iPhone14,8 (14 Plus) + iOS 18.6.2 — Heartbeat Trace Results
Device: iPhone 14 Plus (iPhone14,8, A15) — iOS 18.6.2 (Build 22G100)
Tested 15+ times with 20obb/darksword-Exploit web version + custom print() heartbeat chain:
✅ SBX1_STARTED — sbx1_main.js eval executed successfully
✅ SBX1_SPAWN_READY — function definitions completed
✅ SBX1_PIPELINE_START — main pipeline sbx1sbx1() started
💀 Crash — sbx1sbx1() crashed internally, PIPELINE_RESULT never appeared
❌ PE_INJECTED_OK — pe_main was never injected into mediaplaybackd
❌ 0 POST data packets
Conclusion: The second sandbox escape sbx1sbx1() (GPU→mediaplaybackd, CVE-2025-43510 COW bug) crashes on iPhone14,8. RCE and first sandbox escape (sbx0) pass consistently.
Question: iPhone14,8_22G100 offsets are complete in the code, but sbx1sbx1() fails somewhere internally. Has anyone encountered this or have suggestions?