Dopamine is not supported

[huyongnd]

Describe the bug 砸壳过程正常，但是生成的 ipa 仍然处于加密状态

To Reproduce Steps to reproduce the behavior:使用bagcak 金铲铲之战命令进行砸壳，期间一切正常

Screenshots

Desktop (please complete the following information):

• OS: MacOS 13.4
• nodejs: v19.7.0
• frida-node: [e.g. v12.9.6]
• frida on device version: 16.0.19
• iOS and jailbreak version: 15.0.1
• The app you are trying to work on [e.g. com.example.app]: 金铲铲之战（com.tencent.jkchess）

Additional context Add any other context about the problem here.

[huyongnd]

再来补充下，又刷了一遍你公众号文章，把 node 切成了 lts 版本重新又来了一遍还是这样，手机是 iPhone 13 mini

[ChiChou]

npm i -g bagbak@latest 升级最新（当前 3.0.8）试试，如果还不行烦请带 DEBUG 参数然后把日志发上来

DEBUG=1 bagbak 金铲铲之战 --raw -f

[huyongnd]

感谢回复。升级了最新 3.0.9，现在不管是带不带 DEBUG现在都报错，报错内容相同：

chmod: changing permissions of '/private/var/containers/Bundle/Application/BF34B336-8101-4876-A9B4-B4832B1ECA5E/WeChat.app/WeChat': Operation not permitted
file:///opt/homebrew/lib/node_modules/bagbak/index.js:82
            reject(new Error(`remote command "${cmd}" exited with code ${code}`));
                   ^

Error: remote command "chmod +xX '/private/var/containers/Bundle/Application/BF34B336-8101-4876-A9B4-B4832B1ECA5E/WeChat.app/WeChat'" exited with code 1
    at Channel.<anonymous> (file:///opt/homebrew/lib/node_modules/bagbak/index.js:82:20)
    at Channel.emit (node:events:524:35)
    at doClose (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/utils.js:101:21)
    at onCHANNEL_CLOSE (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/utils.js:108:7)
    at CHANNEL_CLOSE (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/client.js:705:11)
    at 97 (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/handlers.misc.js:999:16)
    at Protocol.onPayload (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/Protocol.js:2052:10)
    at ChaChaPolyDecipherBinding.decrypt (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/crypto.js:851:26)
    at Protocol.parsePacket [as _parse] (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/Protocol.js:2021:25)
    at Protocol.parse (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/Protocol.js:306:16)

Node.js v19.7.0

Dopamine越狱需要修改默认的 ssh 密码，所以密码改过。已上传 Mac 公钥，使用 ssh 命令可以正常连接到手机

[ChiChou]

这是为了解决 #105 加入的处理。

根据这个帖子（网页快照）的说法，Dopamine 下运行 chmod 修改应用权限会失败。

可以编辑 /opt/homebrew/lib/node_modules/bagbak/index.js 暂时先把 134 行注释掉。

await this.#executableWorkaround(mainExecutable);

关于 ssh，这个工具的 ssh 协议不依赖系统命令，直接在 js 里实现的。能走到这一行代码说明已经连上去了

[huyongnd]

没想到这么快收到回复，注释后报错：

main executable => /private/var/containers/Bundle/Application/BF34B336-8101-4876-A9B4-B4832B1ECA5E/WeChat.app/WeChat
pid => 3951
node:internal/process/promises:289
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[Error: Unable to find process with pid 3951]

Node.js v19.7.0

[ChiChou]

放弃吧，证明这个版本上的 frida 不完全支持 spawn

[ChiChou]

iOS 14 Unc0ver 和 16 checkm8 都没有问题

[huyongnd]

好的 谢谢啦~

[asdfzxcvbn]

i can reproduce this issue on macos mojave. iphone 7 with rootful palera1n on ios 14.8:

this issue does not exist on any version before v3.

[ChiChou]

@asdfzxcvbn it’s a bug on 3.0.x-3.0.7, please check if it still reproduces on 3.0.9

[asdfzxcvbn]

@asdfzxcvbn it’s a bug on 3.0.x-3.0.7, please check if it still reproduces on 3.0.9

my screenshot shows the bug happening on v3.0.9.

