Fix a race condition in GUI when printing and fix malfunctioning analyticsd daemon. #242
Conversation
|
@SongXiaoXi Absolutely incredible work!! 👏🏼👏🏼👏🏼 Outstanding root cause analysis. Man you just did the exact thing I hoped for on a long shot when I documented this 2 weeks ago on #238. What's even crazier is by sheer coincidence you're the same guy who did the bulk of the work when I set out to bring the official D0m0 CocoaTop64 BigBoss release up to iOS 13+ support and iPad SplitView compatibility etc.! (The only 2 major GitHub jailbreak projects I've participated on) I'm ecstatic and cannot wait to try this out. I don't have a Mac and do all my development with Clang and theos on device, is there a way I can compile this? Or can you post a binary? I have a swiftc and repl but I've never used them. |
|
@badger200 Oh yeah, nice to see you here.
passwd: master.passwd:
Good luck enjoying analyticsd! |
|
老哥 要不要简单出个修改脚本先 |
|
Have you been regularly rebooting to ensure that this all applies indefinitely? And great work |
|
老哥方便做个脚本给普通用户使用嘛感激不尽 |
|
I think you should fully test out something like this before submitting a PR, I’m not doubting the logic, but the implementation seems to be broken atm. |
|
@dlevi309 Can you point out what implementation is wrong? I have it running on iPhone 12 iOS 14.2.1 and iOS 14.5.1. And this fix doesn't rely on struct offsets to be patched, so I don't think it's necessary to test all devices between these two system versions (of course, I don't own all of them). |
|
@SongXiaoXi Hi, and I was getting a permissions issue error when the jailbreak would try drop the analyticsd plist onto the device, but I guess it was my fault for not fully unjailbreaking first. And I just want to confirm that you’ve installed this patch by running this project? because I noticed that you mentioned doing this manually. Sorry, I just wanna make sure before I attempt to run it again 😅 |
|
@dlevi309 Yes, I have encountered this problem, it seems that fugu14 itself will not overwrite /Library/LaunchDaemon/analyticsd.plist if you forgot to delete it beforehand. |
|
@SongXiaoXi You should probably add that to the explanation above then, because that would have been good to know :p either way, I’ll try this out again at some point, so thank you again for your contribution |
|
@SongXiaoXi Success!! I finally got the nerve to do this. You were right, I needed to remove the The rest was straightforward but I was triple checking everything and caution anyone following this, I made sure to use For anyone following this, here's a list of my exact commands from my .bash_history, I left in all my checks so you can remember to confirm each step yourself: I have several aliases:
Several more extremely handy aliases I use:
(Verified that Notice command 46449 does NOT have a trailing / on the path, crucial for affecting the symlink itself, rather than the dir it points to) |
How about making a shell script? |
|
@nildeveloper I considered it, it would be pretty easy to do, but given the possibility of bricking someone's device or at least breaking their jailbreak possibly irreversibly (or necessitating an orig-fs restore which loses everything you've ever added on disk0s1s1 (all except /private/var or /var), I don't feel it would be a responsible thing to do. Also I only have iOS 14.4 to test on and I can't assume my shell script would correctly handle everyone using it. I really hope LinusHenze and Pwn2ownd will accept @SongXiaoXi 's PR to make this all part of the proper fix. If you're willing to accept all those risks, I can take the terminal history I posted and just strip out all the verbose checks and let you try it...? Or you could even do it yourself by pasting that into a file, then simply running something like |
Thanks for your reply, i have restored rootfs last night,bacause of the random reboot when using some APP. |
|
I think the bigger news here is your claim on line 774 of |
|
I had installed fugu14 with your change, now battery usage is normal. (12mini ,14.3) |
|
pulled the trigger on this and battery usage + all the smaller bugs caused by the original bug (which was.. a lot) are all fixed up! Thanks for your work on this! (and I didn’t do the manual method, I restored rootfs, reinstalled the jailbreak with xcode, etc. on an iPhone 12 Pro Max, 14.4) btw, if someone wrote a script to automate the manual method, this fix could easily be deployed as a package for users who currently have the original installed |
|
Guys 🚨I've been getting kernel panics🚨 every time I play Real Racing 3 and click video ads (not sure why, but this is a very reliable trigger) usually panic log saying "Unexpected SoC watchdog reset" otherwise it's a use after free zone in panicked task launchd pid 1. Ever since about 2 days after I did this fix... I have carefully traced everything else I changed on my system in this timeframe and step by step isolated it but the panics continue EVEN if I disable tweak injection altogether! Could it possibly be related to the analyticsd fix? Do any of you who implemented this fix have Real Racing 3 installed and can try clicking 5-10 ads? I cannot watch 5-10 ads without a panic. Usually it panics on the first ad. Sometimes it panics as soon as the RR3 game menu loads! If anyone knows how to debug a kernel panic I'm all ears. I used jtool2 to symbolicate my panic-full-xxx.ips log but don't see any obvious culprit. |
|
Does this occur with and without this PR? I have not tested PR #242, but I’ve experienced what I believe to be panics attempting to watch SimCity Buildit ads when jailbroken.
