nowsecure / fsmon

monitor filesystem on iOS / OS X / Android / FirefoxOS / Linux
https://www.nowsecure.com
MIT License

Crash with "Killed: 9" message #43

Open interference-security opened 4 years ago

interference-security commented 4 years ago

I am trying to run fsmon on iOS 12.1.2 (iPhone 6S) jailbroken using Unc0ver. When running fsmon, it returns the error message Killed: 9.

What I have already tried: lipo and ldid (Source: https://medium.com/@felipejfc/the-ultimate-guide-for-live-debugging-apps-on-jailbroken-ios-12-4c5b48adf2fb)

On Mac:
lipo -thin arm64 fsmon-ios -output fsmon-ios-arm64

On iOS:
ldid -Sentity.xml fsmon-ios-arm64

interference-security commented 4 years ago

iDevice:~ root# ldid -e `which bash` > ent.xml
iDevice:~ root# cat ent.xml

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>platform-application</key>
        <true/>
        <key>com.apple.private.security.no-container</key>
        <true/>
        <key>com.apple.private.skip-library-validation</key>
        <true/>
</dict>
</plist>

iDevice:~ root# ldid -Sent.xml fsmon-ios
iDevice:~ root# chmod 755 fsmon-ios
iDevice:~ root# inject ./fsmon-ios

Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.

iDevice:~ root# ./fsmon-ios

dyld: Symbol not found: ___chkstk_darwin
  Referenced from: /private/var/root/./fsmon-ios (which was built for iOS 13.2)
  Expected in: /usr/lib/libSystem.B.dylib
 in /private/var/root/./fsmon-ios
Abort trap: 6

interference-security commented 4 years ago

Fails for fsmon 1.7.0 only. Works for fsmon 1.6.1 and 1.6.

wget https://github.com/nowsecure/fsmon/releases/download/1.6.1/fsmon-ios -O fsmon161
chmod 755 fsmon161
ldid -Sent.xml fsmon161
./fsmon161 --help
Usage: ./fsmon161 [-Jjc] [-a sec] [-b dir] [-B name] [-p pid] [-P proc] [path]
 -a [sec]  stop monitoring after N seconds (alarm)
 -b [dir]  backup files to DIR folder (EXPERIMENTAL)
 -B [name] specify an alternative backend
 -c        follow children of -p PID
 -f        show only filename (no path)
 -h        show this help
 -j        output in JSON format
 -J        output in JSON stream format
 -n        do not use colors
 -L        list all filemonitor backends
 -p [pid]  only show events from this pid
 -P [proc] events only from process name
 -v        show version
 [path]    only get events from this path

evandrix commented 4 years ago

reporting that v1.7.0 works for me on iPhone 7 Plus,

after make ios on macOS v10.15.4, Xcode 11.4.1 Build version 11E503a

then

ldid -e $(which bash) >entitlement.xml
ldid -Sentitlement.xml fsmon