coolstar / electra

Electra iOS 11.0 - 11.1.2 jailbreak toolkit based on async_awake
GNU General Public License v3.0

Library Validation failed #176

Closed cjsworld closed 6 years ago

cjsworld commented 6 years ago

I have signed my binary with the "platform-application" entitlement, but it still can't load an untrusted lib. The log says:

Library Validation failed: Rejecting '/usr/lib/libTest.dylib' (Team ID: none, platform: no) for process 'test11(12099)' (Team ID: none, platform: no), reason: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)

and console says:

dyld: Library not loaded: /usr/lib/libTest.dylib
  Referenced from: /usr/bin/test11
  Reason: no suitable image found.  Did find:
    /usr/lib/libTest.dylib: code signing blocked mmap() of '/usr/lib/libTest.dylib'
    /usr/lib/libTest.dylib: code signing blocked mmap() of '/usr/lib/libTest.dylib'

After reading the docs, I removed the -lTest from LDFLAGS and do dlopen after jb_oneshot_entitle_now(getpid(), FLAG_PLATFORMIZE);, and it works.

But it is inconvenient to change lib linking to dlopen, because I have to dlsym those symbols that I use. Even worse, if I want to use CocoaLumberjack.framework, I have to dlopen it manually, and modify the DDLogInfo macro from [DDLog xxxx] to [NSClassFromString(@"DDLog") xxx] to make the linker happy.

After some tries, I made a loader that posix_spawns the target binary with POSIX_SPAWN_START_SUSPENDED and then calls jb_oneshot_entitle_now using the pid. It works fine.

```c
#include <spawn.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* jb_oneshot_entitle_now() and the FLAG_* bits come from Electra's jailbreak
   headers (not declared here); link against the library that provides them. */

int main(int argc, char *argv[], char *envp[]) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <binary> [args...]\n", argv[0]);
        return 1;
    }

    /* Spawn the target suspended so it cannot map any library before it is entitled. */
    posix_spawnattr_t attr;
    posix_spawnattr_init(&attr);
    posix_spawnattr_setflags(&attr, POSIX_SPAWN_START_SUSPENDED);

    pid_t pid;
    int ret = posix_spawnp(&pid, argv[1], NULL, &attr, &argv[1], envp);
    posix_spawnattr_destroy(&attr);

    if (ret) {
        fprintf(stderr, "posix_spawn failed! ret=%d\n", ret);
        return 1;
    }

    /* Platformize/entitle the suspended child; FLAG_SIGCONT resumes it afterwards. */
    jb_oneshot_entitle_now(pid, FLAG_PLATFORMIZE | FLAG_ENTITLE | FLAG_SANDBOX | FLAG_SIGCONT);

    int status;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

I also found that the binary can run normally after the loader has been called once. Maybe there is some kind of cache, but it doesn't last for too long; after some period of time, it fails to run again.

Is there any solution for this?
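The "Library Validation failed" line quoted in the post above has a fixed shape (library path, library Team ID and platform flag, process name and pid, process Team ID and platform flag, reason). The parser below is an added example, not code from the Electra project or from the people in this thread; it turns such lines into structured records so a defender reviewing device logs can see which process tried to map which library and why AMFI rejected it. The sample lines are constructed for the example: the first copies the line from the post, the second uses a made-up Team ID and reason string to exercise the other field values.

```python
import re

# Constructed sample log, modeled on the line quoted in the issue; the second
# line is invented to exercise a non-"none" Team ID and a platform process.
SAMPLE_LOG = """\
Library Validation failed: Rejecting '/usr/lib/libTest.dylib' (Team ID: none, platform: no) for process 'test11(12099)' (Team ID: none, platform: no), reason: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)
Library Validation failed: Rejecting '/Library/Frameworks/Example.framework/Example' (Team ID: ABCDE12345, platform: no) for process 'Sample(4242)' (Team ID: none, platform: yes), reason: mapping process and mapped file (non-platform) have different Team IDs
some unrelated log line
"""

LV_PATTERN = re.compile(
    r"Library Validation failed: Rejecting '(?P<lib>[^']+)' "
    r"\(Team ID: (?P<lib_team>[^,]+), platform: (?P<lib_platform>yes|no)\) "
    r"for process '(?P<proc>[^(']+)\((?P<pid>\d+)\)' "
    r"\(Team ID: (?P<proc_team>[^,]+), platform: (?P<proc_platform>yes|no)\), "
    r"reason: (?P<reason>.*)$"
)


def parse_line(line):
    """Return a dict for one rejection line, or None if the line is unrelated."""
    m = LV_PATTERN.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "library": d["lib"],
        "library_team_id": None if d["lib_team"] == "none" else d["lib_team"],
        "library_is_platform": d["lib_platform"] == "yes",
        "process": d["proc"],
        "pid": int(d["pid"]),
        "process_team_id": None if d["proc_team"] == "none" else d["proc_team"],
        "process_is_platform": d["proc_platform"] == "yes",
        "reason": d["reason"].strip(),
    }


def parse_log(text):
    """Parse every line of a log blob, dropping lines that are not rejections."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events):
    """Count rejections per (process, library) pair so repeated failures stand out."""
    counts = {}
    for ev in events:
        key = (ev["process"], ev["library"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(f"{ev['process']}[{ev['pid']}] -> {ev['library']}: {ev['reason']}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

On a non-jailbroken device these records are exactly the events library validation exists to produce: a process without a Team ID or platform status trying to map a library it is not allowed to, so a burst of them for one process name is worth correlating with what that binary is and how it was signed.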

kirb commented 6 years ago

You need to also make amfi skip validation of libraries with the com.apple.private.skip-library-validation entitlement.

cjsworld commented 6 years ago

It works, thanks a lot!!!