iPadから送信
… 2022/06/12 5:18、badger200 ***@***.***>のメール:
Guys I've been getting kernel panics every time I play Real Racing 3 and click video ads (not sure why, but this is a very reliable trigger) usually panic log saying "Unexpected SoC watchdog reset" otherwise it's a use after free zone in panicked task launchd pid 1.
Ever since about 2 days after I did this fix... I have carefully traced everything else I changed on my system in this timeframe and step by step isolated it but the panics continue EVEN if I disable tweak injection altogether!
Could it possibly be related to the analyticsd fix?
Do any of you who implemented this fix have Real Racing 3 installed and can try clicking 5-10 ads? I cannot watch 5-10 ads without a panic. Usually it panics on the first ad. Sometimes it panics as soon as the RR3 game menu loads!
If anyone knows how to debug a kernel panic I'm all ears. I used jtool2 to symbolicate my panic-full-xxx.ips log but don't see any obvious culprit.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you commented.
|
|
@UInt2048 Unfortunately I found this Issue for uncover 8.0.2 on the same iOS 14.4 I'm on: unc0ver 8.0.2 ios 14.4 kernel panic when launching game He gets panics launching Fruit Ninja 2 on his iPhone. Update: Wow, I installed Fruit Ninja 2, and just as his Issue describes, I ☠️immediately got a kernel panic☠️ (pink screen/reset) 10 seconds after launching the app. It was merely playing an intro screen. Are you also using iOS 14.4? I did the analyticsd user/group edits all manually (see my long comment above) and it's not easily reversible, I didn't take detailed notes on what all files/dirs/symlinks original perms were. So now I'm nervous about undoing the change, but I will have to do it if I can't find another solution. |
|
@badger200 As far as I know, the |
|
@SongXiaoXi Very good insight into the issue. Unfortunately I am using 14.4. I believe even when I disabled Tweak Injection in the SubstituteSettings.app, it still injects substitute-loader.dylib etc into every app. I wonder if I could switch to Cydia Substrate somehow as a test? |
|
@badger200 No. |
|
Yes, my device is an iPad Air 4 on iPadOS 14.4.
iPadから送信
… 2022/06/12 5:35、badger200 ***@***.***>のメール:
@UInt2048 Unfortunately I found this Issue for uncover 8.0.2 on the same iOS 14.4 I'm on: pwn20wndstuff/Undecimus#2288 He gets panics launching Fruit Ninja 2 on his iPhone.
Are you also using iOS 14.4?
I did the analyticsd user/group edits all manually (see my long comment above) and it's not easily reversible, I didn't take detailed notes on what all files/dirs/symlinks original perms were. So now I'm nervous about undoing the change, but I will have to do it if I can't find another solution.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.
