Open esterTion opened 5 years ago
Temporary workaround

After finding out it's a sandbox issue, I messed around with it, and now it correctly dumps the app. Problem: this workaround requires resigning the binary, which loses the original developer group info, so it both generates a new container for app preferences and is also unable to share data within the original app group (e.g. Google shares account info across apps).

Therefore, this dump method might not be good for crack ipa generating, but it is good enough for reverse engineering research.

- Find the app you want to dump, and extract its original entitlements using `ldid -e Binary >app-ent.xml`. Also keep a copy of the original binary if you want to restore it later to avoid losing preferences.
- Add the new entitlements below to the file:

  ```xml
  <key>platform-application</key>
  <true/>
  <key>get-task-allow</key>
  <true/>
  <key>run-unsigned-code</key>
  <true/>
  <key>com.apple.private.skip-library-validation</key>
  <true/>
  <key>com.apple.private.security.no-container</key>
  <true/>
  ```

- Run Clutch on the original, untouched binary, which should fail with `Could not obtain mach port`. (This step is important, or the newly signed binary won't spawn, with the error `AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022`.)
- Resign the binary with `ldid -Sapp-ent.xml Binary`.
- Run `Clutch -b com.bundle.id`; now Clutch can spawn and decrypt the binary.

Still, I think this is an unc0ver issue, not fully patching the kernel (probably won't happen in KPPless).

Example shell script
I think Clutch's way of working has been blocked since iOS 11.1; Clutch may need to be redesigned. Even if it can be made to run by signing it, it cannot decrypt the app and does not work properly. It has nothing to do with unc0ver.
@holyswordma Note step 3: you must first attempt a dump on the original binary, otherwise FairPlay will report an error. I don't know the reason either; probably it's a decryption cache.
This is a kernel restriction problem; the whole point of a jailbreak is to remove restrictions as far as possible.
Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature on the dumped binary after you spawn and decrypt the binary?
It's not about entitlements; the app group is determined by the signing private key, which only the developer has. Once you resign the binary, it can never go back to the original signature. In fact, Clutch only updates the CDHash part, but ldid overwrites the entire signature.
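As an added example, not part of this issue thread and not Clutch's or ldid's own code: a small Python audit that parses an entitlements plist of the shape `ldid -e Binary >app-ent.xml` emits, flags the keys the workaround above adds (each of which relaxes a protection: sandbox container, library validation, task-port access, unsigned code), and diffs it against the backup copy so the changes made before resigning are visible. Both plists, their team identifier and app group are constructed for the example; `plistlib` is the Python standard-library module.

```python
import plistlib

# Constructed sample in the shape `ldid -e` produces; the application-identifier,
# team identifier and app group are made up for this example.
ORIGINAL_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>EXAMPLETEAM.com.example.app</string>
    <key>com.apple.developer.team-identifier</key>
    <string>EXAMPLETEAM</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.example.shared</string>
    </array>
    <key>get-task-allow</key>
    <false/>
</dict>
</plist>
"""

# The same file after the extra keys from the workaround were added (constructed
# by hand to mirror the thread's list; get-task-allow flips from false to true).
MODIFIED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>EXAMPLETEAM.com.example.app</string>
    <key>com.apple.developer.team-identifier</key>
    <string>EXAMPLETEAM</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.example.shared</string>
    </array>
    <key>platform-application</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>com.apple.private.skip-library-validation</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
</dict>
</plist>
"""

# Keys the workaround adds, each with the protection it relaxes.
WEAKENING_KEYS = {
    "platform-application": "binary is treated as an Apple platform binary",
    "get-task-allow": "other processes may obtain the task port (debugging/inspection)",
    "run-unsigned-code": "unsigned code pages are permitted",
    "com.apple.private.skip-library-validation": "library validation is skipped, so any dylib can be loaded",
    "com.apple.private.security.no-container": "process runs without a sandbox container",
}


def parse_entitlements(xml_bytes: bytes) -> dict:
    """Parse an entitlements plist (XML form) into a Python dict."""
    return plistlib.loads(xml_bytes)


def flag_weakening(entitlements: dict) -> dict:
    """Return {key: reason} for every weakening key that is set to true."""
    return {k: reason for k, reason in WEAKENING_KEYS.items() if entitlements.get(k) is True}


def diff_entitlements(original: dict, modified: dict) -> dict:
    """Report keys added, removed and changed between a backup and an edited copy."""
    added = sorted(k for k in modified if k not in original)
    removed = sorted(k for k in original if k not in modified)
    changed = sorted(k for k in original if k in modified and original[k] != modified[k])
    return {"added": added, "removed": removed, "changed": changed}


def audit(original_xml: bytes, modified_xml: bytes) -> dict:
    """Diff the two plists and flag protection-weakening keys in the edited one."""
    orig = parse_entitlements(original_xml)
    mod = parse_entitlements(modified_xml)
    report = diff_entitlements(orig, mod)
    report["weakening"] = flag_weakening(mod)
    # The app-group entry survives in the plist text, but as the thread notes the
    # group is bound to the developer's signing key, so an unchanged entry here does
    # not mean a resigned binary can still open the shared container.
    report["app_groups"] = list(mod.get("com.apple.security.application-groups", []))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(ORIGINAL_ENTITLEMENTS, MODIFIED_ENTITLEMENTS), indent=2))
```

Run it as-is to see the report for the constructed pair; to audit a real pair, read the backup `app-ent.xml` and the edited file as bytes and pass them to `audit`.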
Thanks for Notes
@esterTion I tried your workaround very hard and it unfortunately doesn't work. The related error message is still the mach port. I am on iOS 12.1.2 with unc0ver 3.3.8
Did you dump the original binary first? It needs to be attempted on the original, or decryption will fail.
Sadly I’ve been in jail for months now, so can’t test anything.
I did. Not sure what went wrong.
You can connect your phone to a PC and use `idevicesyslog` from libimobiledevice to grab the syslog, and see what the error is.
If you have a Mac you can use the Apple Configurator 2 app.
Thanks for your advice. I will give it a try when I have free time.
@jeffli678 So hi, thanks to Apple bringing back the old exploit, now I'm free on 12.4. And I've tested again; it is clearly working for me.
So I'm not sure which part you did wrong.
If you are grabbing that script as-is, then there are some missing pieces before you can use it, e.g. `$id` is not defined; also `/User/Documents/App-link/App/$id` is a link directory to the actual app container.
Ironically, I also tried the latest jailbreak on another phone running 12.4. The jailbreak was successful, but I cannot get Cydia to work, it says no Internet connection.
That said, I somehow believe I previously followed your steps closely. I will try again and post logs later.
Disclosure: I am relatively new to iOS reverse engineering.
> I cannot get Cydia to work, it says no Internet connection.
Delete `/var/preferences/com.apple.networkextension.plist`, reboot.
I spent some time yesterday trying to get Clutch working on an iPhone 7 (iOS 12.4) jailbroken with Chimera and did not succeed. No idea if they are compatible, but I was able to use frida-ios-dump as an alternative.
You can get around some of these app issues with unc0ver or 12.* Clutch use in general. Couple of other devs found some ways with 12.1-12.4 before. Check out https://github.com/Alderon86/hydraDump
It can likely be done without as many external requirements, but it worked for me when I was unable to dump anything on 12.* unc0ver stuff.
> Check out https://github.com/Alderon86/hydraDump

See inside and you will find out it's exactly my code from here 🤔
Well no s***, they seemed so proud of what they did when they showed me 😂 I'll have to call em out for proper accreditation.
Previously reported in #228, opening a new issue for some info gathered.
Same binary built from a6f6aee, signed using `ldid -Sclutch-ent.xml -K/usr/share/jailbreak/signcert.p12 Clutch-2.0.4-Debug`, where clutch-ent.xml is Clutch.entitlements and signcert.p12 is from the unc0ver [Signing Certificate] package.
iOS 9.3.2 iPhone SE (working)

```
root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525
Preparing to dump
```

iOS 12.1.2 iPhone 8 (not working)

```
root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4
Preparing to dump
```

The problem seems to be at task_for_pid; pwn20wndstuff/Undecimus#728 seems to have addressed this issue with swigger/debugserver-ios.
Update: Clearly I didn't think of reading the syslog before; there's this kernel complaint:
I guess it's officially an unc0ver issue now