Issue launching app analysis on 32 bit devices

[eric1dat]

I am having and issue where in, when I launch an app analysis on a 32 bit device. The process begins, spins a bit then restarts the device. I initially thouht it was an issue with frida, when I select the device I see all the apps avalible on it and I believe this a frida process as well. It is when I launch the app that things fail. I am able to run from the same server instace on 64 bit devices no problem. One more difference between 32 and 64 bit devices the 64 bit devices are jailbroken 9.3.3 and the 32 bit devices are 9.3.5 jailbrakes.

[ChiChou]

Any log from Console.app?

[eric1dat]

Yes on the the error, here's whats going to the Console:

An unhandledRejection occurred: Rejection:Error:The Connection is closed Error: The Connection is closed

Thanks for the app and having a look at this.

[ChiChou]

open Console.app, I mean the log from iPhone

[eric1dat]

Ah, O.k. The device is at the office, I'll dump the logs from it when I get in tomorrow.

[eric1dat]

Find attached the log from me running the process this morning DeviceCrash.crash.zip

[ChiChou]

launchd crashed, looks like it's a jailbreak environment problem

[ChiChou]

Passionfruit also supports repacking FridaGadget.dylib to ipa, which does not require jailbroken device.

[eric1dat]

Thanks for the research. I’ll try injecting the Frida library or a different 9.3.5 jailbreak

[ChiChou]

I only got a 32bit iPhone 5 with iOS 8. Still unable to reproduce this.

[eric1dat]

Wow, that's interesting. Perhaps it is my Jailbreak. I am using the Phoenix Jailbreak on 3 different 9.3.5 device. Again thanks much for your efforts.

[allRiceOnMe]

I have the same issue with the Phoenix Jailbreak (iOS 9.3.5, iPhone4S).

[ChiChou]

Yet another question to ask, have you confirm that the frida on device is properly installed? There's both 32bit and 64bit version in the Cydia source:

[allRiceOnMe]

Yea, i know. It's the correct "Frida for 32-bit devices" version installed. frida-ps -U shows all processes and attaching works fine.

[ChiChou]

@allRiceOnMe Does frida -f [com.xxx.bundleid.goes.here] -U work?

[allRiceOnMe]

Nope, it doesn't. Same result as when using passionfruit: The device restarts.

[ChiChou]

I guess only @oleavr can solve this...

Anyway, you can manually start an app on device, then passionfruit will try to attach it instead of spawning a new instance.

[ChiChou]

Seems like it's a frida framework's bug: https://github.com/frida/frida/issues/373 @eric1dat

[eric1dat]

Launching the app on the device then attaching with the tool works fine. Thanks for everyones inputs.

[oleavr]

This is indeed a bug in Frida, but I'm afraid I won't fix this unless somebody volunteers their time to debug it – I don't have any 32-bit devices available for testing.

[ChiChou]

cc @allRiceOnMe

[allRiceOnMe]

@oleavr How can I help?

[oleavr]

@allRiceOnMe Would be great if you could build Frida yourself, changing config.mk to remove --strip, and replacing /usr/sbin/frida-server with your symbolicated version. (Make sure you rm the original file first to avoid code-signing issues.) Then use launchctl to unload and then load frida-server. Once that's done, the next step is figuring out why launchd crashes when we instrument it with this script.

[allRiceOnMe]

@oleavr Could you please name the full command to load and unload using launchctl?

[oleavr]

@allRiceOnMe

$ launchctl unload /Library/LaunchDaemons/re.frida.server.plist
$ launchctl load /Library/LaunchDaemons/re.frida.server.plist

[allRiceOnMe]

@oleavr Ok, perfekt. I'm prepared.

[allRiceOnMe]

@oleavr What would be the next step? Thanks in advance

[oleavr]

@allRiceOnMe Could you provide a disassembly of __posix_spawn? We hook it here. I'm also curious if you are able to trace it if you do frida-trace -U -p 1 -i __posix_spawn -- does that crash launchd (PID 1) when you manually launch an app, or does it work?