@coolstar
Last active January 23, 2019 11:26
About iOS's Overnight Reboots

iOS 9.?? -> iOS 11.4 (and possibly also in 12.x) Overnight "Reboot" issue

This document is (C) CoolStar, 2019. All Rights Reserved.

Document Date: 12/19/2018 Updated: 1/23/2019

Many have noticed that on the Pangu 9.3 and Electra 11.x jailbreaks, devices often reboot overnight. Sometimes this shows up as a WDT (watchdog timer) timeout; sometimes the device comes back up without the kernel actually having rebooted, but with all tweaks and Substitute unloaded (on 9.3) or the entire system back in a jailed state (on 11.x).

How to debug the issue:

  1. Turn on iCloud backup
  2. Enable debug logging in Electra's pspawn payload
  3. Let the device charge overnight for several days, until it reboots overnight
  4. Check the iOS crash logs and Electra's logs

Note the following in the pspawn payload's logs:

  Sun Nov 25 02:20:18 2018 We got called (fake_posix_spawn)! /sbin/launchd
  Sun Nov 25 02:20:18 2018 Nothing to inject

Also note a "SystemMemoryReset" report among iOS's crash reports.

After some reversing of launchd and analysis of its program flow, the sequence is:

  1. launchd (PID 1) is running normally
  2. launchd calls posix_spawn on its own binary with the POSIX_SPAWN_SETEXEC attribute set
  3. because SETEXEC makes posix_spawn behave like exec, the current launchd process image is replaced by a new instance of launchd (no new process is created)

From the launchctl man page, there is a subcommand "launchctl reboot userspace" which causes launchd to terminate all running daemons and then exec itself, i.e. perform a "userspace reboot".

When running "launchctl reboot userspace" as root on Electra, sure enough an identical sequence of log lines shows up from the pspawn payload (except that no SystemMemoryReset report is generated).
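As an added example (not CoolStar's or Electra's code), the following Python script automates step 4 of the debugging procedure above and the distinction just noted for "launchctl reboot userspace": it pulls launchd self-spawn events out of pspawn payload logs in the format quoted above and correlates them with crash-report text. The sample log lines and report names embedded in it are constructed; the "overnight" hour range, the crash-report file names and the "WDT timeout" string are assumptions used for illustration.

```python
"""Triage an overnight iOS "reboot" from jailbreak logs.

Added example, not CoolStar's or Electra's code. It correlates the
pspawn-payload log lines quoted in the gist with iOS crash-report text to
decide whether an event was a launchd userspace reboot (and whether a
SystemMemoryReset report accompanied it), a kernel watchdog (WDT) reset,
or something else. All sample log lines and report snippets below are
constructed for illustration, modelled on the gist's quoted lines.
"""
import re
from datetime import datetime

# Shape of the pspawn payload's log lines as quoted in the gist, e.g.
#   Sun Nov 25 02:20:18 2018 We got called (fake_posix_spawn)! /sbin/launchd
SPAWN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"We got called \(fake_posix_spawn\)! (?P<path>\S+)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
LAUNCHD = "/sbin/launchd"


def launchd_self_spawns(pspawn_log):
    """Timestamps at which the payload saw launchd posix_spawn /sbin/launchd.

    launchd spawning its own binary is the trace of the POSIX_SPAWN_SETEXEC
    self-exec that implements a userspace reboot. It is also the last time
    the payload runs inside the old launchd, i.e. the patch window the gist
    describes.
    """
    hits = []
    for line in pspawn_log.splitlines():
        m = SPAWN_RE.match(line.strip())
        if m and m.group("path") == LAUNCHD:
            hits.append(datetime.strptime(m.group("ts"), TS_FMT))
    return hits


def classify(pspawn_log, crash_reports):
    """Decide what kind of "reboot" the device went through.

    crash_reports: iterable of strings (report file names or report text).
    A launchd self-spawn takes priority; without one, a "WDT timeout" in the
    crash reports indicates the kernel itself was reset by the watchdog.
    """
    blob = "\n".join(crash_reports).lower()
    has_memreset = "systemmemoryreset" in blob
    has_wdt = "wdt timeout" in blob  # assumption: panic text contains this
    spawns = launchd_self_spawns(pspawn_log)

    if spawns:
        last = spawns[-1]
        # With a SystemMemoryReset report it is the mmaintenanced-triggered
        # path; without one it looks like a manual "launchctl reboot userspace".
        kind = ("userspace_reboot_memory_maintenance" if has_memreset
                else "userspace_reboot_no_memreset")
        return {
            "kind": kind,
            "when": last.isoformat(sep=" "),
            # Heuristic (assumption): 00:00-05:59 local time counts as overnight.
            "overnight": 0 <= last.hour < 6,
            "kernel_rebooted": False,
        }
    if has_wdt:
        return {"kind": "kernel_wdt_reset", "when": None,
                "overnight": None, "kernel_rebooted": True}
    return {"kind": "unknown", "when": None,
            "overnight": None, "kernel_rebooted": None}


# Constructed sample input (not real device data), modelled on the gist.
SAMPLE_PSPAWN_LOG = """\
Sat Nov 24 23:58:02 2018 We got called (fake_posix_spawn)! /usr/libexec/mmaintenanced
Sun Nov 25 02:20:18 2018 We got called (fake_posix_spawn)! /sbin/launchd
Sun Nov 25 02:20:18 2018 Nothing to inject
"""
# Assumed report file names / text, for illustration only.
SAMPLE_REPORTS_MEMRESET = ["SystemMemoryReset-2018-11-25-022018.ips"]
SAMPLE_REPORTS_WDT = ["panic-full-2018-11-26-031500.ips: WDT timeout"]

if __name__ == "__main__":
    print(classify(SAMPLE_PSPAWN_LOG, SAMPLE_REPORTS_MEMRESET))
    print(classify(SAMPLE_PSPAWN_LOG, []))   # what a manual launchctl reboot looks like
    print(classify("", SAMPLE_REPORTS_WDT))
```

Point it at the concatenated pspawn payload log and the list of file names under the device's crash-report directory; only a self-spawn of /sbin/launchd counts, so ordinary daemon spawns logged by the payload are ignored.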

So, what causes this?

Initial Findings:

  1. The strings "Failed to write SystemMemoryReset report" and "Failed to write SystemMemoryReset report for KHWM reboot" indicate that /usr/libexec/mmaintenanced is the culprit
  2. It appears mmaintenanced unregisters an XPC activity named "com.apple.memory-maintenance.userspace_reboot"
  3. mmaintenanced holds the entitlement com.apple.private.xpc.launchd.userspace-reboot (though this is not needed if the process is already a platform binary, which is odd)

Note that the fix for this is tricky for a number of reasons:

  1. jailbreakd has already been killed, since launchd stopped all daemons, so it is not available to inject into the new launchd
  2. amfid has also been killed by launchd, so it is no longer patched to allow non-stock binaries (though trustcache injection still works)
  3. launchd execs itself, so the pspawn payload is no longer present in the new launchd; however, the payload does get called one final time before the exec, which gives a window of opportunity

(The fix missed the Electra 1.1.0 release, which was slated for around the Sileo launch [to fix the pspawn/MIG hanging issue], so there was not enough time to create and test the patch; it should be in 1.2.0.)
