KJCracks / Clutch

Fast iOS executable dumper

[Temp workaround found]Clutch does not work on iOS 12 with unc0ver #233

Open esterTion opened 5 years ago

esterTion commented 5 years ago

Previously reported in #228; opening a new issue for some info gathered.

Same binary built from a6f6aee, signed using

```
ldid -Sclutch-ent.xml -K/usr/share/jailbreak/signcert.p12 Clutch-2.0.4-Debug
```

where clutch-ent.xml is Clutch.entitlements, and signcert.p12 is from the unc0ver [Signing Certificate] package.

iOS 9.3.2 iPhone SE (working)

```
root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525
Preparing to dump Path: /var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525/Tydlig.app/Tydlig
ClutchPrint.m : 77 | Finding compatible dumper for binary with arch cputype: 16777228
ClutchPrint.m : 77 | Segment cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Found compatible dumper for binary with arch arm64
ClutchPrint.m : 77 | 64bit dumping: arch arm64 offset 0
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 950272 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 1255936 | datasize 26048
ClutchPrint.m : 77 | found all required load commands for arm64
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 61229 /var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525/Tydlig.app/Tydlig
ClutchPrint.m : 77 | 0 1255936 872415232
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
ClutchPrint.m : 77 | Codesign Pages 307
ClutchPrint.m : 77 | Found main binary mach-o image @ 0x100070000! ASLR slide: 0x100070000
ClutchPrint.m : 77 | checksum size 6140
Dumping (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ClutchPrint.m : 77 | Done writing checksum
ClutchPrint.m : 77 | done dumping
ClutchPrint.m : 77 | Sucessfully dumped arm64 segment of
Finished dumping se.aksys.tydlig to /var/tmp/clutch/F7B2109A-D729-4841-945A-05609DC246F5
Finished dumping se.aksys.tydlig in 0.8 seconds
```
iOS 12.1.2 iPhone 8 (not working)

```
root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4
Preparing to dump Path: /var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4/Tydlig.app/Tydlig
ClutchPrint.m : 77 | Finding compatible dumper for binary with arch cputype: 16777228
ClutchPrint.m : 77 | Segment cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Found compatible dumper for binary with arch arm64
ClutchPrint.m : 77 | 64bit dumping: arch arm64 offset 0
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 950272 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 1255936 | datasize 42352
ClutchPrint.m : 77 | found all required load commands for arm64
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 15530 /var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4/Tydlig.app/Tydlig
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!
Error: Failed to dump with arch arm64
2019-03-16 23:54:37.729 Clutch-2.0.4-Debug[15527:211844] failed operation :(
2019-03-16 23:54:37.729 Clutch-2.0.4-Debug[15527:211844] application {name = 'NSOperationQueue 0x107ecc000'}
ClutchPrint.m : 77 | operation hash 4435572032
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump
2019-03-16 23:54:37.730 Clutch-2.0.4-Debug[15527:211844] failed operation :(
2019-03-16 23:54:37.730 Clutch-2.0.4-Debug[15527:211844] application {name = 'NSOperationQueue 0x107ecc000'}
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump se.aksys.tydlig :(
```

The problem seems to be at task_for_pid; pwn20wndstuff/Undecimus#728 seems to have addressed this issue with swigger/debugserver-ios.


Update: Clearly I didn't think of reading syslog before; there's this kernel complaint:

```
Mar 17 14:02:45 esterTion kernel(Sandbox)[0] <Error>: Sandbox: hook..execve() killing <unsigned>[pid=714, uid=0]: only launchd is allowed to spawn untrusted binaries
```

I guess it's officially an unc0ver issue now

esterTion commented 5 years ago

Temporary workaround

After finding it's a sandbox issue, I messed around with it, and now it correctly dumps the app. Problem: this workaround requires resigning the binary, which loses the original developer group info, makes it generate a new container for app preferences, and also makes it unable to share data within the original app group (e.g. Google shares account info across apps).

Therefore, this dump method might not be good for generating cracked IPAs, but it is good enough for reverse engineering research.

  1. Find the app you want to dump and extract its original entitlements using `ldid -e Binary >app-ent.xml`. Also keep a copy of the original binary if you want to restore it later to avoid losing preferences.
  2. Add the new entitlements below to the file:

     ```xml
     <key>platform-application</key>
     <true/>
     <key>get-task-allow</key>
     <true/>
     <key>run-unsigned-code</key>
     <true/>
     <key>com.apple.private.skip-library-validation</key>
     <true/>
     <key>com.apple.private.security.no-container</key>
     <true/>
     ```

  3. Run Clutch on the original, untouched binary, which should fail with `Could not obtain mach port` (this step is important, or the newly signed binary won't spawn, with error `AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022`).
  4. Resign the binary with `ldid -Sapp-ent.xml Binary`.
  5. Run `Clutch -b com.bundle.id`; now Clutch can spawn and decrypt the binary.

