iPhone14,8 sbx1sbx1 crash during GPU→mediaplaybackd escape #305

Description

@kennedydqz-del

iPhone14,8 (14 Plus) + iOS 18.6.2 — Heartbeat Trace Results

Device: iPhone 14 Plus (iPhone14,8, A15) — iOS 18.6.2 (Build 22G100)

Tested 15+ times with 20obb/darksword-Exploit web version + custom print() heartbeat chain:

✅ SBX1_STARTED      — sbx1_main.js eval executed successfully
✅ SBX1_SPAWN_READY  — function definitions completed
✅ SBX1_PIPELINE_START — main pipeline sbx1sbx1() started
💀 Crash              — sbx1sbx1() crashed internally; PIPELINE_RESULT never appeared
❌ PE_INJECTED_OK     — pe_main was never injected into mediaplaybackd
❌ 0 POST data packets

Conclusion: The second sandbox escape sbx1sbx1() (GPU→mediaplaybackd, CVE-2025-43510 COW bug) crashes on iPhone14,8. RCE and first sandbox escape (sbx0) pass consistently.

Question: iPhone14,8_22G100 offsets are complete in the code, but sbx1sbx1() fails somewhere internally. Has anyone encountered this or have suggestions?