[ChiChou]

@asdfzxcvbn do you have debug logs?

[asdfzxcvbn]

@asdfzxcvbn do you have debug logs?

yeah, here: https://f.zxcvbn.fyi/bagbak-debug.txt

[ChiChou]

@asdfzxcvbn do you have debug logs?

yeah, here: https://f.zxcvbn.fyi/bagbak-debug.txt

Thanks. I am on my phone now, will get back to you later

[ChiChou]

@asdfzxcvbn it should be fixed in v3.0.11 https://github.com/ChiChou/bagbak/commit/d7121f04ae00243d66ed3cad0e26b49eea01276e#diff-8ca1d3a7e38fa539bf8a44bd7806039caab17e6e0861bf11a1340f325cf48103L109

[asdfzxcvbn]

@asdfzxcvbn it should be fixed in v3.0.11 d7121f0#diff-8ca1d3a7e38fa539bf8a44bd7806039caab17e6e0861bf11a1340f325cf48103L109

otool reports back that it's decrypted like it should be, but the apps themselves crash on launch

[ChiChou]

@asdfzxcvbn it should be fixed in v3.0.11 d7121f0#diff-8ca1d3a7e38fa539bf8a44bd7806039caab17e6e0861bf11a1340f325cf48103L109

otool reports back that it's decrypted like it should be, but the apps themselves crash on launch

Some times app have self protection against running when repacked. Please add get-task-allow to the app and debug what caused the termination, or at least give me some idevicecrashreport logs.

[Geczy]

➜  ipastuff git:(main) ideviceinstaller -i ./decrypted/com.sanfordguide.amt-6.3.1.ipa 
WARNING: could not locate iTunesMetadata.plist in archive!
Copying './decrypted/com.sanfordguide.amt-6.3.1.ipa' to device... AFC Write error: 30
Error: wrote only 0 of 1048576

here's one thing i could find from logs. maybe this plist missing is the cause?

[asdfzxcvbn]

➜  ipastuff git:(main) ideviceinstaller -i ./decrypted/com.sanfordguide.amt-6.3.1.ipa 
WARNING: could not locate iTunesMetadata.plist in archive!
Copying './decrypted/com.sanfordguide.amt-6.3.1.ipa' to device... AFC Write error: 30
Error: wrote only 0 of 1048576

here's one thing i could find from logs. maybe this plist missing is the cause?

no, a lot of apps dont have iTunesMetadata.plist.

[Geczy]

oh okay, well the AFC write error looks related then. the metadata plist is just a warning

[asdfzxcvbn]

@asdfzxcvbn it should be fixed in v3.0.11 d7121f0#diff-8ca1d3a7e38fa539bf8a44bd7806039caab17e6e0861bf11a1340f325cf48103L109

otool reports back that it's decrypted like it should be, but the apps themselves crash on launch

Some times app have self protection against running when repacked. Please add get-task-allow to the app and debug what caused the termination, or at least give me some idevicecrashreport logs.

spotify doesnt have sideload detection, and the dumped app works on bagbak v2.6.6. here's the crash log though: https://f.zxcvbn.fyi/Spotify-2023-06-17-140206.ips.txt

[Geczy]

here's another error, i guess its a better one

➜  ipastuff git:(main) ✗ bash ./download-ipa.sh https://apps.apple.com/in/app/sanford-guide/id863196620
⬇️ Installing com.sanfordguide.amt to the phone...
ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008001: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.6AswP9/extracted/Payload/sanfordguideiapamt.app : 0xe8008001 (An unknown error has occurred.)
❌ Failed to install com.sanfordguide.amt. Exiting.

[asdfzxcvbn]

here's another error, i guess its a better one

➜  ipastuff git:(main) ✗ bash ./download-ipa.sh https://apps.apple.com/in/app/sanford-guide/id863196620
⬇️ Installing com.sanfordguide.amt to the phone...
ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008001: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.6AswP9/extracted/Payload/sanfordguideiapamt.app : 0xe8008001 (An unknown error has occurred.)
❌ Failed to install com.sanfordguide.amt. Exiting.

i dont think that has anything to do with bagbak. you need to codesign your app before installing it.

