kpwn / yalu102 Goto Github PK

incomplete iOS 10.2 jailbreak for 64 bit devices by qwertyoruiopz and marcograssi

License: Do What The F*ck You Want To Public License

Objective-C 86.13% C 13.33% Shell 0.54%

yalu102's Introduction

yalu102

A "work in progress" iOS jailbreak for 64-bit devices created by qwertyoruiopz and marcograssi.

Please use the "Issues" tab for code related issues only. If you need support please search on /r/jailbreak before posting a question there.

Supported Devices and iOS versions

Device	Version
iPad Pro	iOS 10.0.0 -> iOS 10.2
iPhone 6S	iOS 10.0.0 -> iOS 10.2
iPhone SE	iOS 10.0.0 -> iOS 10.2
iPhone 5S	iOS 10.0.0 -> iOS 10.2
iPad Air	iOS 10.0.0 -> iOS 10.2
iPad Mini 2	iOS 10.0.0 -> iOS 10.2
iPhone 6	iOS 10.0.0 -> iOS 10.2
iPad Mini 3	iOS 10.0.0 -> iOS 10.2
iPad Air 2	iOS 10.0.0 -> iOS 10.2
iPad Mini 4	iOS 10.0.0 -> iOS 10.2
iPod touch (6G)	iOS 10.0.0 -> iOS 10.2

Planned Support:

In the near future, the jailbreak will support the following devices:

Device	Version
iPhone 7	iOS 10.0.0 -> iOS 10.1.1

Note, the iPhone 7 is only supported till iOS 10.1.1 If you are already on iOS 10.2 with an iPhone 7, stay there. The actual exploit behind this still works, but the KPP bypass does not.

Compiling:

git clone the repo.
Open the repo in Xcode
Change the bundle ID, as shown here
Include the IOKit headers, and add them to your search path.
Run the project.

Warnings

This jailbreak is a work in progress. Some things do not work, but most things do.

Do not install things that are untested.

AppSync and other unsupported and untested software will probably throw your device into a bootloop or do other bad things. Do not open an issue complaining that your device has been bootlooped because you installed other software. You have been warned.

Installing

DO NOT DOWNLOAD THIS SOFTWARE FROM OTHER SOURCES OTHER THAN THESE LINKS UNDER ANY CIRCUMSTANCE. IT IS VERY EASY TO BACKDOOR THIS SORT OF SOFTWARE TO CONTAIN MALWARE. PLEASE BE EXTREMELY CAREFUL. THESE MIRRORS ARE TRUSTED, BUT STILL CHECK THE SHA1.

Download the pre-compiled version from the table below.
Check the SHA1 hash of the downloaded file (optional but recommended).
Install using Cydia Impactor.
Open the application and follow instructions.

Version	Download	SHA1
Beta 7	Link	4afa99d4b568aa8cbb9ac61fddd584111fed79c5
Beta 6	Link	0130ebe60c97e2013a4b849b7d9bc321d749f304
Beta 5	Link	f8eb6cd37054a9d25b818e3bddd13bfedbf72df1
Beta 4	Link	f8270e59d7d7267613ffa63217b91fea425eec36
Beta 3	Link	b2e0bdd31566f876d67cba036b5d29aef7ff257d
Beta 2	Link	4fddad7cca8aa0c0a6579c1d63d00917f15efc86
Beta 1	Link	2fe14f1c1e1a0d26203bbb123f6747a978dd2b4f

Contributing

Create a fork of the repository, make your changes and then create a pull request. Please be sure to check if the pull request has been made before, before creating a new one. Note, any pull requests adding IOKit headers will be closed. Please respect copyright laws, and do not distribute / download IOKit headers from unofficial sources: they are bundled legally with macOS SDK

yalu102's People

Contributors

Stargazers

Watchers

Forkers

fxfactorial nicolaspte1998 shade-zepheri slogutis androolloyd abdomuftah vmunich mrwyx viisauksena hayesc3322 2600box spr-luis nuke11proof sumalla twicepipes spike008t darknesgaming tomlube pandazheng obaby akpotter egybkgo9449 boierito drake90001 geekwish b0ngl0rd 0neday zhengmin1989 johnnyb186 klaus385 arnoldtaw zacharyzhang-ny azmmat holdmyl nhoxbooedu sseemmooo dudego mrwulff flankerhqd quintus08 jtv7 stefanstefan2001 liudayu oboje hirakujira kostiazzz bean6754 sleepyknife rtridz smichalowski lucadiliello pollito05 killcamper mowd wcameronmartin snowleopardw hilariousfan23 dizzydz eagle518 thomasking2014 rpalmieri99 zaczh hcanzonetta noscripter inlefter mzirintu a7ent 1gitgrey cydios hengos wjm va2ron1 ieswxia ellecox kpwnz mohsenuae10 seifscape wh33t01 istighfarinba daniel63194 milo2012 ccebreros1 fdinc noah-p0werd0wn zaqfx seemirra big538 masbog xinrenparty meyer9 sunyuping brunonfl davidvazguijarro knovikllc galicia agagarin lzk3624 lltcggie denisiums wazowski78

