Debugserver not work

[liuxuan30]

If try to attach:

iPhone:/bootstrap/usr root# ./debugserver *:1234 -a AppStore
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-360.0.26.14
 for arm64.
Attaching to process AppStore...
error: failed to attach to process named: "" (os/kern) invalid argument
Exiting.

If tried to launch:

iPhone:/bootstrap/usr root# ./debugserver *:1234 /Applications/AppStore.app/AppStore 
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-360.0.26.14
 for arm64.
error: failed to launch process ./debugserver: (os/kern) invalid argument
Exiting.

Some kernel log maybe helpful:

Jan 20 13:43:45 Xuans-iPhone debugserver[298] <Notice>: In completion handler, got pid for bundle id, pid: 299.
Jan 20 13:43:45 Xuans-iPhone debugserver[298] <Notice>: 1 +0.000000 sec [012a/0303]: error: ::task_set_exception_ports ( task = 0x2807, exception_mask = 0x000013fe, new_port = 0x200b, behavior = 0x80000001, new_flavor = 0x00000005 ) err = (os/kern) invalid argument (0x00000004)
Jan 20 13:43:45 Xuans-iPhone debugserver[298] <Notice>: Could not get inferior's Mach exception port, sending ptrace PT_KILL and exiting.
Jan 20 13:43:45 Xuans-iPhone debugserver[298] <Notice>: 2 +0.000221 sec [012a/0303]: RNBRunLoopLaunchInferior DNBProcessLaunch() returned error: '(os/kern) invalid argument'
Jan 20 13:43:45 Xuans-iPhone SpringBoard(FrontBoard)[230] <Notice>: [FBProcessManager] Removing: <FBProcess: 0x1c03093f0; debugserver; pid: -1>

I signed a copy of debugserver with below entitlements with jtool:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.backboardd.debugapplications</key>
        <true/>
        <key>com.apple.backboardd.launchapplications</key>
        <true/>
        <key>com.apple.diagnosticd.diagnostic</key>
        <true/>
        <key>com.apple.frontboard.debugapplications</key>
        <true/>
        <key>com.apple.frontboard.launchapplications</key>
        <true/>
        <key>com.apple.springboard.debugapplications</key>
        <true/>
        <key>com.apple.springboard.launchapplications</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.network.server</key>
        <true/>
        <key>com.apple.assertiond.app-state-monitor</key>
        <true/>
        <key>com.apple.private.network.socket-delegate</key>
        <true/>
        <key>com.apple.mobileactivationd.network-security-disabled</key>
        <true/>
        <key>com.apple.networkd_privileged</key>
        <true/>
        <key>run-unsigned-code</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
        <key>task_for_pid-allow</key>
        <true/>
        <key>com.apple.system-task-ports</key>
        <true/>
    </dict>
</plist>

[stek29]

It's debugserver bug -- it can't listen on *. Listen on localhost/127.0.0.1 and use iproxy.

[liuxuan30]

I think it's not the listen address issue first? tried 127.0.0.1, same issue.

Xuans-iPhone:/bootstrap/usr root# ./debugserver 127.0.0.1:1234 /Applications/AppStore.app/AppStore
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-360.0.26.14
 for arm64.
error: failed to launch process ./debugserver: (os/kern) invalid argument
Exiting.

[stek29]

I never tried to launch apps vie debug server, I've only attached to them. And I only got it working when using 127.0.0.1 and never with *.

[liuxuan30]

have you tried to attach AppStore?

Xuans-iPhone:/bootstrap/usr root# ps -ax|grep AppS
  144 ??         0:04.42 /System/Library/PrivateFrameworks/AppStoreDaemon.framework/appstored.bundle/appstored
 1216 ??         0:01.40 /Applications/AppStore.app/AppStore
 1226 ttys002    0:00.01 grep AppS
Xuans-iPhone:/bootstrap/usr root# ./debugserver 127.0.0.1:1234 -a 1216
debugserver-@(#)PROGRAM:debugserver  PROJECT:debugserver-360.0.26.14
 for arm64.
Attaching to process 1216...
error: failed to attach process 1216: (os/kern) invalid argument
Exiting.

