@coolstar
Last active January 23, 2019 11:26

Revisions

  1. coolstar revised this gist Jan 23, 2019. 1 changed file with 2 additions and 0 deletions.
    2 changes: 2 additions & 0 deletions electra-reboot-doc.md
    @@ -17,8 +17,10 @@ How to debug issue:
    4. Check logs from iOS crash log and Electra

    Note this in the logs:
    ```
    Sun Nov 25 02:20:18 2018 We got called (fake_posix_spawn)! /sbin/launchd
    Sun Nov 25 02:20:18 2018 Nothing to inject
    ```

    Note a "SystemMemoryReset" in iOS's crash reports
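    Review bot: the newly fenced log excerpt is the only evidence the debug procedure asks readers to look for, but nothing ties it to the "SystemMemoryReset" crash report two lines below; the document later notes that `launchctl reboot userspace` produces an identical pspawn log without the SystemMemoryReset entry, so consider adding the report's timestamp beside the `Sun Nov 25 02:20:18 2018` lines (or stating that the two must coincide) so a reader can tell the overnight reboot apart from a manually triggered userspace reboot. The new fence also carries no language tag; `text` would stop renderers from guessing a syntax.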

  2. coolstar revised this gist Jan 23, 2019. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions electra-reboot-doc.md
    @@ -3,6 +3,7 @@ iOS 9.?? -> iOS 11.4 (and possibly also in 12.x) Overnight "Reboot" issue
    This document is (C) CoolStar, 2019. All Rights Reserved.

    Document Date: 12/19/2018
    Updated: 1/23/2019

    Many have noticed on the Pangu 9.3 and on the Electra 11.x jailbreaks, devices can often reboot overnight
    sometimes this reboots with a WDT Timeout error, or sometimes the device comes back up without actually
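    Review bot: the copyright line still reads "(C) CoolStar, 2019" while "Document Date: 12/19/2018" says the text was written in 2018; with the added "Updated: 1/23/2019" line the notice should cover 2018-2019. Both dates also use ambiguous month-first numerals; ISO `2018-12-19` and `2019-01-23` would remove the ambiguity for non-US readers.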
    @@ -47,5 +48,4 @@ Note, the fix for this is tricky for a number of reasons:
    3. launchd execs itself, thus pspawn payload is no longer present in launchd, though pspawn payload does get called one final
    time before the exec (so we have a window of opportunity here)

    (Fix will probably miss the Electra 1.1.0 release, as that is slated for sometime around the Sileo launch next week
    [to fix the pspawn/MIG hanging issue] so there's not enough time to create and test the patch, but should be in 1.2.0)
    (Fix has missed Electra 1.1.0 release, as that was slated for around the Sileo launch [to fix the pspawn/MIG hanging issue] so there was not enough time to create and test the patch, but should be in 1.2.0)
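    Review bot: the replacement parenthetical drops the "next week" timing the previous version gave for the Sileo launch, so the line no longer says when Electra 1.1.0 actually shipped; consider adding the 1.1.0 release date (the "Updated: 1/23/2019" line added above is the natural point of reference) so the timeline for the fix stays reconstructible.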
  3. coolstar created this gist Dec 19, 2018.
    51 changes: 51 additions & 0 deletions electra-reboot-doc.md
    @@ -0,0 +1,51 @@
    iOS 9.?? -> iOS 11.4 (and possibly also in 12.x) Overnight "Reboot" issue

    This document is (C) CoolStar, 2019. All Rights Reserved.

    Document Date: 12/19/2018

    Many have noticed on the Pangu 9.3 and on the Electra 11.x jailbreaks, devices can often reboot overnight
    sometimes this reboots with a WDT Timeout error, or sometimes the device comes back up without actually
    rebooting the kernel, except all tweaks and substitute are unload (on 9.3), or the entire system becomes
    jailed (on 11.x).

    How to debug issue:
    1. Turn on iCloud backup
    2. Enable debug logging in Electra's pspawn payload
    3. Let device charge overnight for several days until it reboots overnight
    4. Check logs from iOS crash log and Electra

    Note this in the logs:
    Sun Nov 25 02:20:18 2018 We got called (fake_posix_spawn)! /sbin/launchd
    Sun Nov 25 02:20:18 2018 Nothing to inject

    Note a "SystemMemoryReset" in iOS's crash reports

    After some launchd reversing and analysis of the program flow in launchd:
    1. launchd
    2. launchd calls posix_spawn with the POSIX_SPAWN_SETEXEC attr to spawn itself
    3. the current launchd is replaced with a new instance of launchd

    From looking at launchctl man pages, there is an option "launchctl reboot userspace" which causes launchd to terminate
    all running daemons, exec itself and then perform a "userspace reboot".

    When running "launchctl reboot userspace" as root on Electra, sure enough an identical log shows up from pspawn payload
    (except no SystemMemoryReset log).

    So, what causes this?

    Initial Findings:
    1. String "Failed to write SystemMemoryReset report" and "Failed to write SystemMemoryReset report for KHWM reboot" indicate
    /usr/libexec/mmaintenanced is the culprit
    2. It appears mmaintenanced unregisters an xpc activity "com.apple.memory-maintenance.userspace_reboot"
    3. mmaintenanced has entitlement com.apple.private.xpc.launchd.userspace-reboot (though this isn't needed if the process is
    already a platform binary -- weird)

    Note, the fix for this is tricky for a number of reasons:
    1. jailbreakd has been killed by launchd as it stopped all daemons, so it will not be available to inject into the new launchd
    2. amfid has also been killed by launchd, so it is no longer patched to allow non-stock binaries (though trustcache injection still works)
    3. launchd execs itself, thus pspawn payload is no longer present in launchd, though pspawn payload does get called one final
    time before the exec (so we have a window of opportunity here)

    (Fix will probably miss the Electra 1.1.0 release, as that is slated for sometime around the Sileo launch next week
    [to fix the pspawn/MIG hanging issue] so there's not enough time to create and test the patch, but should be in 1.2.0)
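    Review bot: the "fix is tricky" list (items 1-3) identifies the window of opportunity, the final pspawn payload call before launchd's POSIX_SPAWN_SETEXEC exec, but does not say what that call has to achieve under the constraints items 1 and 2 impose; suggest stating explicitly that whatever the payload does in that window must work with jailbreakd already killed and amfid no longer patched, i.e. it can lean only on what item 2 says still works (trustcache injection), so a reader does not assume the normal injection path can simply be re-run against the new launchd. Smaller points: "all tweaks and substitute are unload" should read "are unloaded"; the symptom paragraph runs two sentences together ("reboot overnight sometimes this reboots"), a full stop or semicolon after "overnight" would help; and the remark that the com.apple.private.xpc.launchd.userspace-reboot entitlement "isn't needed if the process is already a platform binary -- weird" would benefit from one line on how that was tested, since it bears directly on how a fix could trigger or intercept the reboot.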