
Service AppleAVEDriver not found

Open ajsacco opened this issue 8 years ago • 22 comments

When running the exploit on my iPhone 5S 10.2.1, I get stuck at:

msg too large: Error retrieving name Service AppleAVEDriver not found! Error initiating a connection to the AppleAVE driver

ajsacco avatar Sep 11 '17 05:09 ajsacco

Hi, how are you running the exploit?

hobbitlv1 avatar Sep 13 '17 17:09 hobbitlv1

I added the files to yalu102 as Luca suggested, triggering main() when the app opens. I feel like ziVA might be running in the sandbox but I'm not completely sure. (I'm pretty new to iOS exploitation; I'm just playing around with it and I don't really know much.)

P.S. I've also created a project with triple_fetch and ziVA; I have gotten triple_fetch to work but I'm not 100% sure how to implement ziVA.

ajsacco avatar Sep 13 '17 22:09 ajsacco

ziVA requires a sandbox escape, and I’m fairly sure Yalu doesn’t contain one. You would need triple_fetch, ziVA, and Yalu’s KPP bypass.

soup6020 avatar Sep 13 '17 22:09 soup6020

Do you have any ideas on how I should implement Yalu? Again, I don't have any experience in iOS exploits, so I will take any advice.

ajsacco avatar Sep 13 '17 23:09 ajsacco

Neither do I. I’m just going off of what people like S1guza have said.

soup6020 avatar Sep 13 '17 23:09 soup6020

I got the exact same problem with my triple_fetch-combined ziVA exploit. I posted my issue 9 days ago, but @doadam has a job and doesn't have time for explaining to dummies how to fix dummy problems lol. Anyway, I saw you are asking how to use the ziVA exploit with triple_fetch. Here is how I made it work:

First, my device is iPhone7,1 (6+), so it is not supported by official ziVA, so I downloaded @Mila432's offsets.m commit. Then I downloaded the project, unzipped it to my macOS Sierra desktop and replaced the offsets.m file. After that I easily built it with the Terminal app by cd and make. Then I downloaded the triple_fetch project from bugs.chromium.org. Then I copied the executable and pasted it to triple_fetch's nsxpc2pc/pocs location; I just renamed the ziVA exploit to hello_world and replaced the original one. Then I launched the triple_fetch project from Xcode and installed it to my iPhone. It automatically launched the app and the debug window showed up in Xcode. After some reboots to get the triple_fetch exploit to work, I ran the ziVA exploit by simply pressing the "exec bundles" button on the nsxpc2pc app on my iPhone. Then I checked the debug panel in my Xcode and got the same error code you got. Here is my issue link: https://github.com/doadam/ziVA/issues/5

arinc9 avatar Sep 14 '17 20:09 arinc9

Do you know exactly what ziVA does? It says kernel exploit but what does that do? Gain root access?

ajsacco avatar Sep 14 '17 22:09 ajsacco

Actually I don't know because I didn't get it to work.

arinc9 avatar Sep 14 '17 22:09 arinc9

I was trying to enable tfp0 to downgrade; I don't care about a jailbreak for 10.3, it is slower than 10.2.

arinc9 avatar Sep 14 '17 22:09 arinc9

Doesn't triple_fetch get tfp0? If so, you might be able to modify nonceenabler and run it as a poc.

ajsacco avatar Sep 14 '17 23:09 ajsacco

How did you get the ziVA poc to output in the Xcode debugger? I'm not getting any output from ziVA itself, just the nsxpc2pc app.

ajsacco avatar Sep 15 '17 04:09 ajsacco

Oh sorry, I forgot to mention that. I only got the debug process working in @Mila432's ziVA exploit fork. But don't forget to change the offsets, because Mila closed the pull request, so they are not included in that fork.

arinc9 avatar Sep 15 '17 07:09 arinc9

And no, triple_fetch has nothing to do with tfp0. Siguza has written an article about enabling tfp0 on 10.3, because there are some changes to tfp0 in 10.3 compared to 10.2.

arinc9 avatar Sep 15 '17 07:09 arinc9

Run ziVA with a sandbox bypass: http://github.com/coffeebreakerz/CheekiJailbreeki (not jailbreak)

jakeajames avatar Sep 15 '17 12:09 jakeajames

Coffeebreakerz are fake; I won't use any tools created by them.

arinc9 avatar Sep 15 '17 12:09 arinc9

Plus, if this project was working, why has nobody posted it in r/jailbreak?

arinc9 avatar Sep 15 '17 12:09 arinc9

Can you send me the ziVA binary that you used? I can't seem to get the debug log.

ajsacco avatar Sep 16 '17 03:09 ajsacco

I'm on a trip, sorry. You should do it on your own; this is the best way to learn, experience it by yourself!

arinc9 avatar Sep 16 '17 11:09 arinc9

I don't think the 5s has an AppleAVEDriver kext. I don't see it in iOS 10.1.1 or 10.2.

Sticktron avatar Sep 19 '17 15:09 Sticktron

@arinc9 "Coffeebreakerz are fake i won't use any tools created by them."

You're a complete idiot. triple_fetch needs to be modified to run ziVA correctly, and CheekiJailbreeki is the ONLY project which does that right now. Try it yourself, everything is open-source.

There are posts in /r/jailbreak but they get downvoted by idiots like you

jakeajames avatar Sep 19 '17 21:09 jakeajames

Does anyone know where in the filesystem AppleAVEDriver is stored? I've opened the ipsw for both ip5s and ip6s on 10.2.1 but can't seem to find it.

ajsacco avatar Sep 27 '17 02:09 ajsacco

It is a kernel extension (driver), you have to extract it from the kernel cache.

You can use img4tool to decompress the kernelcache and then use joker to extract kexts from it.

Sticktron avatar Sep 27 '17 03:09 Sticktron
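To settle the earlier question of whether a given device's kernelcache even contains the AppleAVEDriver kext, here is an added example (not code from this thread or from the ziVA project) that lists the bundle identifiers of the kexts prelinked into a decompressed arm64 iOS 10 kernelcache. It assumes the decompressed cache is a 64-bit Mach-O whose `__PRELINK_INFO` segment holds the XML plist of kext info dictionaries, which is the layout of that era; the sample Mach-O it builds is constructed test data, not a real kernelcache.

```python
import re
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
MACHO_HEADER = "<IIIIIIII"          # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
SEGMENT_CMD = "<II16sQQQQIIII"      # cmd, cmdsize, segname, vmaddr, vmsize, fileoff, filesize, prots, nsects, flags
KEXT_ID_RE = re.compile(rb"<key>CFBundleIdentifier</key>\s*<string>([^<]+)</string>")


def prelink_info(kc: bytes) -> bytes:
    """Return the raw __PRELINK_INFO segment of a decompressed 64-bit kernelcache."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(MACHO_HEADER, kc, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O (is the kernelcache still compressed/IMG4-wrapped?)")
    off = struct.calcsize(MACHO_HEADER)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", kc, off)
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEGMENT_CMD, kc, off)
            if fields[2].rstrip(b"\0") == b"__PRELINK_INFO":
                fileoff, filesize = fields[5], fields[6]
                return kc[fileoff:fileoff + filesize]
        off += cmdsize
    raise ValueError("no __PRELINK_INFO segment found")


def list_kexts(kc: bytes) -> list:
    """Sorted, de-duplicated bundle identifiers of all prelinked kexts."""
    return sorted({m.decode() for m in KEXT_ID_RE.findall(prelink_info(kc))})


def has_kext(kc: bytes, bundle_id: str) -> bool:
    return bundle_id in list_kexts(kc)


def build_sample() -> bytes:
    """Constructed minimal Mach-O with only a __PRELINK_INFO segment (test data, not a real cache)."""
    plist = (b"<dict><key>CFBundleIdentifier</key><string>com.apple.driver.AppleAVEDriver</string>"
             b"<key>CFBundleIdentifier</key>\n<string>com.apple.iokit.IOSurface</string></dict>")
    seg_len = struct.calcsize(SEGMENT_CMD)
    fileoff = struct.calcsize(MACHO_HEADER) + seg_len
    header = struct.pack(MACHO_HEADER, MH_MAGIC_64, 0x0100000C, 0, 2, 1, seg_len, 0, 0)
    seg = struct.pack(SEGMENT_CMD, LC_SEGMENT_64, seg_len, b"__PRELINK_INFO",
                      0, len(plist), fileoff, len(plist), 0, 0, 0, 0)
    return header + seg + plist


if __name__ == "__main__":
    # Usage: python list_kexts.py /path/to/decompressed/kernelcache (falls back to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for bundle_id in list_kexts(data):
        print(bundle_id)
```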