Still, I think this is an unc0ver issue, not fully patching the kernel (probably won't happen in KPPless).

Example shell script

```shell
#!/bin/bash
# Usage: clutch-dump <bundle-id>
# Assumes /User/Documents/App-link/App/<bundle-id> links to the app's bundle container.
id="$1"
cd "/User/Documents/App-link/App/$id" || exit 1
app=(*.app)
binary=${app%.app}
echo "Resigning [$binary]"
cd "$app" || exit 1
# keep the untouched binary so it can be restored afterwards
cp -p "$binary" "${binary}_backup"
## prevent dumping plugins and frameworks
if [[ -e PlugIns ]]; then
  hasplugin=1
  mv PlugIns PlugIns-
fi
if [[ -e Frameworks ]]; then
  hasfmwk=1
  mv Frameworks Frameworks-
fi
# extract the original entitlements and append the ones needed to get a task port
ent_tmp=$(mktemp)
ldid -e "$binary" >"$ent_tmp"
plutil -key platform-application -true "$ent_tmp" >/dev/null
plutil -key get-task-allow -true "$ent_tmp" >/dev/null
plutil -key run-unsigned-code -true "$ent_tmp" >/dev/null
plutil -key com.apple.private.skip-library-validation -true "$ent_tmp" >/dev/null
plutil -key com.apple.private.security.no-container -true "$ent_tmp" >/dev/null
#cat "$ent_tmp"
# first run on the original binary is expected to fail, but is required (see step 3)
echo "Dumping original to fail"
Clutch-2.0.4-Debug -b "$id"
ldid -S"$ent_tmp" "$binary"
echo "Dumping again"
Clutch-2.0.4-Debug -b "$id"
# clean up and restore the original binary, plugins and frameworks
rm -f "$ent_tmp"
mv -f "${binary}_backup" "$binary"
if [[ $hasplugin != "" ]]; then
  mv PlugIns- PlugIns
fi
if [[ $hasfmwk != "" ]]; then
  mv Frameworks- Frameworks
fi
```

```
esterTion:~ root# clutch-dump jp.co.cygames.princessconnectredive
Resigning [princessconnectredive]
Dumping original to fail
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!
Error: Failed to dump with arch arm64
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] failed operation :(
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] application {name = 'NSOperationQueue 0x105cf2b80'}
Error: Failed to dump
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] failed operation :(
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] application {name = 'NSOperationQueue 0x105cf2b80'}
Error: Failed to dump jp.co.cygames.princessconnectredive :(
Dumping again
ASLR slide: 0x100cd8000
Dumping (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Finished dumping jp.co.cygames.princessconnectredive to /var/tmp/clutch/CA4FA568-0970-441B-8F07-BC9DFFD1766C
Finished dumping jp.co.cygames.princessconnectredive in 21.8 seconds
```
holyswordman commented 5 years ago

I think Clutch's method of operation has been blocked since iOS 11.1; Clutch may need to be redesigned. Even if it can be run by signing it, it cannot decrypt the app and does not work properly; it has nothing to do with unc0ver.

esterTion commented 5 years ago

@holyswordma Note step 3: you must first dump the original binary once, otherwise FairPlay will report an error. I don't know the underlying principle either; probably a decryption cache.

This is a kernel restriction issue, and jailbreaking is supposed to remove restrictions as far as possible.

Halo-Michael commented 5 years ago

> Temporary workaround
>
> After finding it's a sandbox issue, I messed around with it, and now it correctly dumps the app. Problem: this workaround requires resigning the binary, which loses the original developer group info, makes it generate a new container for app preferences, and also makes it unable to share data within the original app group (e.g. Google shares account info across apps).
>
> Therefore, this dump method might not be good for generating cracked IPAs, but it is good enough for reverse engineering research.
>
> 1. Find the app you want to dump and extract its original entitlements using `ldid -e Binary >app-ent.xml`. Also keep a copy of the original binary if you want to restore it later to avoid losing preferences.
> 2. Add the new entitlements below to the file:
>
> new entitlements
>
> 3. Run Clutch on the original, untouched binary, which should fail with `Could not obtain mach port` (this step is important, or the newly signed binary won't spawn, with error `AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022`).
> 4. Resign the binary with `ldid -Sapp-ent.xml Binary`.
> 5. Run `Clutch -b com.bundle.id`; now Clutch can spawn and decrypt the binary.
>
> Still, I think this is an unc0ver issue, not fully patching the kernel (probably won't happen in KPPless).
>
> Example shell script

Perhaps you should keep a backup of the original entitlements file (app-ent.xml) and re-sign the dumped binary with the original entitlements file after it has spawned and decrypted the binary?

esterTion commented 5 years ago

> Perhaps you should keep a backup of the original entitlements file (app-ent.xml) and re-sign the dumped binary with the original entitlements file after it has spawned and decrypted the binary?