[Geczy]

oh yeah 😂 i forgot

[ChiChou]

@asdfzxcvbn Confirmed. v3.0.0-3.0.13 have a critical bug

https://github.com/ChiChou/bagbak/commit/1f4aba1962bb80d8499c09af553985c3b4833701#diff-3782ce3815652539832b31d11e68943cc074f23a3cd8527ac9159be5008afaea

[asdfzxcvbn]

@asdfzxcvbn Confirmed. v3.0.0-3.0.13 have a critical bug

1f4aba1#diff-3782ce3815652539832b31d11e68943cc074f23a3cd8527ac9159be5008afaea

finally working as intended! THANK YOU !!

[Geczy]

➜  ipastuff git:(main) ideviceinstaller -i ./decrypted/com.sanfordguide.amt-6.3.1.ipa 
WARNING: could not locate iTunesMetadata.plist in archive!
Copying './decrypted/com.sanfordguide.amt-6.3.1.ipa' to device... AFC Write error: 30
Error: wrote only 0 of 1048576

here's one thing i could find from logs. maybe this plist missing is the cause?

is this the log that helped figure out the problem?

[ChiChou]

➜  ipastuff git:(main) ideviceinstaller -i ./decrypted/com.sanfordguide.amt-6.3.1.ipa 
WARNING: could not locate iTunesMetadata.plist in archive!
Copying './decrypted/com.sanfordguide.amt-6.3.1.ipa' to device... AFC Write error: 30
Error: wrote only 0 of 1048576

here's one thing i could find from logs. maybe this plist missing is the cause?

is this the log that helped figure out the problem?

It shouldn’t have anything to do with afc

[ChiChou]

He mentioned that v2.6.6 works so I just binary diff-ed two artifacts

[ChiChou]

@huyongnd 3.2.0 更改了 spawn 的实现，但手上没有设备，我无法确认是否可以支持 Dopamine

[CodeTips]

系统版本 15.4.1 Dopamine 越狱 报错 node:internal/process/promises:289 triggerUncaughtException(err, true / fromPromise /); ^

[Error: Process with pid 91283 either refused to load frida-agent, or terminated during injection]

[ChiChou]

系统版本 15.4.1 Dopamine 越狱 报错 node:internal/process/promises:289 triggerUncaughtException(err, true / fromPromise /); ^

[Error: Process with pid 91283 either refused to load frida-agent, or terminated during injection]

@CodeTips

frida 附加进程的时候崩了，这个得看 Console.app 或者 idevicesyslog 才能知道是谁

[CodeTips]

之前也是砸壳过程正常，生成的 ipa 仍然处于加密状态 升级到最新版就开始报错

[ChiChou]

之前也是砸壳过程正常，生成的 ipa 仍然处于加密状态 升级到最新版就开始报错

找 ReportCrash 进程的日志，而且 idevicecrashreport 工具（或者 Xcode）可以导出完整的 ips 报告

[CodeTips]

<redacted>

运行完就生成了这个ips

[ChiChou]

<redacted> 运行完就生成了这个ips

感谢 @CodeTips。我推送了另一个分支 https://github.com/ChiChou/bagbak/tree/dopamine

git clone https://github.com/ChiChou/bagbak.git
pushd bagbak
git checkout dopamine
npm i
./bin/bagbak.js --raw com.google.chrome.ios

试试看呢

[CodeTips]

info] pulling app bundle from device, please be patient [info] downloaded 3257 files and 2626 folders [info] app bundle downloaded Failed to attach to pid 11047, skipping... Warning: Unable to dump Chrome Frameworks/ChromeInternal.framework/ChromeInternal Frameworks/ChromeSSOInternal.framework/ChromeSSOInternal Failed to attach to pid 11048, skipping... Warning: Unable to dump PlugIns/content_widget_extension.appex/content_widget_extension Failed to attach to pid 11049, skipping... Warning: Unable to dump PlugIns/credential_provider_extension.appex/credential_provider_extension Failed to attach to pid 11050, skipping... Warning: Unable to dump PlugIns/intents_extension.appex/intents_extension Failed to attach to pid 11051, skipping... Warning: Unable to dump PlugIns/open_extension.appex/open_extension Failed to attach to pid 11052, skipping... Warning: Unable to dump PlugIns/search_widget_extension.appex/search_widget_extension Failed to attach to pid 11053, skipping... Warning: Unable to dump PlugIns/share_extension.appex/share_extension Failed to attach to pid 11054, skipping... Warning: Unable to dump PlugIns/widget_kit_extension.appex/widget_kit_extension file:///Users/x/Documents/Github/bagbak/index.js:233 await this.#device.kill(SpringBoard); ^