|
|
@UInt2048 Can you install Fruit Ninja 2 and report whether it panics 10 seconds after launching the app? I'm curious if anyone else here using unc0ver 8.0.2/Fugu14 on iOS 14.4+ gets panics on Fruit Ninja 2 a mere 10 seconds later? |
|
@SongXiaoXi Do you think I should try changing my analyticsd groups etc back to original to see if my panics stop? Is there any step that could kill my jailbreak? I absolutely cannot afford to lose my /dev/disk0s1s1 data with an orig-fs restore. (Unless it's possible to make a new snapshot, restore, then restore to this other snapshot, so the net result is as if I never did any restoring?) |
|
I restored rootfs and battery usage is appearing in settings and normally recording. I can try reinstalling the jailbreak but I have done that to no avail this far… |
|
@SongXiaoXi In my research of the 3D game panics, I saw a kernel panic that suggested this occurs with the Apple Neural Engine, I saw a bunch of "ANExxxxxx" calls in the panic trace. I can't be certain though. I desperately wish there was a way to temporarily disable the Neural Engine and test that. Apple tells developers there's no way to know if your code will execute on CPU, GPU, or Neural Engine processors, as it handles it automatically and uses its own judgment depending on various factors like how it performs, battery usage, how often the function is being called, etc. (Now I wonder if our crash might occur at a different rate plugged in vs on battery?) So if there was a way to disable the ANE, theoretically everything should continue to function but just get executed on CPU or GPU. I would be ecstatic if I had the option of disabling ANE and getting rock solid stability, I don't mind a performance trade off. |
|
@badger200 When I reviewed my crash logs from a previous time, I noticed that they all contained 'element modified after free' errors within the tasks or proc zone. This issue seems to occur frequently in low-quality web-based apps and may be related to different users' habits. Therefore, the panic caused by the Neural Engine you mentioned may be one of them, but I don't have any reverse engineering knowledge in this area. By the way, based on my previous judgment, I conducted numerous tests using the modified Fugu14 and unc0ver/Taurine. For example, I used Fugu14 and the open-source parts of Taurine to construct an experimental jailbreak tool to test its effectiveness against crashes. There is still a small chance of crashing, as Taurine's jailbreakd is also not open source and may patch the kernel in a manner similar to substituted. I have no good way to modify it too. I still believe that the patches made by substituted/jailbreakd using kernel rw before each process starts greatly affect stability. If I have a significant amount of free time, I plan to explore what Linus and opa334 did in Fugu15 and make one last attempt to build a jailbreak tool using Fugu14 and the fully open-source Fugu15 Max, possibly with my optimizations, similar to what sockH3lix achieved. |
|
I tried this but analytics.back daemon won't run and therefore, no fix. I checked cocoatop and saw that it tries every time to fire up but disappears few seconds later. What am I missing? |
|
@Nonta72 There are likely some errors occurring with the analytics.back daemon, and it typically prints logs before exiting/crashing. If you have a Mac, you can retrieve the logs containing the keyword "analytics.back" through the Console app. If not, there is a tweak that allows you to view system logs on your device, but I couldn't recall its name even after spending a few minutes thinking about it. Please pay attention to any logs related to analytics.back or ReportCrash. |
|
I get these 5 errors repeating indefinitely. Brand new installation of your fork (after succession rootfs restore) iPhone 12 Pro Max 14.5.1 |
Hi, thank you for your reply! I managed to retrieve logs and I have similar error messages just like the ones on the screenshot sent by @cdustevich1
PS : I'm also on iOS 14.5.1 on an iPhone XS. @cdustevich1 also has an iPhone 12 Pro Max with iOS 14.5.1. Maybe it has something to do with iOS 14.5.1? |
|
I think I figured it out (somewhat!). As the logs state, there was no permission to write to I checked the permissions of each directory in @cdustevich1 you should probably try this. Few commands in NewTerm2 or through an SSH tunnel should do the trick. You can use Filza if you don't want to use terminal. |
|
That worked, you are the man! The directory was different but I just looked through filza for the one with CoreAnalytics and set the permissions to 7777 for the Library folder and all subfolders and rebooted. Now if only there was a fix for Unc0ver breaking CarPlay… |
Glad it worked for you too! My battery graph has returned and so far no issue with it. I still face random reboots when I try to open some apps/games. However, I never had any issue with CarPlay using this jailbreak. I use it with a Renault Clio 5. The only tweak I use that is related to CarPlay is CarBridge which allows me to access any app in CarPlay (not sure it can fix the problem you're facing, but it's worth mentioning). |
|
@Nonta72 I also noticed this permission denied error, which might be the reason why your analyticsd.back is not working. But strangely, on my device, the owner of files in this |
No, there's nothing inside the folder. There was nothing before I changed the permission and I just checked, still nothing. Here's the output :
|
|
I also have nothing in the folder either. The permissions survived a rootfs (which surprised me but I guess makes sense) and it is definitely still working after a few hours. 14.5.1 does seem to be what’s in common between our devices so perhaps that’s the issue. SXX ur looking at the systemgroup.com.apple.osanalytics folder correct? Because that’s the one that has CoreAnalytics in it for me. |
Can you list some of those apps? I can test on my devices and see if I have the same issues.