It's not about entitlements; the app group is determined by the signing private key, which only the developer has. Once you have resigned the binary, it can never be turned back into the original signature. In fact, Clutch only updates the CDHash part, but ldid overwrites the entire signature.

Halo-Michael commented 5 years ago

> Perhaps you should keep a backup of the original entitlements file (app-ent.xml) and re-sign the dumped binary with the original entitlements file after it has spawned and decrypted the binary?
>
> It's not about entitlements; the app group is determined by the signing private key, which only the developer has. Once you have resigned the binary, it can never be turned back into the original signature. In fact, Clutch only updates the CDHash part, but ldid overwrites the entire signature.

Thanks for the notes.

jeffli678 commented 4 years ago

@esterTion I tried your workaround very hard and unfortunately it doesn't work. The related error message is still the mach port one. I am on iOS 12.1.2 with unc0ver 3.3.8.

esterTion commented 4 years ago

Did you dump the original binary first? It needs to be attempted on the original, or decryption will fail.

Sadly I’ve been in jail for months now, so can’t test anything.

jeffli678 commented 4 years ago

I did. Not sure what went wrong.

esterTion commented 4 years ago

You can connect your phone to a PC and use idevicesyslog from libimobiledevice to grab the syslog and see what the error is. If you have a Mac you can use the Apple Configurator 2 app.

jeffli678 commented 4 years ago

Thanks for your advice. I will give it a try when I have free time.

esterTion commented 4 years ago

@jeffli678 So hi, thanks to Apple bringing back the old exploit, I'm now free on 12.4. I've tested again, and it is clearly working for me.

console logs

```
esterTion:/User/Documents/App-link/App/jp.co.bandainamcoent.BNEI0242 root# clutch-dump jp.co.bandainamcoent.BNEI0242
Resigning [BNEI0242]
Dumping original to fail
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!
Error: Failed to dump with arch arm64
2019-08-20 11:29:26.758 Clutch-2.0.4-Debug[8973:191992] failed operation :(
2019-08-20 11:29:26.759 Clutch-2.0.4-Debug[8973:191992] application {name = 'NSOperationQueue 0x1015abd50'}
Error: Failed to dump
2019-08-20 11:29:26.759 Clutch-2.0.4-Debug[8973:191992] failed operation :(
2019-08-20 11:29:26.760 Clutch-2.0.4-Debug[8973:191992] application {name = 'NSOperationQueue 0x1015abd50'}
Error: Failed to dump jp.co.bandainamcoent.BNEI0242 :(
Dumping again
ASLR slide: 0x104150000
Dumping (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Finished dumping jp.co.bandainamcoent.BNEI0242 to /var/tmp/clutch/23D1BCAE-6922-4B01-9BE8-78B6A0CF94EE
Finished dumping jp.co.bandainamcoent.BNEI0242 in 34.3 seconds
```

So I'm not sure which part you did wrong. If you are grabbing that script as-is, there are some missing pieces before you can use it, e.g. $id is not defined; also /User/Documents/App-link/App/$id is a link directory to the actual app container.

jeffli678 commented 4 years ago

Ironically, I also tried the latest jailbreak on another phone running 12.4. The jailbreak was successful, but I cannot get Cydia to work; it says no Internet connection.

That said, I somehow believe I previously followed your steps closely. I will try again and post logs later.

Disclosure: I am relatively new to iOS reverse engineering.

esterTion commented 4 years ago

> I cannot get Cydia to work; it says no Internet connection.

Delete /var/preferences/com.apple.networkextension.plist and reboot.

klmitchell2 commented 4 years ago

I spent some time yesterday trying to get Clutch working on an iPhone 7 (iOS 12.4) jailbroken with Chimera and did not succeed. No idea if they are compatible, but I was able to use frida-ios-dump as an alternative.

TRGoCPftF commented 4 years ago

You can get around some of these app issues with unc0ver or 12.* Clutch use in general. A couple of other devs found some ways with 12.1-12.4 before. Check out https://github.com/Alderon86/hydraDump

It can likely be done without as many external requirements, but it worked for me when I was unable to dump anything on 12.* unc0ver stuff.

esterTion commented 4 years ago

> Check out https://github.com/Alderon86/hydraDump

Look inside and you will find out it's exactly my code from here 🤔

TRGoCPftF commented 4 years ago

Well no s***, they seemed so proud of what they did when they showed me 😂 I'll have to call em out for proper accreditation.