yalu102's Issues

Find the offsets

Could you make a write up on how to find the offsets for our device and iOS like p0 did it would save you time and since you don't have the devices anyway it could help for more support

The allproc offset is the one from Mach portal right?
The other two we don't know how to get so maybe you could explain to us how like project zero did

Regards
Cawk

iPhone 6s N71m failed retry (Jailbreak)

iPhone 6s N71m failed try again ;)

it doesn,t work

Does it work on ipad air 2 - Wifi?

Question in title

How come my screen go's completely black ?

In yalu1011 it has wierd screen distortion then it kernel panics. this time its instant to black and reboots.

sysname: Darwin
nodename: 0
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000
machine: iPhone8,1
2017-01-25 15:58:58.675005 yalu102[237:5001] found corruption 37c03

Iphone 7 & 7 plus support

How much more for the 7 & 7+ to be supported??

Build issues...

When I try to build yalu102.app in Xcode 8.2, I get a lot of kernel linking errors

I have iPad Air 2 Wi-Fi 10.2 Offsets

_allproc: 0x5b8528
_kernproc: 0x5be0e0
fffffff0075c20b8 S _rootvnode
fffffff0071e1258 S _vfs_rootvnode

iPhone 6+ offsets

For iOS 10.1.1:

uname version: Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000
allproc: 0x5B4168
rootvnode: 0x5ba0b8

(planning for the future)

offsets for iPad Air 2 Wi-Fi?

Got iPhone 6 Offsets but after multiple reboots and runs Cydia isn't appearing

What Xcode outputs

sysname: Darwin
nodename: Andrews-iPhone
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:08 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_T7000
machine: iPhone7,2
2017-01-25 23:08:40.822432 yalu102[226:4153] found corruption d07
2017-01-25 23:08:43.421386 yalu102[226:4153] found kernel text at fffffff012404000
2017-01-25 23:08:43.423499 yalu102[226:4153] got tfp0 -> e07
2017-01-25 23:08:43.425650 yalu102[226:4153] found procs at fffffff1174f68b0
2017-01-25 23:08:43.429818 yalu102[226:4153] seg: __TEXT
2017-01-25 23:08:43.429903 yalu102[226:4153] seg: __DATA_CONST
2017-01-25 23:08:43.429940 yalu102[226:4153] seg: __TEXT_EXEC
2017-01-25 23:08:43.429978 yalu102[226:4153] seg: __KLD
2017-01-25 23:08:43.430012 yalu102[226:4153] seg: __LAST
2017-01-25 23:08:43.430044 yalu102[226:4153] seg: __DATA
2017-01-25 23:08:43.430078 yalu102[226:4153] seg: __PRELINK_TEXT
2017-01-25 23:08:43.430173 yalu102[226:4153] seg: __PLK_TEXT_EXEC
2017-01-25 23:08:43.430227 yalu102[226:4153] seg: __PRELINK_DATA
2017-01-25 23:08:43.430264 yalu102[226:4153] seg: __PLK_DATA_CONST
2017-01-25 23:08:43.430298 yalu102[226:4153] seg: __PLK_LINKEDIT
2017-01-25 23:08:43.430332 yalu102[226:4153] seg: __PRELINK_INFO
2017-01-25 23:08:43.430366 yalu102[226:4153] seg: __LINKEDIT
2017-01-25 23:08:43.430478 yalu102[226:4153] fffffff0114cc000 - fffffff012c94000
2017-01-25 23:08:43.486675 yalu102[226:4153] ffffffff03d98000
2017-01-25 23:08:43.533917 yalu102[226:4153] fffffff0124715a0
2017-01-25 23:08:43.572392 yalu102[226:4153] pmap: fffffff012920850
2017-01-25 23:08:43.611367 yalu102[226:4153] got phys at 0 for virt fffffff002f78000
2017-01-25 23:08:43.611499 yalu102[226:4153] found cpu 0
2017-01-25 23:08:43.611533 yalu102[226:4153] found physz: fffffff012493000
2017-01-25 23:08:43.611570 yalu102[226:4153] found cpu 1
2017-01-25 23:08:43.611599 yalu102[226:4153] found physz: fffffff012493000
2017-01-25 23:08:43.611645 yalu102[226:4153] fffffff012593574 - fffffff0125933a8
2017-01-25 23:08:43.612986 yalu102[226:4153] ttbr0: 802ab9000 fffffff012471590
2017-01-25 23:08:43.613362 yalu102[226:4153] got a cpacr

