LiberiOS is getting an update for 11.2-11.3.1

Vent out liberIOS stuff here.
Requests for ETAs or 11.2+ support will be removed without warning!

Postby morpheus » Thu May 31, 2018 6:27 pm

Not yet, but soon. Please don't nag. Updates to follow in this thread.
morpheus
Site Admin
Posts: 698
Joined: Thu Apr 11, 2013 6:24 pm

Re: LiberiOS is getting an update for 11.2-11.3.1

Postby luckycat889 » Thu Jun 14, 2018 4:03 pm

Mr Levin,
FYI, since we don't want to re-invent the wheel...

Presumably, you'll use Ian Beer's 'multi_path' work for the 11.3.1 support (or his new 'empty_list' PoC).
I did some early integration with multi_path and QiLin, and I noticed that 'dropbear' just bails out.
It turns out that there is a file descriptor leak in Ian's original sploit.c file, and if you initialize QiLin the usual way with go() (which launches dropbear), dropbear's initial listen sockets are descriptor values in the 2k's. Internally dropbear uses select for multiplexing, and on iOS it appears that FD_SETSIZE is set to 1024, thus causing failure in all select() calls within dropbear.

The best way, apart from patching dropbear with poll() calls, is obviously to fix the resource leak:
--- In alloc_and_fill_pipe(); keep track of the pipe file descriptors, like this (added lines prefixed with +)
+int write_fds[10000] = {0};   /* one slot per pipe, parallel to read_fds[] */
int alloc_and_fill_pipe() {
...
+    write_fds[next_read_fd] = write_end;
    read_fds[next_read_fd++] = read_end;

--- At end of multi_path_get_kernel_meory_rw() add
for (int i = 0; i < next_read_fd; i++) {
    close(write_fds[i]);
    close(read_fds[i]);
}

Now it's safe to initialize QiLin (also one would need to retrieve the kernel_base first) and call go(), and dropbear is happy!

Thanks,
luckycat889
Posts: 11
Joined: Thu Dec 28, 2017 3:15 am
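Added example, not code from the post, multi_path or QiLin: a self-contained C program that reproduces the symptom luckycat889 describes (leaked pipe descriptors push the next socket past FD_SETSIZE, so select() cannot monitor it), then applies the post's fix of closing both pipe ends and shows poll() as the alternative. The pipe count, helper names and the /dev/null fallback are constructed for this example.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define LEAKED_PIPES 600 /* constructed count: 1200 descriptors, past FD_SETSIZE (1024) */
static int read_fds[LEAKED_PIPES], write_fds[LEAKED_PIPES], next_read_fd = 0;
/* Stand-in for alloc_and_fill_pipe(): both pipe ends stay open (soft fd limit raised first). */
static int leak_pipes(void) {
    struct rlimit rl;
    rlim_t need = 2 * LEAKED_PIPES + 16;
    int limit = LEAKED_PIPES, fds[2];
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < need) {
        rl.rlim_cur = (rl.rlim_max == RLIM_INFINITY) ? need : rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) != 0) getrlimit(RLIMIT_NOFILE, &rl);
        if (rl.rlim_cur < need) limit = (int)(rl.rlim_cur / 2) - 16; /* keep headroom */
    }
    for (next_read_fd = 0; next_read_fd < limit; next_read_fd++) {
        if (pipe(fds) != 0) break; /* EMFILE: process fd limit reached */
        read_fds[next_read_fd] = fds[0];
        write_fds[next_read_fd] = fds[1];
    }
    return next_read_fd; /* number of pipes actually leaked */
}
/* The fix from the post: close both ends of every tracked pipe once they are no longer needed. */
static void release_pipes(void) {
    for (int i = 0; i < next_read_fd; i++) { close(write_fds[i]); close(read_fds[i]); }
    next_read_fd = 0;
}
/* The descriptor a listener opened now would receive (/dev/null if sockets are unavailable). */
static int next_descriptor(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    return fd >= 0 ? fd : open("/dev/null", O_RDONLY);
}
/* select() can only monitor descriptors below FD_SETSIZE: dropbear's failure mode. */
static int select_can_watch(int fd) { return fd >= 0 && fd < FD_SETSIZE; }
/* poll() has no such ceiling, which is the alternative the post mentions. */
static int poll_can_watch(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    return poll(&p, 1, 0) >= 0;
}
int main(void) {
    int n = leak_pipes(), fd = next_descriptor();
    printf("%d pipes leaked -> fd %d: select ok=%d, poll ok=%d\n", n, fd, select_can_watch(fd), poll_can_watch(fd));
    close(fd); release_pipes(); fd = next_descriptor();
    printf("pipes closed -> fd %d: select ok=%d\n", fd, select_can_watch(fd)); close(fd); return 0;
}
```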

Re: LiberiOS is getting an update for 11.2-11.3.1

Postby matteyeux » Fri Jul 06, 2018 10:25 am

Is LiberiOS still getting an update for iOS 11.3.x? (not asking for estimated time of arrival)
I'm asking because you left Twitter and maybe you don't want to release it anymore (I understand why). I'm keeping one of my devices on stock iOS for LiberiOS.
Anyway, thank you for your work on the QiLin toolkit, it's really useful for post-exploitation stuff!
matteyeux
Posts: 17
Joined: Tue Jan 05, 2016 7:59 pm

