
Hangs after PATCH stage on A9 devices (CPID: 8000) #1

Closed
MatthewPierson opened this issue May 30, 2022 · 19 comments

Comments

@MatthewPierson

Attempting to run './gaster pwn' hangs forever after reaching the PATCH stage on all my A9 devices, a 6s and two SEs. This occurs using both LibUSB and IOKit, along with raised USB_TIMEOUT values. Device does not reboot, just stays on a black screen with nothing being printed to the serial output. Only occurs on my A9 devices, works perfectly fine on my A7, A8, A10 and A11 devices (Side-note, great job on the support for those devices!).

[Screenshot: Screen Shot 2022-05-30 at 7 56 50 PM]

@rA9stuff

I’m having the exact same issue with the same output on s8003. Program is run from macOS 12.4 Monterey installed M1 Pro with USB-A cable connected to USB-C to USB-A adapter.

0x7ff added a commit that referenced this issue May 30, 2022
@MatthewPierson
Author

Tried again using the latest commit, still having the same behaviour on all the A9s.

@0x7ff
Owner

0x7ff commented May 31, 2022

Hey @MatthewPierson,

Thanks for creating this issue. I don't have an A9 device right now, but the issue is probably related to the shc overflow issue so I fixed it by removing the unused parts. Please try the new commit, thanks.

@rA9stuff

Not @MatthewPierson but it didn't work on my s8003 device. Here's the output of the latest commit.

ra9@rA9s-MacBook-Pro gaster-main-3 % ./gaster pwn
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227

@HydrationMan

Same here on s8000, latest commit

@MatthewPierson
Author

@0x7ff Can confirm that I still get the same issue even after trying on the current latest commit. Same output as @rA9stuff's image on my s8000 devices.

@0x7ff
Owner

0x7ff commented Jun 1, 2022

@MatthewPierson @rA9stuff @HydrationMan,
The issue is solved, as it turns out eclipsa was broken too. Thanks.

@rA9stuff

rA9stuff commented Jun 1, 2022

Can confirm it is now resolved :)

ra9@rA9s-MacBook-Pro gaster-main-4 % ./gaster pwn
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8003 CPRV:01 CPFM:03 SCEP:01 BDID:02 ECID:[REDACTED] IBFL:1C SRTG:[iBoot-2234.0.0.2.22] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.
ra9@rA9s-MacBook-Pro gaster-main-4 % irecovery -q
CPID: 0x8003
CPRV: 0x01
BDID: 0x02
ECID: [REDACTED]
CPFM: 0x03
SCEP: 0x01
IBFL: 0x1c
SRTG: iBoot-2234.0.0.2.22
SRNM: N/A
IMEI: N/A
NONC: 2f714fabdf7d17e9435cb8889d854fc11f37aa64
SNON: 56d93da48e347d687d1ac2caaefa71995bb655ef
PWND: gaster
MODE: DFU

@rA9stuff

rA9stuff commented Jun 1, 2022

Though, it fails on T8011, device reboots while exploiting. Here's the output.

ra9@rA9s-MacBook-Pro gaster-main-4 % ./gaster pwn
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:[REDACTED] IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:[REDACTED] IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227

P.S. I could open a different issue for this if you want to.

@0x7ff
Owner

0x7ff commented Jun 1, 2022

Hey @rA9stuff,
Change config_overwrite_pad from 0x540 to 0x580 on this line (https://github.com/0x7ff/gaster/blob/main/gaster.c#L745) and tell me if it works or not. If it is then I will update the code. Thanks.

@rA9stuff

rA9stuff commented Jun 1, 2022

Hi @0x7ff,

It did not fix the issue, device still reboots after running the exploit. Here's the output:

ra9@rA9s-MacBook-Pro gaster-main-4 % ./gaster pwn
usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:[REDACTED] IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8011 CPRV:10 CPFM:03 SCEP:01 BDID:04 ECID:[REDACTED] IBFL:3C SRTG:[iBoot-3135.0.0.2.3]
Found the USB handle.
Stage: SPRAY
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227

@0x7ff
Owner

0x7ff commented Jun 1, 2022

It's failing in the spray stage which means that either config_hole or config_overwrite_pad is wrong. Please increase config_overwrite_pad to 0x5C0 lastly and if it doesn't work for you then I will find an A10X device to do more testing.

@0x7ff
Owner

0x7ff commented Jun 1, 2022

@rA9stuff

@rA9stuff

rA9stuff commented Jun 1, 2022

@0x7ff it didn't fix the issue, but it might be occurring due to me using Apple Silicon. I'd wait for Intel mac users to test gaster on T8011 before trying to fix it. Thanks.

@rA9stuff

rA9stuff commented Jun 1, 2022

A similar program called ipwnder-lite also fails to pwn 8011 on Apple Silicon, but succeeds on Intel, so that's what I assumed might be happening here.

@P5-2005

P5-2005 commented Jun 1, 2022

@rA9stuff
seems fixed, macOS Big Sur, Intel CPU

usb_timeout: 5
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8000 CPRV:20 CPFM:03 SCEP:01 BDID:04 ECID:000000764FFFFFFF IBFL:1C SRTG:[iBoot-2234.0.0.3.3]
Found the USB handle.
Stage: RESET
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8000 CPRV:20 CPFM:03 SCEP:01 BDID:04 ECID:00000076FFFFFF IBFL:1C SRTG:[iBoot-2234.0.0.3.3]
Found the USB handle.
Stage: SETUP
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8000 CPRV:20 CPFM:03 SCEP:01 BDID:04 ECID:000000764FFFFFF IBFL:1C SRTG:[iBoot-2234.0.0.3.3]
Found the USB handle.
Stage: PATCH
ret: true
[IOKit] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8000 CPRV:20 CPFM:03 SCEP:01 BDID:04 ECID:000000764DFFFFFFF IBFL:1C SRTG:[iBoot-2234.0.0.3.3] PWND:[gaster]
Found the USB handle.
Now you can boot untrusted images.

@HydrationMan

> @MatthewPierson @rA9stuff @HydrationMan,
> The issue is solved, as it turns out eclipsa was broken too. Thanks.

Thanks, new commit is working beautifully.

@MatthewPierson
Author

Can confirm that the latest commit works on every A7, A8, A9, A10 and A11 device that I have! Am using an Intel mac if that's relevant. Will close this issue now.

@homermafia

Is this supposed to work on Linux systems? I get the same problem on an A7 device, Ubuntu 20.4.

sudo ./gaster pwn
usb_timeout: 5
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:000000B6F437ED14 IBFL:1C SRTG:[iBoot-1704.10]
Found the USB handle.
Stage: RESET
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:000000B6F437ED14 IBFL:1C SRTG:[iBoot-1704.10]
Found the USB handle.
Stage: SPRAY
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:000000B6F437ED14 IBFL:1C SRTG:[iBoot-1704.10]
Found the USB handle.
Stage: SETUP
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
CPID:8960 CPRV:11 CPFM:03 SCEP:01 BDID:00 ECID:000000B6F437ED14 IBFL:1C SRTG:[iBoot-1704.10]
Found the USB handle.
Stage: PATCH
ret: true
[libusb] Waiting for the USB handle with VID: 0x5AC, PID: 0x1227
^C