Weirdly, CarPlay works on my CRV correctly every time but on my Mustang I have to unplug and replug 3 times for it to work. It's weird that it works differently on different vehicles, but I haven't been able to find a fix. |
It mostly happens with a local shopping app (no use for you because you won't be able to download/use it outside my country). I also face the same issue with a crypto mining app called Pi Network. It's a hit or miss really. Sometimes it happens, sometimes it doesn't. I've given up on trying to fix that. I can use the website for shopping instead of the app. The crypto mining app bug doesn't bother me anymore really.
Regarding the CarPlay, I'm not sure why it behaves like that with your vehicles. It's too bad because we're kinda stuck with 14.5.1 since iOS 16.3 and newer updates made futurerestore impossible because of the stup!d cryptex. |
|
@cdustevich1 Here bro - https://apps.apple.com/us/app/golf-clash/id1089225191 This app will crash 2 mins into it And it happens every time |
|
@SongXiaoXi Check this out!!! Someone used the new "kfd" to make an unofficial fork of Taurine for 14.4! https://github.com/wh1te4ever/Taurine/releases/tag/v1.1.6-c Unfortunately it only supports <A11 but still does this open any doors for a 14.4 fix that doesn't panic due to the task structure overwrite or whatever it is? And hopefully to avoid starting processes suspended like unc0ver v8 does? LMK |
|
@badger200 I have finally managed to find the time to tidy up all my code and release it here. And I can be certain that the kernel panic issue was caused by an implementation problem in unc0ver, because I haven't encountered any kernel panics in over two months, even when using these frequently problematic apps like low-quality web-based apps and the ones you mentioned, Fruit Ninja 2 and Real Racing 3. However, it's still a work in progress, and I can't guarantee a completion date. I have only successfully tested it on iPhone 12 running iOS 14.5.1. There's still a lot to do: I have many details that I don't know how to implement, such as userspace reboot and ldrestart. The offsets or patching methods may not be compatible with other iOS versions or devices. And the installation UI is still misleading. If you want to give it a try, it's best to understand the changes I made to the code (although the implementation is quite messy). Contributions to the code are welcome. |
|
@SongXiaoXi Great job! I hope you can release a usable version soon. I'll be available to assist with testing when that happens. 12 Pro Max 14.4.2. |
|
Test device XR/14.5.1. |
|
I have a 12 Pro on 14.3 :) |
|
Absolutely outstanding!! Is there any minimal way to try it? How/why is jailbreakd optional? Will excluding jailbreakd finally allow new processes to launch with full native speed? If you want a great torture test, build Python and do a (If Python doesn't build, you might need to manually add |
Fix a race condition in GUI when printing.
And it seems the exploitation and post-exploitation work on my iPhone 12 iOS 14.2.1 without any modification.
Fix malfunctioning analyticsd daemon
While the patch in Fugu14 preserved the user id and $HOME by changing the name of the user
_analyticsdto_nanalyticsd, it seems that some other daemon changes the owner of/private/var/db/analyticsdand its subdirectories to ·_analyticsd·, whose uid has changed to 264. This will cause the_analyticsd.backwith uid 263 to not be able to read/private/var/db/analyticsdat all, with error:Home directory is not setup. Waiting to see if it gets repaired....This fix is based on the following facts:
/private/var/mobile/Containers/Data/.getpwname_r.getuidandgetpwuid./private/var/db/analyticsdto the user name_analyticsd.So if the passwd and master.passwd have the following contents, things can be easily fixed.
And then, after the system is powered on:
/System/Library/LaunchDaemon/com.apple.analyticsd.plistwith username_analyticsdand set $HOME to /private/var/mobile/Containers/Data/Fugu14Untether based on the username./private/var/db/analyticsdto 263, based on the username_analyticsd.analyticsd.backwith the user name_nanalyticsdis launched, which will use the uid 263. Although there are two user with the same uid 263, it will only pick the first one bygetpwuid. So it will use/private/var/db/analyticsdwith the correct owner, uid 263Then the battery detail in Settings works properly.
If you have jailbroken by Fugu14, you can try the manual steps below, or remove origin Fugu14 jailbreak modification then and use this PR to jailbreak. Restoring rootfs is a easy way, but loses all tweaks. Or manually undo all modification according "Jailbreak" section in Fugu14 writeup.