute_header     0xFFFFFFF007004000
_const_boot_args        0xFFFFFFF0079328C0
_IOSleep                0xFFFFFFF008131198
_kernel_map             0xFFFFFFF0079316a8
_kernel_memory_allocate 0xFFFFFFF007C88CE0
_kernel_thread_start    0xFFFFFFF007C33608
_ml_nofault_copy        0xFFFFFFF007D0F574
_panic                  0xFFFFFFF00909EA08
_paniclog_append_noflush    0xFFFFFFF007C0E170
_thread_deallocate      0xFFFFFFF007C010AC
_vsnprintf              0xFFFFFFF0080204E0

The pongo_kext_loader tool prints out:

pongo_kext_loader/pongo_kext_loader pongo_kextload/kextload.pongo-module ktrw_gdb_stub/kernel_symbols ktrw_gdb_stub/ktrw_gdb_stub.ikext

[1003] Found pongoOS device
[1003] Loading pongoOS kextload module
[1003] Loading kernel symbols
[1003] Loading kernel extension

On the iPhone 8 screen the last messages are:

KTRW pongoOS kextload pre-boot hook
Skipping checkra1n pre-boot hook
Disabling KTRR AMCC lockdown
Disabling KTRR MMU lockdown
Booting

At the same time the GDB stub is not accessible, which means that the kext is not activated.

There are no new messages, at least not in 5+ minutes.
@bazad Is it a result of wrong addresses in iPhone10,1_17F75.txt?
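The symbol file quoted above is the input the loader consumes, and the question at the end of this issue is whether its addresses are wrong. As an added example (not part of the ktrw project and not the author's code), here is a small Python checker that parses that layout and flags the kinds of problem a reporter can rule out before opening an issue: a malformed UUID, missing or duplicated symbols, a device/build that the file does not list, and addresses that fall outside a plausible window above __mh_execute_header. The file layout is inferred from the quoted file and the required-symbol list is taken from it; the 64 MiB window is an assumption for illustration, not a rule the project enforces.

```python
"""Parse and sanity-check a kernel_symbols file in the layout quoted in the issue.

Added example; not part of the ktrw project. The layout is inferred from the
iPhone10,1_17F75.txt contents above; the address-window check is an assumption.
"""
import re
from typing import Dict, List, NamedTuple

UUID_RE = re.compile(r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}$")
SYMBOL_RE = re.compile(r"^(\S+)\s+(0x[0-9A-Fa-f]{16})$")

# The symbols the quoted file carries; treated here as the required set (assumption).
REQUIRED_SYMBOLS = (
    "__disable_preemption", "__enable_preemption", "__mh_execute_header",
    "_const_boot_args", "_IOSleep", "_kernel_map", "_kernel_memory_allocate",
    "_kernel_thread_start", "_ml_nofault_copy", "_panic",
    "_paniclog_append_noflush", "_thread_deallocate", "_vsnprintf",
)

# Assumed plausible span of a kernelcache above __mh_execute_header (64 MiB).
MAX_KERNEL_SPAN = 64 * 1024 * 1024

# Constructed sample: the file content quoted in the issue, reproduced verbatim.
SAMPLE_SYMBOL_FILE = """\
KERNELCACHE UUID:   15576917-FD0D-3A15-B52E-72D55A37D8E8

DEVICE:     iPhone10,1 17F75
DEVICE:     iPhone10,4 17F75

__disable_preemption    0xFFFFFFF007D08CF0
__enable_preemption     0xFFFFFFF007D08D20
__mh_execute_header     0xFFFFFFF007004000
_const_boot_args        0xFFFFFFF0079328C0
_IOSleep                0xFFFFFFF008131198
_kernel_map             0xFFFFFFF0079316a8
_kernel_memory_allocate 0xFFFFFFF007C88CE0
_kernel_thread_start    0xFFFFFFF007C33608
_ml_nofault_copy        0xFFFFFFF007D0F574
_panic                  0xFFFFFFF00909EA08
_paniclog_append_noflush    0xFFFFFFF007C0E170
_thread_deallocate      0xFFFFFFF007C010AC
_vsnprintf              0xFFFFFFF0080204E0
"""


class SymbolFile(NamedTuple):
    uuid: str
    devices: List[str]
    symbols: Dict[str, int]


def parse_symbol_file(text: str) -> SymbolFile:
    """Parse header lines and 'name address' pairs; reject unknown or duplicate entries."""
    uuid = ""
    devices: List[str] = []
    symbols: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("KERNELCACHE UUID:"):
            uuid = line.split(":", 1)[1].strip()
        elif line.startswith("DEVICE:"):
            devices.append(line.split(":", 1)[1].strip())
        else:
            m = SYMBOL_RE.match(line)
            if not m:
                raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
            name, addr = m.group(1), int(m.group(2), 16)
            if name in symbols:
                raise ValueError(f"line {lineno}: duplicate symbol {name}")
            symbols[name] = addr
    return SymbolFile(uuid, devices, symbols)


def validate(sf: SymbolFile, expected_device: str = "") -> List[str]:
    """Return human-readable problems; an empty list means the file looks sane."""
    problems: List[str] = []
    if not UUID_RE.match(sf.uuid):
        problems.append(f"malformed KERNELCACHE UUID {sf.uuid!r}")
    if expected_device and expected_device not in sf.devices:
        problems.append(f"file does not list device {expected_device!r}")
    for name in REQUIRED_SYMBOLS:
        if name not in sf.symbols:
            problems.append(f"missing symbol {name}")
    base = sf.symbols.get("__mh_execute_header")
    if base is not None:
        # Every symbol is expected to sit inside the kernelcache image (assumed window).
        for name, addr in sf.symbols.items():
            if not (base <= addr < base + MAX_KERNEL_SPAN):
                problems.append(
                    f"{name} = {addr:#x} lies outside the kernelcache window "
                    f"starting at {base:#x}")
    return problems


if __name__ == "__main__":
    parsed = parse_symbol_file(SAMPLE_SYMBOL_FILE)
    for problem in validate(parsed, "iPhone10,1 17F75") or ["no problems found"]:
        print(problem)
```

A clean result from this checker only shows that the file is well-formed and internally consistent; it cannot tell whether the addresses match the kernelcache that is actually booting, which is what the UUID line is there to pin down.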

Kernel Debugging for iOS 13.6

Hi,

I have an iPhone 8 Global running iOS 13.6, and I want to use KTRW + checkra1n for debugging the kernel (I have tested checkra1n with this device and kernel version and it works). However, I get no debug connection after following your instructions:
[image]
I guess that I need to create a new symbol file under ktrw_gdb_stub/kernel_symbols/.
Is that enough to adapt KTRW to a new iOS version, or do I have to do anything else?

Build failed

When building ktrw_gdb_stub I get the following warning (treated as error):

error: using extended field designator is an extension [-Werror,-Wextended-offsetof]

I solved it by adding the following CFLAGS in the Makefile:
-Wno-unknown-warning-option -Wno-invalid-offsetof -Wno-extended-offsetof

Request: iOS 13.3.1 offsets

Could you provide offsets for the iPhone 10,4 17D50 please? Alternatively, would it be possible to write a script/instructions to aid with fetching the required offsets ourselves?

checkra1n patches not applied after booting with KTRW

After booting with KTRW, checkra1n's kernel patches don't appear to have been applied, which means that you can't SSH into the device and you can't launch unsigned applications.

Is this expected behaviour? Would it be possible to enable checkra1n's patches? It would be extremely useful to be able to launch unsigned applications in order to debug kexts that are denied access by the app sandbox.


It seems that

Symbol update docs or scripts?

Hi! Thank you for the truly awesome work @bazad!

I made @NewDwarf's comments from #1 into a branch: https://github.com/dflatline/ktrw/commits/iOS13.3. I successfully tested basic debugging on an iPhone 10,1 17C54 and checkra1n 0.9.5 with that branch.

I can make that into a PR if that saves you time but it's not my work. What a mess for the contribution policy :/

While I am here: do you use IDA+BinDiff to help update symbols automatically? Are people still porting symbols forward from the iOS 12 beta1 symbol leak in this way?

Are there other options that don't require IDA? Levin's joker/jtool2 didn't yield any of these symbols by default. I started toying with some yara plugins for Hopper but then @NewDwarf beat me to it, presumably by manual binary string match-and-check?

Can you provide suggestions to help update these symbol offsets for future iOS releases? I can go back to work on Hopper scripts, if that is even a worthwhile direction...