hmm.. i just get more and more errors ( iphone 6s ios 10.2)

iPad mini 2 (Wi-Fi) jailbreak rebooting with seemingly offsets?

title: s/seemingly offsets/seemingly correct offsets

Offsets I'm using:

allproc_offset = 0x5ac418;
rootvnode_offset = 0x5a8418;

syslog:

sysname: Darwin
nodename: Benjamins-iPad
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X
machine: iPad4,4
2017-01-26 01:14:10.684549 yalu102[228:5118] found corruption 37c03
2017-01-26 01:14:11.442127 yalu102[228:5118] found kernel text at fffffff009804000
2017-01-26 01:14:11.445041 yalu102[228:5118] got tfp0 -> 37d03
2017-01-26 01:14:11.447014 yalu102[228:5118] found procs at fffffff10ca12cb8
2017-01-26 01:14:11.453163 yalu102[228:5118] seg: __TEXT
2017-01-26 01:14:11.453278 yalu102[228:5118] seg: __DATA_CONST
2017-01-26 01:14:11.453329 yalu102[228:5118] seg: __TEXT_EXEC
2017-01-26 01:14:11.453377 yalu102[228:5118] seg: __KLD
2017-01-26 01:14:11.453422 yalu102[228:5118] seg: __LAST
2017-01-26 01:14:11.453464 yalu102[228:5118] seg: __DATA
2017-01-26 01:14:11.453574 yalu102[228:5118] seg: __PRELINK_TEXT
2017-01-26 01:14:11.453622 yalu102[228:5118] seg: __PLK_TEXT_EXEC
2017-01-26 01:14:11.453663 yalu102[228:5118] seg: __PRELINK_DATA
2017-01-26 01:14:11.453704 yalu102[228:5118] seg: __PLK_DATA_CONST
2017-01-26 01:14:11.453745 yalu102[228:5118] seg: __PLK_LINKEDIT
2017-01-26 01:14:11.453786 yalu102[228:5118] seg: __PRELINK_INFO
2017-01-26 01:14:11.453825 yalu102[228:5118] seg: __LINKEDIT
2017-01-26 01:14:11.453866 yalu102[228:5118] fffffff008994000 - fffffff00a09c000
2017-01-26 01:14:11.526676 yalu102[228:5118] ffffffff03f64000
2017-01-26 01:14:11.580815 yalu102[228:5118] fffffff0098655a0
2017-01-26 01:14:11.620324 yalu102[228:5118] pmap: fffffff009d14850
2017-01-26 01:14:11.660655 yalu102[228:5118] got phys at 0 for virt fffffff0008bc000
2017-01-26 01:14:11.660834 yalu102[228:5118] found cpu 0
2017-01-26 01:14:11.660880 yalu102[228:5118] found physz: fffffff009887000
2017-01-26 01:14:11.660928 yalu102[228:5118] found cpu 1
2017-01-26 01:14:11.660966 yalu102[228:5118] found physz: fffffff009887000
2017-01-26 01:14:11.661028 yalu102[228:5118] fffffff00998733c - fffffff00998719c
2017-01-26 01:14:11.663283 yalu102[228:5118] ttbr0: 8020bd000 fffffff009865590
2017-01-26 01:14:11.663814 yalu102[228:5118] got a cpacr

Then the device reboots.

Can anyone verify if these offsets are correct?

Can someone compile this?

I don't have a mac D:

Adding Support for iPhone 5S and iPhone 6 ?

Adding Support for iOS 10.1.1 for the iPhone 5S and 6 ?

Thanks for your hard work

Where do I download the Headers?

