I have been trying to investigate some of the kernel crashes I have noticed in my iOS crash logs. Some of these are in device driver software for the peripheral interfaces.
Given that the driver code executes with kernel privileges, these kinds of crashes leave the device vulnerable to remote code injection, with no user interaction required in some cases.
------------------------------------- Translated Report (Full Report Below) -------------------------------------

Incident Identifier: 76EC8391-9A48-44D9-8FFB-AF1CE5553209
CrashReporter Key:   9aa09fbaf03597169a066ac3afb13bb7f0f7e4d5
Hardware Model:      iPhone17,1
Process:             bluetoothd [96]
Path:                /usr/sbin/bluetoothd
Identifier:          bluetoothd
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.apple.bluetoothd [131]

Date/Time:           2025-01-17 08:09:58.6074 -0500
Launch Time:         2025-01-11 19:56:26.6427 -0500
OS Version:          iPhone OS 18.2.1 (22C161)
Release Type:        User
Baseband Version:    1.21.05
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_INVALID_ADDRESS at 0x003d800000182159 -> 0x0000000000182159 (possible pointer authentication failure)
Exception Codes: 0x0000000000000001, 0x003d800000182159
VM Region Info: 0x182159 is not in any region.  Bytes before following region: 4366065319
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->
      __TEXT                   104550000-104ee4000 [ 9808K] r-x/r-x SM=COW  /usr/sbin/bluetoothd
Termination Reason: PAC_EXCEPTION 1
Triggered by Thread:  9

Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0:
0   libsystem_kernel.dylib    0x1eb406788 mach_msg2_trap + 8
1   libsystem_kernel.dylib    0x1eb409e98 mach_msg2_internal + 80
2   libsystem_kernel.dylib    0x1eb409db0 mach_msg_overwrite + 424
3   libsystem_kernel.dylib    0x1eb409bfc mach_msg + 24
4   CoreFoundation            0x199e1e7f4 __CFRunLoopServiceMachPort + 160
5   CoreFoundation            0x199e1dea0 __CFRunLoopRun + 1212
6   CoreFoundation            0x199e70274 CFRunLoopRunSpecific + 588
7   CoreFoundation            0x199e83814 CFRunLoopRun + 64
8   bluetoothd                0x1045d12b0 0x104550000 + 529072
9   dyld                      0x1c0044de8 start + 2724

Thread 1 name:   StackLoop
Thread 1:
0   libsystem_kernel.dylib    0x1eb40c090 __psynch_cvwait + 8
1   libsystem_pthread.dylib   0x224a17fc4 _pthread_cond_wait + 1248
2   bluetoothd                0x10455b43c 0x104550000 + 46140
3   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
4   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 2 name:   hci_rx
Thread 2:
0   libsystem_kernel.dylib    0x1eb40d4cc kevent + 8
1   bluetoothd                0x10457322c 0x104550000 + 143916
2   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 3 name:   acl_rx
Thread 3:
0   libsystem_kernel.dylib    0x1eb40d4cc kevent + 8
1   bluetoothd                0x10457322c 0x104550000 + 143916
2   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 4 name:   sco_rx
Thread 4:
0   libsystem_kernel.dylib    0x1eb40d4cc kevent + 8
1   bluetoothd                0x104573100 0x104550000 + 143616
2   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 5 name:   TxLoop
Thread 5:
0   libsystem_kernel.dylib    0x1eb40c090 __psynch_cvwait + 8
1   libsystem_pthread.dylib   0x224a17f98 _pthread_cond_wait + 1204
2   bluetoothd                0x1046535f8 0x104550000 + 1062392
3   bluetoothd                0x104745874 0x104550000 + 2054260
4   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
5   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 6 name:   AudioSkywalkPipeReadLoop
Thread 6:
0   libsystem_kernel.dylib    0x1eb40d4cc kevent + 8
1   bluetoothd                0x104a59f3c 0x104550000 + 5283644
2   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
3   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 7:
0   libsystem_pthread.dylib   0x224a1546c start_wqthread + 0

Thread 8 name:   Dispatch queue: com.apple.bluetooth.root
Thread 8:
0   bluetoothd                0x10479d230 0x104550000 + 2413104
1   bluetoothd                0x104a4a148 0x104550000 + 5218632
2   bluetoothd                0x104a3974c 0x104550000 + 5150540
3   bluetoothd                0x104a31cb0 0x104550000 + 5119152
4   bluetoothd                0x104a31a14 0x104550000 + 5118484
5   bluetoothd                0x104a09ab0 0x104550000 + 4954800
6   libdispatch.dylib         0x1a1b5a248 _dispatch_call_block_and_release + 32
7   libdispatch.dylib         0x1a1b5bfa8 _dispatch_client_callout + 20
8   libdispatch.dylib         0x1a1b635cc _dispatch_lane_serial_drain + 768
9   libdispatch.dylib         0x1a1b64158 _dispatch_lane_invoke + 432
10  libdispatch.dylib         0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
11  libdispatch.dylib         0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
12  libsystem_pthread.dylib   0x224a17680 _pthread_wqthread + 288
13  libsystem_pthread.dylib   0x224a15474 start_wqthread + 8

Thread 9 name:   Dispatch queue: com.apple.bluetooth.coreBluetooth
Thread 9 Crashed:
0   bluetoothd                0x104581618 0x104550000 + 202264
1   bluetoothd                0x1045815ac 0x104550000 + 202156
2   bluetoothd                0x104a4d470 0x104550000 + 5231728
3   bluetoothd                0x104bdb670 0x104550000 + 6862448
4   bluetoothd                0x104bdc038 0x104550000 + 6864952
5   bluetoothd                0x104bdfbc4 0x104550000 + 6880196
6   bluetoothd                0x104bf21b4 0x104550000 + 6955444
7   libdispatch.dylib         0x1a1b5a248 _dispatch_call_block_and_release + 32
8   libdispatch.dylib         0x1a1b5bfa8 _dispatch_client_callout + 20
9   libdispatch.dylib         0x1a1b635cc _dispatch_lane_serial_drain + 768
10  libdispatch.dylib         0x1a1b64158 _dispatch_lane_invoke + 432
11  libdispatch.dylib         0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
12  libdispatch.dylib         0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
13  libsystem_pthread.dylib   0x224a17680 _pthread_wqthread + 288
14  libsystem_pthread.dylib   0x224a15474 start_wqthread + 8

Thread 10 name:  Dispatch queue: com.apple.locationd-76
Thread 10:
0   libsystem_kernel.dylib    0x1eb4064e4 kevent_id + 8
1   libdispatch.dylib         0x1a1b7eb40 _dispatch_kq_poll + 228
2   libdispatch.dylib         0x1a1b7f54c _dispatch_event_loop_wait_for_ownership + 436
3   libdispatch.dylib         0x1a1b6bacc __DISPATCH_WAIT_FOR_QUEUE__ + 340
4   libdispatch.dylib         0x1a1b6b694 _dispatch_sync_f_slow + 148
5   bluetoothd                0x104569840 0x104550000 + 104512
6   bluetoothd                0x104ae2570 0x104550000 + 5842288
7   bluetoothd                0x1045663d8 0x104550000 + 91096
8   bluetoothd                0x104566078 0x104550000 + 90232
9   libxpc.dylib              0x224a70b10 _xpc_connection_call_event_handler + 144
10  libxpc.dylib              0x224a7268c _xpc_connection_mach_event + 1140
11  libdispatch.dylib         0x1a1b5c068 _dispatch_client_callout4 + 20
12  libdispatch.dylib         0x1a1b78424 _dispatch_mach_msg_invoke + 464
13  libdispatch.dylib         0x1a1b6342c _dispatch_lane_serial_drain + 352
14  libdispatch.dylib         0x1a1b79178 _dispatch_mach_invoke + 456
15  libdispatch.dylib         0x1a1b6342c _dispatch_lane_serial_drain + 352
16  libdispatch.dylib         0x1a1b64158 _dispatch_lane_invoke + 432
17  libdispatch.dylib         0x1a1b655c0 _dispatch_workloop_invoke + 1744
18  libdispatch.dylib         0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
19  libdispatch.dylib         0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
20  libsystem_pthread.dylib   0x224a17680 _pthread_wqthread + 288
21  libsystem_pthread.dylib   0x224a15474 start_wqthread + 8

Thread 11:
0   libsystem_pthread.dylib   0x224a1546c start_wqthread + 0

Thread 12 name:  AudioSession - RootQueue
Thread 12:
0   libsystem_kernel.dylib    0x1eb40671c semaphore_timedwait_trap + 8
1   libdispatch.dylib         0x1a1b5c5c0 _dispatch_sema4_timedwait + 64
2   libdispatch.dylib         0x1a1b5cbc0 _dispatch_semaphore_wait_slow + 76
3   libdispatch.dylib         0x1a1b6dc94 _dispatch_worker_thread + 324
4   libsystem_pthread.dylib   0x224a157d0 _pthread_start + 136
5   libsystem_pthread.dylib   0x224a15480 thread_start + 8

Thread 13 name:  Dispatch queue: com.apple.bluetooth.ClassicScan
Thread 13:
0   libsystem_kernel.dylib    0x1eb40c2b0 __semwait_signal + 8
1   libsystem_c.dylib         0x1a1bb65cc nanosleep + 220
2   libsystem_c.dylib         0x1a1bb64e4 usleep + 68
3   bluetoothd                0x104a3fc44 0x104550000 + 5176388
4   bluetoothd                0x104a003f4 0x104550000 + 4916212
5   libdispatch.dylib         0x1a1b5bfa8 _dispatch_client_callout + 20
6   libdispatch.dylib         0x1a1b635cc _dispatch_lane_serial_drain + 768
7   libdispatch.dylib         0x1a1b64158 _dispatch_lane_invoke + 432
8   libdispatch.dylib         0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
9   libdispatch.dylib         0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
10  libsystem_pthread.dylib   0x224a17680 _pthread_wqthread + 288
11  libsystem_pthread.dylib   0x224a15474 start_wqthread + 8

Thread 14 name:  Dispatch queue: CBDaemon
Thread 14:
0   libsystem_kernel.dylib    0x1eb40cb78 __psynch_mutexwait + 8
1   libsystem_pthread.dylib   0x224a188a0 _pthread_mutex_firstfit_lock_wait + 84
2   libsystem_pthread.dylib   0x224a18250 _pthread_mutex_firstfit_lock_slow + 220
3   bluetoothd                0x10458af74 0x104550000 + 241524
4   bluetoothd                0x10458af48 0x104550000 + 241480
5   bluetoothd                0x10458aef0 0x104550000 + 241392
6   bluetoothd                0x10459038c 0x104550000 + 263052
7   bluetoothd                0x1045af878 0x104550000 + 391288
8   bluetoothd                0x1045af29c 0x104550000 + 389788
9   libdispatch.dylib         0x1a1b5a248 _dispatch_call_block_and_release + 32
10  libdispatch.dylib         0x1a1b5bfa8 _dispatch_client_callout + 20
11  libdispatch.dylib         0x1a1b635cc _dispatch_lane_serial_drain + 768
12  libdispatch.dylib         0x1a1b64158 _dispatch_lane_invoke + 432
13  libdispatch.dylib         0x1a1b6f38c _dispatch_root_queue_drain_deferred_wlh + 288
14  libdispatch.dylib         0x1a1b6ebd8 _dispatch_workloop_worker_thread + 540
15  libsystem_pthread.dylib   0x224a17680 _pthread_wqthread + 288
16  libsystem_pthread.dylib   0x224a15474 start_wqthread + 8

Thread 9 crashed with ARM Thread State (64-bit):
    x0: 0x00000001053b0cd8   x1: 0x003d800000182142   x2: 0x000000016b935c90   x3: 0x0000000000000000
    x4: 0x0000000a10c7aaa4   x5: 0x0000000a1019c4f4   x6: 0x0000000000000044   x7: 0x00618000006bb171
    x8: 0x0000000000000080   x9: 0x00000000ffffff80  x10: 0x0000000a1019c4e0  x11: 0x0000000000000024
   x12: 0x0000000000000000  x13: 0x0000000000000000  x14: 0x0000000000000000  x15: 0x0000000000000000
   x16: 0x665f800224969650  x17: 0x0000000104ee55c8  x18: 0x0000000000000000  x19: 0x000000016b935c90
   x20: 0x0000000a10c5dd60  x21: 0x00000001053b0cd8  x22: 0x00000001053b0cd0  x23: 0x003d800000182122
   x24: 0x00000001053b0cd0  x25: 0x000000016b935c28  x26: 0x0000000000000400  x27: 0x0000000a10cb3058
   x28: 0x0000000a10fb9540   fp: 0x000000016b935b80   lr: 0x627a8001045815ac
    sp: 0x000000016b935b70   pc: 0x0000000104581618 cpsr: 0x20000000
   far: 0x003d800000182159  esr: 0x92000004 (Data Abort) byte read Translation fault

Binary Images:
       0x104550000 -        0x104ee3fff bluetoothd arm64e  <55d75cb2d5c832f581ff9392d1e7ef28> /usr/sbin/bluetoothd
       0x1051d8000 -        0x1051dbfff FastpathLib arm64e  <50caf55faa7637dbaec22557871a3167> /System/Library/Extensions/AppleSPU.kext/PlugIns/FastpathLib.plugin/FastpathLib
       0x10520c000 -        0x105217fff libobjc-trampolines.dylib arm64e  /private/preboot/Cryptexes/OS/usr/lib/libobjc-trampolines.dylib
       0x1eb405000 -        0x1eb43efe3 libsystem_kernel.dylib arm64e  /usr/lib/system/libsystem_kernel.dylib
       0x199da8000 -        0x19a2ebfff CoreFoundation arm64e  <6a60be13e6573beca9acba239ae29862> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
       0x1c0015000 -        0x1c009813f dyld arm64e  <4eb7459fe23738ce82403f3e2e1ce5ab> /usr/lib/dyld
               0x0 - 0xffffffffffffffff ??? unknown-arch <00000000000000000000000000000000> ???
       0x1a1b9e000 -        0x1a1c1dffb libsystem_c.dylib arm64e  <8d425c7257c93e54a1e1e243cbdfc446> /usr/lib/system/libsystem_c.dylib
       0x224a14000 -        0x224a20ff3 libsystem_pthread.dylib arm64e  /usr/lib/system/libsystem_pthread.dylib
       0x1a1b58000 -        0x1a1b9dfff libdispatch.dylib arm64e  <8ce3afb96d8434468fd4e5f798d98403> /usr/lib/system/libdispatch.dylib
       0x224a5f000 -        0x224aa6fff libxpc.dylib arm64e  /usr/lib/system/libxpc.dylib

EOF

----------- Full Report -----------
If Apple can provide the symbol table for the iOS 18.2.1 Bluetooth driver and source code, I can gladly help investigate this further.
Replies: 1 | Boosts: 0 | Views: 136 | Participants: 2
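The report above is a crash of the user-space process /usr/sbin/bluetoothd that the kernel terminated with PAC_EXCEPTION, and the first triage step a practitioner takes on such a report is mechanical: strip the pointer-authentication bits from the faulting address, check which registers point near it, confirm that the signed lr matches frame 1 of the crashed thread, decode the ESR syndrome, and rebase the unsymbolicated bluetoothd frames to image-relative offsets for later symbolication. The script below is an added example written for this page; it is not code from the poster or from Apple. It embeds a constructed excerpt of the report above, assumes a 39-bit user virtual-address range for the PAC mask (and verifies that assumption against the report's own "0x003d800000182159 -> 0x0000000000182159" translation), and decodes the ESR fields (EC, DFSC, WnR) as defined in the Arm architecture reference.

```python
"""Mechanical triage of an Apple arm64e crash report (added example, not the poster's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: 39-bit user virtual addresses; everything above is PAC / tag bits.
VA_MASK = (1 << 39) - 1

# Constructed excerpt of the bluetoothd report in the post above (header, crashed
# thread, a subset of registers, two Binary Images rows) so the script runs offline.
SAMPLE_REPORT = """\
Process:             bluetoothd [96]
OS Version:          iPhone OS 18.2.1 (22C161)
Exception Type:  EXC_BAD_ACCESS (SIGKILL)
Exception Subtype: KERN_INVALID_ADDRESS at 0x003d800000182159 -> 0x0000000000182159 (possible pointer authentication failure)
Termination Reason: PAC_EXCEPTION 1
Triggered by Thread:  9

Thread 9 name:   Dispatch queue: com.apple.bluetooth.coreBluetooth
Thread 9 Crashed:
0   bluetoothd                0x104581618 0x104550000 + 202264
1   bluetoothd                0x1045815ac 0x104550000 + 202156
2   bluetoothd                0x104a4d470 0x104550000 + 5231728
7   libdispatch.dylib         0x1a1b5a248 _dispatch_call_block_and_release + 32

Thread 9 crashed with ARM Thread State (64-bit):
    x0: 0x00000001053b0cd8   x1: 0x003d800000182142   x2: 0x000000016b935c90   x3: 0x0000000000000000
   x23: 0x003d800000182122   lr: 0x627a8001045815ac
    sp: 0x000000016b935b70   pc: 0x0000000104581618 cpsr: 0x20000000
   far: 0x003d800000182159  esr: 0x92000004 (Data Abort) byte read Translation fault

Binary Images:
       0x104550000 -        0x104ee3fff bluetoothd arm64e  <55d75cb2d5c832f581ff9392d1e7ef28> /usr/sbin/bluetoothd
       0x1a1b58000 -        0x1a1b9dfff libdispatch.dylib arm64e  <8ce3afb96d8434468fd4e5f798d98403> /usr/lib/system/libdispatch.dylib
"""

HEX = r"0x([0-9a-fA-F]+)"


@dataclass
class Frame:
    index: int
    image: str
    address: int
    symbol: str  # "sym + N", or "0xLOADADDR + N" when unsymbolicated


def strip_pac(value: int) -> int:
    """Drop the PAC / tag bits above the assumed VA range."""
    return value & VA_MASK


def header_field(report: str, key: str) -> str:
    m = re.search(rf"^{re.escape(key)}:\s*(.+?)\s*$", report, re.M)
    return m.group(1) if m else ""


def report_translation_consistent(report: str) -> bool:
    """Check VA_MASK against the 'at X -> Y' translation the report itself prints."""
    m = re.search(rf"at {HEX} -> {HEX}", header_field(report, "Exception Subtype"))
    return bool(m) and strip_pac(int(m.group(1), 16)) == int(m.group(2), 16)


def crashed_thread(report: str) -> tuple[int, list[Frame]]:
    m = re.search(r"^Thread (\d+) Crashed:\n(.*?)(?:\n\s*\n|\Z)", report, re.M | re.S)
    if not m:
        raise ValueError("no 'Thread N Crashed:' section")
    frames = []
    for line in m.group(2).splitlines():
        fm = re.match(rf"\s*(\d+)\s+(\S+)\s+{HEX}\s+(.+?)\s*$", line)
        if fm:
            frames.append(Frame(int(fm.group(1)), fm.group(2), int(fm.group(3), 16), fm.group(4)))
    return int(m.group(1)), frames


def registers(report: str) -> dict[str, int]:
    m = re.search(r"crashed with ARM Thread State.*?\n(.*?)(?:\n\s*\n|\Z)", report, re.S)
    if not m:
        return {}
    return {n: int(v, 16) for n, v in re.findall(rf"\b(x\d+|fp|lr|sp|pc|far|esr|cpsr): {HEX}", m.group(1))}


def binary_images(report: str) -> dict[str, int]:
    """Image name -> load address from the Binary Images table."""
    out = {}
    for line in report[report.find("Binary Images:"):].splitlines()[1:]:
        im = re.match(rf"\s*{HEX}\s+-\s+{HEX}\s+(\S+)\s+\S+", line)
        if im:
            out[im.group(3)] = int(im.group(1), 16)
    return out


def rebase_frames(frames: list[Frame], images: dict[str, int]) -> list[tuple[str, int]]:
    """(image, offset) for each unsymbolicated frame, cross-checked against the image table."""
    rebased = []
    for f in frames:
        um = re.match(rf"{HEX} \+ (\d+)$", f.symbol)
        if not um:
            continue  # already symbolicated by the report
        load, claimed = int(um.group(1), 16), int(um.group(2))
        if images.get(f.image) != load or f.address - load != claimed:
            raise ValueError(f"frame {f.index}: '+ N' offset disagrees with the image table")
        rebased.append((f.image, f.address - load))
    return rebased


def decode_esr(esr: int) -> dict:
    """EC[31:26] and, for data aborts, DFSC[5:0] and WnR[6] per the Arm architecture reference."""
    ec, iss = esr >> 26, esr & 0x1FFFFFF
    out = {"ec": ec, "class": {0x24: "data abort (lower EL)", 0x25: "data abort (same EL)"}.get(ec, "other")}
    if ec in (0x24, 0x25):
        dfsc = iss & 0x3F
        kinds = {0: "address size fault", 1: "translation fault", 2: "access flag fault", 3: "permission fault"}
        out.update(fault=kinds.get(dfsc >> 2, f"other (0x{dfsc:02x})"), level=dfsc & 3, write=bool(iss & (1 << 6)))
    return out


def pac_triage(report: str) -> dict:
    """Strip PAC bits from far, list registers pointing just below it, and check lr against frame 1."""
    regs = registers(report)
    thread, frames = crashed_thread(report)
    far_stripped = strip_pac(regs["far"])
    near = sorted(n for n, v in regs.items() if n.startswith("x") and 0 <= far_stripped - strip_pac(v) < 64)
    return {
        "thread": thread,
        "termination": header_field(report, "Termination Reason"),
        "far_stripped": far_stripped,
        "tag_bits": regs["far"] ^ far_stripped,
        "near_far": near,
        "lr_matches_frame1": len(frames) > 1 and strip_pac(regs["lr"]) == frames[1].address,
        "esr": decode_esr(regs["esr"]),
    }


if __name__ == "__main__":
    print(pac_triage(SAMPLE_REPORT))
    print(rebase_frames(crashed_thread(SAMPLE_REPORT)[1], binary_images(SAMPLE_REPORT)))
```

On the excerpt this reports that x1 and x23 hold PAC-signed values whose stripped addresses sit 23 and 55 bytes below the stripped far, that lr with its signature bits removed is exactly frame 1 (0x1045815ac), and that the ESR is a read translation fault at level 0, all consistent with what the report prints. The (image, offset) pairs from rebase_frames are what a symbolication tool such as atos needs (atos -o <binary> -l <load address> <address>) once a matching binary or dSYM is available; without Apple's symbols the offsets are the most precise thing that can be attached to a bug report.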