evelyneee / ellekit

yet another tweak injector / tweak hooking library for darwin systems
BSD 3-Clause "New" or "Revised" License

My tweak, ported from rootful and substrate, causes safe modes #33

Closed hacx closed 1 year ago

hacx commented 1 year ago

I updated my tweak to use @rpaths and it still (optionally) references MobileSubstrate. It works well in palera1n rootless but not on Dopamine. It hooks several C functions in mediaserverd.

Users are experiencing a safe mode when the tweak loads. This is the crash report:

```text
CrashReporter Key:   0147f2ab04213c7d57e422d09fe72e559741bbcd
Hardware Model:      iPhone13,4
Process:             mediaserverd [5212]
Path:                /usr/sbin/mediaserverd
Identifier:          mediaserverd
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.apple.mediaserverd [592]
Date/Time:           2023-07-16 17:00:30.4134 +0300
Launch Time:         2023-07-16 17:00:29.9521 +0300
OS Version:          iPhone OS 15.1.1 (19B81)
Release Type:        User
Baseband Version:    2.11.04
Report Version:      104

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001991c7384
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [5212]

Triggered by Thread:  0

Application Specific Information:

Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x1991c7384 readClass(objc_class*, bool, bool) + 116
1   libobjc.A.dylib                 0x1991c851c map_images_nolock + 3080
2   libobjc.A.dylib                 0x1991c851c map_images_nolock + 3080
3   libobjc.A.dylib                 0x1991c923c map_images + 88
4   dyld                            0x104d102b8 dyld4::RuntimeState::notifyLoad(dyld3::Array<dyld4::Loader const*> const&) + 584
5   dyld                            0x104d15b44 dyld4::APIs::dlopen_from(char const*, int, void*) + 496
6   libinjector.dylib               0x104ca3abc injection_init + 2040
7   dyld                            0x104d14794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
8   dyld                            0x104d48364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
9   dyld                            0x104d12490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
10  dyld                            0x104d11698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
11  dyld                            0x104d109f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
12  dyld                            0x104d1debc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
13  dyld                            0x104d1aa10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
14  dyld                            0x104d163c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
15  dyld                            0x104d1c570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
16  dyld                            0x104d15b54 dyld4::APIs::dlopen_from(char const*, int, void*) + 512
17  systemhook.dylib                0x104c47490 initializer + 500
18  dyld                            0x104d14794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
19  dyld                            0x104d48364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
20  dyld                            0x104d12490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
21  dyld                            0x104d11698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
22  dyld                            0x104d109f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
23  dyld                            0x104d1debc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
24  dyld                            0x104d1aa10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
25  dyld                            0x104d163c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
26  dyld                            0x104d1c570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
27  dyld                            0x104d3bd44 dyld4::APIs::runAllInitializersForMain() + 312
28  dyld                            0x104d273ac dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
29  dyld                            0x104d25a04 start + 488

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000107f39ee0   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0xfffffffffffffff6
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000021   x7: 0x00000000000008f0
    x8: 0x0000000107f21c48   x9: 0x000000016b202178  x10: 0x0000000000000006  x11: 0x0000000105c70000
   x12: 0x0000000105c6c000  x13: 0x0000000000000066  x14: 0xe2d4577ee0bb8544  x15: 0x000067616e614d6e
   x16: 0x00200001daa48160  x17: 0x00000001daa48160  x18: 0x0000000000000000  x19: 0x0000000107f39ee0
   x20: 0x0000000000000000  x21: 0x0000000107f0d562  x22: 0x0000000000000000  x23: 0x0000000000000000
   x24: 0x0000000000000000  x25: 0x0000000107f39ee8  x26: 0x0000000001120532  x27: 0x0000000107f39ee0
   x28: 0x0000000000000006   fp: 0x000000016b2021a0   lr: 0xec195581991c851c
    sp: 0x000000016b202150   pc: 0x00000001991c7384 cpsr: 0x20000000
   far: 0x0000000107efcee0  esr: 0xf200c472 (Breakpoint) pointer authentication trap DA

Binary Images:
       0x1991bc000 -        0x1991f5fff libobjc.A.dylib arm64e  <10fa90c6dfe538aeb3dc2251181cc272> /usr/lib/libobjc.A.dylib
       0x104d0c000 -        0x104d63fff dyld arm64e  <c21dba379df93fc7b286734030e18bb1> /usr/lib/dyld
       0x104c9c000 -        0x104ca3fff libinjector.dylib arm64e  <5e17d7464bcc3356ad78321d55215bfc> /private/preboot/5A564AB6B67F73249711094FAA1C979FDD441F128A0E2EF535D5713F9F7A92BD2AFDAB32F6862A3587ADD8ECA5F649D9/jb-nJMZIL/procursus/usr/lib/ellekit/libinjector.dylib
       0x104c40000 -        0x104c47fff systemhook.dylib arm64e  <9bcc3df8d13230d1b4cc1cc5c0831ae4> /usr/lib/systemhook.dylib

EOF
```

```text
Incident Identifier: 50D9A0C6-25E0-477D-A908-F36998F79996
CrashReporter Key:   0147f2ab04213c7d57e422d09fe72e559741bbcd
Hardware Model:      iPhone13,4
Process:             mediaserverd [5211]
Path:                /usr/sbin/mediaserverd
Identifier:          mediaserverd
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.apple.mediaserverd [592]
Date/Time:           2023-07-16 17:00:24.9506 +0300
Launch Time:         2023-07-16 17:00:24.4799 +0300
OS Version:          iPhone OS 15.1.1 (19B81)
Release Type:        User
Baseband Version:    2.11.04
Report Version:      104

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001991c7384
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [5211]

Triggered by Thread:  0

Application Specific Information:

Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib                 0x1991c7384 readClass(objc_class*, bool, bool) + 116
1   libobjc.A.dylib                 0x1991c851c map_images_nolock + 3080
2   libobjc.A.dylib                 0x1991c851c map_images_nolock + 3080
3   libobjc.A.dylib                 0x1991c923c map_images + 88
4   dyld                            0x10484c2b8 dyld4::RuntimeState::notifyLoad(dyld3::Array<dyld4::Loader const*> const&) + 584
5   dyld                            0x104851b44 dyld4::APIs::dlopen_from(char const*, int, void*) + 496
6   libinjector.dylib               0x1047dfabc injection_init + 2040
7   dyld                            0x104850794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
8   dyld                            0x104884364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
9   dyld                            0x10484e490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
10  dyld                            0x10484d698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
11  dyld                            0x10484c9f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
12  dyld                            0x104859ebc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
13  dyld                            0x104856a10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
14  dyld                            0x1048523c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
15  dyld                            0x104858570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
16  dyld                            0x104851b54 dyld4::APIs::dlopen_from(char const*, int, void*) + 512
17  systemhook.dylib                0x104783490 initializer + 500
18  dyld                            0x104850794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
19  dyld                            0x104884364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
20  dyld                            0x10484e490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
21  dyld                            0x10484d698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
22  dyld                            0x10484c9f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
23  dyld                            0x104859ebc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
24  dyld                            0x104856a10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
25  dyld                            0x1048523c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
26  dyld                            0x104858570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
27  dyld                            0x104877d44 dyld4::APIs::runAllInitializersForMain() + 312
28  dyld                            0x1048633ac dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
29  dyld                            0x104861a04 start + 488

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000107ae5ee0   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0xfffffffffffffff6
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000021   x7: 0x00000000000008f0
    x8: 0x0000000107acdc48   x9: 0x000000016b7c6178  x10: 0x0000000000000006  x11: 0x0000000104e9c000
   x12: 0x0000000104e98000  x13: 0x0000000000000066  x14: 0xe2d4577ee0bb8544  x15: 0x000067616e614d6e
   x16: 0x00200001daa48160  x17: 0x00000001daa48160  x18: 0x0000000000000000  x19: 0x0000000107ae5ee0
   x20: 0x0000000000000000  x21: 0x0000000107ab9562  x22: 0x0000000000000000  x23: 0x0000000000000000
   x24: 0x0000000000000000  x25: 0x0000000107ae5ee8  x26: 0x0000000001120532  x27: 0x0000000107ae5ee0
   x28: 0x0000000000000006   fp: 0x000000016b7c61a0   lr: 0xd352e481991c851c
    sp: 0x000000016b7c6150   pc: 0x00000001991c7384 cpsr: 0x20000000
   far: 0x0000000107aa8ee0  esr: 0xf200c472 (Breakpoint) pointer authentication trap DA

Binary Images:
       0x1991bc000 -        0x1991f5fff libobjc.A.dylib arm64e  <10fa90c6dfe538aeb3dc2251181cc272> /usr/lib/libobjc.A.dylib
       0x104848000 -        0x10489ffff dyld arm64e  <c21dba379df93fc7b286734030e18bb1> /usr/lib/dyld
       0x1047d8000 -        0x1047dffff libinjector.dylib arm64e  <5e17d7464bcc3356ad78321d55215bfc> /private/preboot/5A564AB6B67F73249711094FAA1C979FDD441F128A0E2EF535D5713F9F7A92BD2AFDAB32F6862A3587ADD8ECA5F649D9/jb-nJMZIL/procursus/usr/lib/ellekit/libinjector.dylib
       0x10477c000 -        0x104783fff systemhook.dylib arm64e  <9bcc3df8d13230d1b4cc1cc5c0831ae4> /usr/lib/systemhook.dylib
```

dhinakg commented 1 year ago

This seems like an old ABI crash. Compile with Xcode 13+, add a dependency on OldABI, or use Allemand to convert your tweak to the new ABI.
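The diagnosis above points at the toolchain the tweak was built with. The SDK and minimum OS a dylib was linked against are recorded in its `LC_BUILD_VERSION` (newer toolchains) or `LC_VERSION_MIN_IPHONEOS` (older SDKs) load command, so reading those is the quickest way to confirm what a binary was actually built with before shipping it again. The Python below is an added example, not code from this issue or from ellekit; it parses a thin 64-bit Mach-O (fat slices are deliberately not handled) and uses constructed header bytes as sample input.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF         # 64-bit little-endian Mach-O (arm64 / arm64e)
LC_VERSION_MIN_IPHONEOS = 0x25   # emitted by older iOS SDKs: version, sdk
LC_BUILD_VERSION = 0x32          # emitted by newer toolchains: platform, minos, sdk
PLATFORM_IOS = 2


def decode_version(v: int) -> str:
    """Mach-O packs versions as X.Y.Z into 16 + 8 + 8 bits."""
    return f"{v >> 16}.{(v >> 8) & 0xFF}.{v & 0xFF}"


def sdk_info(data: bytes):
    """Walk the load commands of a thin 64-bit Mach-O and return
    (command name, platform, min OS, SDK) from the first version command, or None."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:     # never walk past the declared bounds
            raise ValueError("malformed load command")
        if cmd == LC_BUILD_VERSION:
            platform, minos, sdk, _ntools = struct.unpack_from("<4I", data, off + 8)
            return ("LC_BUILD_VERSION", platform, decode_version(minos), decode_version(sdk))
        if cmd == LC_VERSION_MIN_IPHONEOS:
            version, sdk = struct.unpack_from("<2I", data, off + 8)
            return ("LC_VERSION_MIN_IPHONEOS", PLATFORM_IOS, decode_version(version), decode_version(sdk))
        off += cmdsize
    return None


def encode_version(major: int, minor: int, patch: int = 0) -> int:
    return (major << 16) | (minor << 8) | patch


def make_sample(load_command: bytes) -> bytes:
    """Constructed test input: a bare mach_header_64 for an arm64e dylib plus one load command."""
    ncmds = 1 if load_command else 0
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0x80000002, 6, ncmds, len(load_command), 0, 0)
    return header + load_command


# Constructed samples, not real tweak binaries: one built by a newer toolchain, one by an old SDK.
NEW_TOOLCHAIN_SAMPLE = make_sample(struct.pack("<6I", LC_BUILD_VERSION, 24, PLATFORM_IOS,
                                               encode_version(15, 0), encode_version(16, 2), 0))
OLD_SDK_SAMPLE = make_sample(struct.pack("<4I", LC_VERSION_MIN_IPHONEOS, 16,
                                         encode_version(11, 0), encode_version(13, 7)))

if __name__ == "__main__":
    print(sdk_info(NEW_TOOLCHAIN_SAMPLE), sdk_info(OLD_SDK_SAMPLE))
```

To inspect a real tweak, pass `open(path, "rb").read()` to `sdk_info`; a result carrying `LC_VERSION_MIN_IPHONEOS` with an old SDK number is the first thing to look at when a rebuild is being blamed.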