I can not build the yalu app

iPhone 5S Offset

allproc_offset = 0x5b20e0;
rootvnode_offset = 0x5b20b8;
Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X

[tvOS] offsets

If someone is trying to make it work, here's what I found :

allproc_offset = 0x5b8168;
procoff = 0x360; //not sure at all
rootvnode_offset = 0x5ba0b8;

syscall perf degradation

a known bug is syscall perf degradation. this is due to a difference from yalub3 which will be sorted out at some point

failed,retry

before used yalu b3,now use yalu102,show "failed,retry"
iPhone 7 iOS10.1.1

'libkern/OSReturn.h' file not found

says file not found cannot compile...

4K Device Support

Support needed for 4K devices. ( In more understandable terms, "old" devices )

just a question, sorry for posting it here

a commit made like 10 mins ago called "mobilesubstrate omg" just caught my attention, does this mean substrate is working or..?

also, where should i post questions about this? twitter (i would but idk who to ask)?

EXC_BAD_ACCESS on running the jailbreak

I have a feeling this is due to my device (iPhone 6+) not being officially supported, but here's the report.

I have put the correct allproc_offset inside offsets.c. When I run the jailbreak, the app stalls.

The log is as follows:

sysname: Darwin
nodename: Georges-iPhone
release: 16.1.0
version: Darwin Kernel Version 16.1.0: Thu Sep 29 21:56:11 PDT 2016; root:xnu-3789.22.3~1/RELEASE_ARM64_T7000
machine: iPhone7,1
2017-01-26 09:49:45.375728 yalu102[245:6882] found corruption 1207
2017-01-26 09:49:48.027033 yalu102[245:6882] found kernel text at fffffff012404000
2017-01-26 09:49:48.029040 yalu102[245:6882] got tfp0 -> 38103
2017-01-26 09:49:48.029424 yalu102[245:6882] found procs at fffffff11654dc98
2017-01-26 09:49:48.033201 yalu102[245:6882] ffffffffffffffff - 0
2017-01-26 09:49:48.033250 yalu102[245:6882] 143080040ef80
(lldb)

The error message (Line 183, jailbreak.m):

http://i.imgur.com/u9aFPah.png

Variable values at the point of crash:
http://imgur.com/a/pZ555

Where do you get the IOKit files??

iPod touch 6?

No, I don't have the offsets :C

Problems

Ive fixed many issues with IO kit (i think it was on my end) but anyways when i try to click the go button it crashes my device and idk if its supposed to install cydia or what (i assume it was considering it had cydia.app and all of the essintaial cydia components in the bootstrap.tar file so)

Can't add offsets for alternate board ids

The current uname.version string comparison is insufficient, it needs the board/model id to be able to create cases for devices with the same kernel but different boards (e.g. Samsung vs TSMC).

Support for iPad Mini 4 WiFi

Could someone add support for this please, thanks in advance.

Support iPhone SE iOS 10.2

Please add iPhone SE
Thanks

iPhone 6S Plus apps fail to launch

release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000
machine: iPhone8,2

All apps (App Store and system) other than Cydia, Messages, Photos, Camera and Watch fail to launch.

Stuck on while loop after "found kernel text"

Trying out the jailbreak on my iPhone 6 (7,2) and I get passed the crash that most are having at found corruption but then it freezes afterwards at "found kernel text at" I did some logging in the code and it seems to be stuck at the while loop around line 247 (while (proc_) {) any ideas?

This is running while still attached to Xcode by the way.

