LiberiOS is getting an update for 11.2-11.3.1

Vent out liberIOS stuff here.
Requests for ETAs or 11.2+ support will be removed without warning!

LiberiOS is getting an update for 11.2-11.3.1

Postby morpheus » Thu May 31, 2018 6:27 pm

Not yet, but soon. Please don't nag. Updates to follow in this thread.
Site Admin
Posts: 650
Joined: Thu Apr 11, 2013 6:24 pm

Re: LiberiOS is getting an update for 11.2-11.3.1

Postby luckycat889 » Thu Jun 14, 2018 4:03 pm

Mr Levin,
FYI, since we don't want to re-invent the wheel...

Presumably, you'll use Ian Beer's 'multi_path' work for the 11.3.1 support (or his new 'empty_list' PoC).
I did some early integration with multi_path and QiLin, and I noticed that 'dropbear' just bails out.
It turns out that there is a file descriptor leak in Ian's original sploit.c file, and if you initialize QiLin the usual way with go() (which launches dropbear), dropbear's initial listen sockets are descriptor values in the 2k's. Internally dropbear uses select for multiplexing, and on iOS it appears that FD_SETSIZE is set to 1024, thus causing failure in all select() calls within dropbear.

The best way, apart from patching dropbear with poll() calls, is obviously to fix the resource leak:
--- In alloc_and_fill_pipe(), keep track of the write ends as well as the read ends (added lines prefixed with +; read_fds and next_read_fd already exist in sploit.c):
+int write_fds[10000] = {0};   /* one write end per pipe, parallel to read_fds */
int alloc_and_fill_pipe() {
    ...
+   write_fds[next_read_fd] = write_end;   /* record the write end before the index moves on */
    read_fds[next_read_fd++] = read_end;
    ...
}

--- At the end of multi_path_get_kernel_meory_rw(), close every pipe end that was tracked, so the descriptor numbers are released before dropbear is started:
+for (int i = 0; i < next_read_fd; i++) {
+    close(read_fds[i]);
+    close(write_fds[i]);
+}

Now it's safe to initialize QiLin (one would also need to retrieve the kernel_base first) and call go(), and dropbear is happy!

Posts: 10
Joined: Thu Dec 28, 2017 3:15 am
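An added C example, not code from the post, from Ian Beer's sploit.c or from QiLin, that models the mechanism the post describes: pipe ends are tracked in parallel arrays, leaving them open pushes descriptor numbers up, the cleanup loop reclaims them, and two small checks show why select()-based code is bounded by FD_SETSIZE while poll() is not. Function names and the 100-pipe sample are assumptions for the demonstration.

```c
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

#define MAX_PIPES 10000           /* same bound as the tracking arrays in the post */
static int read_fds[MAX_PIPES];   /* one entry per pipe, as in sploit.c */
static int write_fds[MAX_PIPES];  /* the extra array the post adds */
static int next_read_fd = 0;
/* Stand-in for alloc_and_fill_pipe(): open a pipe and record BOTH ends.
   Returns the higher of the two new descriptor numbers, or -1 on failure. */
int alloc_pipe_tracked(void) {
    int ends[2];
    if (next_read_fd >= MAX_PIPES || pipe(ends) != 0) return -1;
    read_fds[next_read_fd] = ends[0];
    write_fds[next_read_fd] = ends[1];
    next_read_fd++;
    return ends[0] > ends[1] ? ends[0] : ends[1];
}

/* Leak n pipes (what the unpatched exploit does) and return the highest descriptor
   number reached; each pipe consumes two numbers, so they climb twice as fast. */
int highest_fd_after_leak(int n) {
    int hi = -1;
    for (int i = 0; i < n; i++) {
        int fd = alloc_pipe_tracked();
        if (fd < 0) break;
        if (fd > hi) hi = fd;
    }
    return hi;
}

/* The cleanup loop the post adds at the end of the exploit: close every tracked
   end so the low numbers become reusable. Returns how many ends were closed. */
int close_tracked_pipes(void) {
    int closed = 0;
    for (int i = 0; i < next_read_fd; i++) {
        if (close(read_fds[i]) == 0) closed++;
        if (close(write_fds[i]) == 0) closed++;
    }
    next_read_fd = 0;
    return closed;
}
/* select()-based code such as dropbear can only watch descriptors below FD_SETSIZE. */
int fd_is_select_safe(int fd) { return fd >= 0 && fd < FD_SETSIZE; }
/* poll() has no such ceiling: a writable pipe end reports POLLOUT whatever its number. */
int fd_is_pollable(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLOUT, .revents = 0 };
    return poll(&p, 1, 0) == 1 && (p.revents & POLLOUT) != 0;
}
```

With 1000 leaked pipes, as in the post's scenario, the highest number lands in the 2000s, which is why every FD_SET/select() call in dropbear fails on a 1024-entry set; after close_tracked_pipes() the next pipe() call hands back a low number again.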