ReferenceError: SpringBoard is not defined at BagBak.dump (file:///Users/x/Documents/Github/bagbak/index.js:233:29) at async main (file:///Users/x/Documents/Github/bagbak/bin/bagbak.js:143:7)

Node.js v21.5.0 这次就只有Chrome相关的ips

[ChiChou]

info] pulling app bundle from device, please be patient [info] downloaded 3257 files and 2626 folders [info] app bundle downloaded Failed to attach to pid 11047, skipping... Warning: Unable to dump Chrome Frameworks/ChromeInternal.framework/ChromeInternal Frameworks/ChromeSSOInternal.framework/ChromeSSOInternal Failed to attach to pid 11048, skipping... Warning: Unable to dump PlugIns/content_widget_extension.appex/content_widget_extension Failed to attach to pid 11049, skipping... Warning: Unable to dump PlugIns/credential_provider_extension.appex/credential_provider_extension Failed to attach to pid 11050, skipping... Warning: Unable to dump PlugIns/intents_extension.appex/intents_extension Failed to attach to pid 11051, skipping... Warning: Unable to dump PlugIns/open_extension.appex/open_extension Failed to attach to pid 11052, skipping... Warning: Unable to dump PlugIns/search_widget_extension.appex/search_widget_extension Failed to attach to pid 11053, skipping... Warning: Unable to dump PlugIns/share_extension.appex/share_extension Failed to attach to pid 11054, skipping... Warning: Unable to dump PlugIns/widget_kit_extension.appex/widget_kit_extension file:///Users/x/Documents/Github/bagbak/index.js:233 await this.#device.kill(SpringBoard); ^

ReferenceError: SpringBoard is not defined at BagBak.dump (file:///Users/x/Documents/Github/bagbak/index.js:233:29) at async main (file:///Users/x/Documents/Github/bagbak/bin/bagbak.js:143:7)

Node.js v21.5.0 这次就只有Chrome相关的ips

@CodeTips 说明从 launchd posix_spawn 也不行，只能走 _launch_job_routine，是个参数很复杂的私有函数。我还是想看看 ips 提示什么。另外 Console.app 里面有没有 kernel 进程类似这样的日志？

hook..execve() killing [pid= 11047, uid=0]: only launchd is allowed to spawn untrusted binaries

[CodeTips]

hook..execve()相关的就只有这个日志 <redacted> 上面是生成的ips,每个extension 都有, 我看内容基本一样

[miticollo]

I think that this issue could be closed because Dopamine 2.0.9 solves the long standing issue about Frida spawn.

[ChiChou]

I think that this issue could be closed because Dopamine 2.0.9 solves the long standing issue about Frida spawn.

@huyongnd 听说新版 Dopamine 有修复这个问题

[miticollo]

@ChiChou I think I wrote too early!

Describe the bug

1. The app is not decrypted.
2. After decryption the app on jailbroken device can't launch anymore. Because (from Console.app) SpringBoard claims:

   [com.spotify.client - signature state: Unknown, reason: Error - 49165: reason: An unexpected error was encountered (0xC00D)

To Reproduce

$ export SSH_USERNAME='mobile'                 
$ export SSH_PASSWORD='alpine'
$ export SSH_PORT=22          
$ export DEBUG_SCP=1
$ npx -- bagbak -U -d 'com.spotify.client'

Full output

Video https://we.tl/t-02SuRiT4FL

Desktop:

• OS: macOS 13.6.4 (22G513)
• nodejs: v21.6.2
• frida on device version: 16.2.1
• iOS and jailbreak version: 15.6 (19G69) and Dopamine 2.0.9
• The app you are trying to work on com.spotify.client, AppStore link
• bagbak version: 3.2.2 (commit 9ddf8b9 from origin/main)

[ChiChou]

@miticollo I am implementing another workaround totaly ignoring posix_spawn right now