iPhone 5S

I find offset for iPhone 5S, but get error

sysname: Darwin
nodename: iPhone-Slonick
release: 16.3.0
version: Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S5L8960X
machine: iPhone6,1
2017-01-26 06:16:38.111751 yalu102[204:3578] found corruption 38203
2017-01-26 06:16:42.325356 yalu102[204:3578] found kernel text at fffffff015c04000
2017-01-26 06:16:42.327648 yalu102[204:3578] got tfp0 -> f07
2017-01-26 06:16:42.328246 yalu102[204:3578] found procs at fffffff0161af1b0
2017-01-26 06:16:42.328547 yalu102[204:3578] seg: __TEXT
2017-01-26 06:16:42.328619 yalu102[204:3578] seg: __DATA_CONST
2017-01-26 06:16:42.328664 yalu102[204:3578] seg: __TEXT_EXEC
2017-01-26 06:16:42.328743 yalu102[204:3578] seg: __KLD
2017-01-26 06:16:42.328789 yalu102[204:3578] seg: __LAST
2017-01-26 06:16:42.328830 yalu102[204:3578] seg: __DATA
2017-01-26 06:16:42.328871 yalu102[204:3578] seg: __PRELINK_TEXT
2017-01-26 06:16:42.328911 yalu102[204:3578] seg: __PLK_TEXT_EXEC
2017-01-26 06:16:42.328991 yalu102[204:3578] seg: __PRELINK_DATA
2017-01-26 06:16:42.329042 yalu102[204:3578] seg: __PLK_DATA_CONST
2017-01-26 06:16:42.329083 yalu102[204:3578] seg: __PLK_LINKEDIT
2017-01-26 06:16:42.329123 yalu102[204:3578] seg: __PRELINK_INFO
2017-01-26 06:16:42.329162 yalu102[204:3578] seg: __LINKEDIT
2017-01-26 06:16:42.329200 yalu102[204:3578] fffffff014dbc000 - fffffff016498000
2017-01-26 06:16:42.399342 yalu102[204:3578] ffffffff03d9c000
2017-01-26 06:16:42.444078 yalu102[204:3578] fffffff015c655a0
2017-01-26 06:16:42.483456 yalu102[204:3578] pmap: fffffff016114850
2017-01-26 06:16:42.522567 yalu102[204:3578] got phys at 0 for virt fffffff002fc8000
2017-01-26 06:16:42.522748 yalu102[204:3578] found cpu 0
2017-01-26 06:16:42.522790 yalu102[204:3578] found physz: fffffff015c87000
2017-01-26 06:16:42.522836 yalu102[204:3578] found cpu 1
2017-01-26 06:16:42.522873 yalu102[204:3578] found physz: fffffff015c87000
2017-01-26 06:16:42.522969 yalu102[204:3578] fffffff015d8733c - fffffff015d8719c
2017-01-26 06:16:42.524845 yalu102[204:3578] ttbr0: 8024c5000 fffffff015c65590
2017-01-26 06:16:42.525369 yalu102[204:3578] got a cpacr

IOKit/IOKitLib.h file not found

/Users/arinc/Documents/yalu102/yalu102/jailbreak.m:14:9: 'IOKit/IOKitLib.h' file not found

Kernel Panic for iPhone 6s Plus iOS 10.2

Hey,
I've tried the jailbreak about 10 times but it resprings the device and nothing happen, here is the kernel panic log:

http://pastebin.com/BGkLuSMG

Ipad mini 3 offsets

Can anyone give me the mini 3's offsets

rootvnode_offset

I was able to get correct offset for 6s on 10.2. Here's the output. Am I suppose to change the rootvnode_offset too?

Possible incorrect offsets for iPad Air 2 Wi-Fi

Whenever I try on iPad Air 2 Wi-Fi it either reboots or says "failed, retry."

'libkern/OSReturn.h' file not found

Trying to compile ( Error Message: 'libkern/OSReturn.h' file not found) idk whats happening because i added header and put everything in right places so it shouldn't be saying that??? Im obviously doing something wrong. I am trying to use an old device to just test it out and get a feel for a jailbreak so

Major crash issue @kpwn

After my phone is sitting for a while i go to cydia and the phone crashes and reboots. I have to hardreset the phone for yalu to work again @kpwn

[Can be a tester] possible on tvOS ?

Is it possible to adapt for tvOS 10.0.1 / 10.1 (equivalent to iOS10.2 I think) ?
I can test anything you post on my Apple TV.
Thanks !

iPhone 5S iPhone6,2 Crash

Opens and crashes with the message found corruption 38503

Does not work on iPad4,7

Before everyone goes crazy, yes, I know. It does not work on all devices. Just letting Luca know.

I don't think it was a kernel panic, all that happens is it hangs and then reboots.

Since you released incomplete source, would it be against EULA to open this and learn a little?

With the current status of the jailbreak community going to an absolute pile of garbage, would it be ok if I opened the source to learn a little about how the jailbreak works?

Thanks and with much respect,

rpalmieri

IOKit/IOKitLib.h file (SOLVED)

IOKit/IOKitLib.h file not found

Thx, this problem was solved

Could not build module 'IOKit'

Also says this when i try to compile

Substrate error

Cydia substrate seems to make apps crash when jailbroken

Add Support for iPhone 6S | N71AP

else if (strcmp(u.version, "Darwin Kernel Version 16.3.0: Tue Nov 29 21:40:09 PST 2016; root:xnu-3789.32.1~4/RELEASE_ARM64_S8000") == 0) {
allproc_offset = 0x5a8438;
procoff = 0x360; // iphone 6s N71AP , credit to @jonderewith
rootvnode_offset = 0x5b20b8;
}