[coolstar]

You need to use jailbreakd_client to platformize debugserver

[liuxuan30]

@coolstar thanks for the tip. May I ask more details? how to use it?

jailbreakd_client <1 | 2> 1 = entitle+platformize the target PID 2 = entitle+platformize the target PID and subsequently sent SIGCONT

since debugserver will be launched manually and exit almost immediately, how can I get the pid and run this client?

I have signed it as platform, why another platformize again here?

[holyswordman]

As i know, when u just signed it as platform in entitlement xml is not full platformize, so u need to do it via jailbreakd client. u may write a program that spawn the debugserver and platformize it.

[stek29]

Ah, lol, I thought you've entitled it and haven't even noticed you're trying to attach to platform binary

[liuxuan30]

@stek29 @holyswordman thank you guys. But could you tell me how to use this client? Still confused how to use this jailbreakd_client. This already a cli tool

and

haven't even noticed you're trying to attach to platform binary

What's the difference here?

[stek29]

@liuxuan30 actually there's no difference with electra since it marks all apps as platform

[stek29]

@liuxuan30 ./jbdo ./debugserver 0.0.0.0:1234

sign debugserver with task_for_pid-allow entitlement + default ones

jbdo: https://0x0.st/sq2A.bin code of jbdo at https://github.com/coolstar/electra/issues/53#issuecomment-359287851

[liuxuan30]

Thanks! I will give a try but this is still missing usage of jailbreakd_client :)

[stek29]

@liuxuan30 there's #53 for that :)

[liuxuan30]

oops sorry it's mistakenly closed. @stek29 Sorry for very delayed reply. I tried jbdo to hook AppStore for example, /usr/local/bin/jbdo /usr/local/bin/debugserver *:1234 -a 1367 however it just hangs. If try to connect from my mac,

(lldb) process connect connect://192.168.1.55:1234
error: Failed to connect port

I also tried to /electra/jailbreakd_client 1367 1 for AppStore, nothing help. I think it's just jbdo stucks somewhere?

[stek29]

jbdo needs to be rewritten for latest libjailbreak

[rustymagnet3000]

hey @stek29 @liuxuan30 did you get debugserver working as expected?

I am hitting the same issues as @liuxuan30.

[liuxuan30]

No.

[stek29]

• Sign debugserver
• Start debugserver in suspended state (or just SIGKILL it quickly)
• Use jailbreakd_client to entitle debugserver pid
• SIGCONT debugserver

[liuxuan30]

if debugserver get killed, the pid is no longer valid? Can you explain more in suspended state? Thanks

[rustymagnet3000]

A nice little article about this very topic: https://kov4l3nko.github.io/blog/2018-03-18-my-experience-with-lldb-and-electra-jb/

[liuxuan30]

@rustymagnet3000 that would work, but opening two ssh tunnels seems a little complex to use. If we can connect directly is much easier.

[rustymagnet3000]

two ssh tunnels makes sense (one for lldb/gdb the other for ssh).

I spent all the effort creating a signed iOS Debugserver (the old way to get it working) and I just needed to use /Developer/usr/bin/debugserver

Wow. Electra is amazing!!

[rustymagnet3000]

I think you should close this ticket @liuxuan30

[liuxuan30]

not really. I'd prefer non-ssh way.

[KingKong5147]

Is there a guide to get this working for iOS 11.3.1? A simple step by step guide?

[goodcyg]

@liuxuan30 I have the same problem. error: failed to attach to process named: “” (os/kern) invalid argument I download https://0x0.st/sq2a.bin, but is the content like this? Process 17 stopped

• thread #1: tid = 17, 0x00007f13a56ad4a8, name = 'fhost' frame #0: Process 17 stopped
• thread #8: tid = 17, 0x00007f13877f5d90 fhostget(path='/sq2A.bin') + 27 at fhost.c:139, name = 'fhost/responder', stop reason = invalid address (fault address: 0x30) frame #0: 0x00007f13877f5d90 fhostget(path='/sq2A.bin') + 27 at fhost.c:139 136 get(SrvContext ctx, const char path) 137 { 138 StoredObj *obj = ctx->store->query(shurl_debase(path)); -> 139 switch (obj->type) { 140 case ObjTypeFile: 141 ctx->serve_file_id(obj->id); 142 break; (lldb) q

The above discussion is not detailed enough, and there are many problems. Do you give detailed solutions?