osy / Jitterbug

Launch JIT enabled iOS app with a second iOS device
Apache License 2.0

Launch app with JIT on same device #5

Closed ViRb3 closed 3 years ago

ViRb3 commented 3 years ago

Hello. Looking at the code, it seems to me that it should be possible to launch an app with JIT on the same device instead of having a secondary device. libimobiledevice supports detached debug mode which doesn't need a daemon to be tethered to the JIT app. Is there a technical limitation that I'm missing? Thanks

jankais3r commented 3 years ago

iOS rejects debug packets coming from loopback network devices. If you find a way to fake the source network device with an app running locally on the device, this would work.

jakibaki commented 3 years ago

I think using a fake VPN that just redirects outgoing traffic back to the device with a spoofed sender might work.

At the very least people have successfully remote debugged when using an openvpn server (but only when on wifi, not mobile data?).

https://stackoverflow.com/questions/49267354/iphone-remote-debugging-over-vpn-connection

That also seems like a solution Apple can't really ever fully "fix" unless remote debugging working over a VPN is unintended behavior.

ViRb3 commented 3 years ago

Very interesting share @jakibaki! I will test this tonight and report back.

ViRb3 commented 3 years ago

I am really excited to share that this showed really promising results! Creating a simple WireGuard VPN and "reflecting" the traffic back to the phone, I was able to go up to the stage of mounting the developer image. Unfortunately, for some reason that I still don't know, it seems to be very slow, so it eventually times out after a few minutes of trying to mount the image. I will be investigating this in the coming days, but it has huge potential for becoming a revolutionary JIT bypass.

For those interested, here are my iptables rules used to reflect back the traffic:

iptables -t nat -A PREROUTING -d 10.8.0.69/32 -j DNAT --to-destination 10.8.0.101
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

10.8.0.101 = Phone IP address
10.8.0.69 = Imaginary IP address that will simply reflect back the traffic
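To make clear what the two iptables rules above actually do to a packet, here is a small added model of the NAT path (example code, not part of Jitterbug or of this thread). It applies the PREROUTING DNAT and the POSTROUTING MASQUERADE to a constructed connection from the phone to the imaginary address, keeps a minimal connection-tracking entry, and reverses both translations for the reply. The gateway address 10.8.0.1 and the sample ports are assumptions; only 10.8.0.101, 10.8.0.69 and 10.8.0.0/24 come from the comment. The point it demonstrates is the one jankais3r raised: after reflection the phone's listener sees a peer on the tunnel subnet, not a loopback source.

```python
"""Model of the iptables reflection rules from the comment above.

PREROUTING  -d 10.8.0.69/32 -j DNAT --to-destination 10.8.0.101
POSTROUTING -s 10.8.0.0/24  -j MASQUERADE

The first rule rewrites the destination of anything sent to the imaginary
address so it lands on the phone; the second rewrites the source to the
gateway's own tunnel address. Connection tracking records each translation
so that the reply can be mapped back to the original 5-tuple.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ReflectingNat:
    def __init__(self, fake_ip, phone_ip, gateway_ip, vpn_subnet):
        self.fake_ip = ip_address(fake_ip)          # 10.8.0.69 in the comment
        self.phone_ip = ip_address(phone_ip)        # 10.8.0.101 in the comment
        self.gateway_ip = ip_address(gateway_ip)    # assumed tunnel address of the VPN server
        self.vpn_subnet = ip_network(vpn_subnet)    # 10.8.0.0/24 in the comment
        # conntrack: translated 5-tuple -> packet as it originally arrived
        self.conntrack = {}

    def forward(self, pkt):
        """Apply PREROUTING DNAT, then POSTROUTING MASQUERADE, to one packet."""
        original = pkt
        # PREROUTING: traffic for the imaginary address is sent to the phone
        if ip_address(pkt.dst) == self.fake_ip:
            pkt = replace(pkt, dst=str(self.phone_ip))
        # POSTROUTING: anything leaving from the VPN subnet gets the gateway's source
        # (a real MASQUERADE may also pick a new source port on collision; ignored here)
        if ip_address(pkt.src) in self.vpn_subnet:
            pkt = replace(pkt, src=str(self.gateway_ip))
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = original
        return pkt

    def reply(self, pkt):
        """Map a reply from the phone back to the original sender's view."""
        # a reply has src/dst swapped relative to the translated packet
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        original = self.conntrack.get(key)
        if original is None:
            return pkt  # no tracked connection: pass through untouched
        # undo both rewrites: the reply appears to come from the imaginary address
        return Packet(src=original.dst, sport=original.dport,
                      dst=original.src, dport=original.sport)


def source_is_loopback(pkt):
    """True if the phone's listener would see the connection as local."""
    return ip_address(pkt.src).is_loopback


if __name__ == "__main__":
    nat = ReflectingNat("10.8.0.69", "10.8.0.101", "10.8.0.1", "10.8.0.0/24")
    # constructed sample: phone connects to the imaginary address (ports are made up)
    sent = Packet("10.8.0.101", 50000, "10.8.0.69", 62078)
    delivered = nat.forward(sent)
    print("phone sees:", delivered, "loopback:", source_is_loopback(delivered))
    answer = nat.reply(Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport))
    print("client sees reply from:", answer.src)
```

Run it directly to print both directions of the constructed exchange. The delivered packet carries the gateway's tunnel address as its source, which is why the reflection works where a plain loopback connection is refused; the reply is rewritten so the client side still believes it is talking to 10.8.0.69.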

osy commented 3 years ago

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). https://github.com/osy/Jitterbug/commit/d701acf49dc159fc5d5dc19772424a1f19b64f56

ViRb3 commented 3 years ago

@osy you are absolutely on fire, thank you!

jakibaki commented 3 years ago

Thank you! I'm really happy to hear that this works!

iMonZ commented 3 years ago

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf

Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?

iMonZ commented 3 years ago

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf

Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf @osy

And should I sign Jitterbug and Jitterbug tunnel? Because I only have one bundle id with that specific feature

ViRb3 commented 3 years ago

You need to sign both, two bundle ids are required.

iMonZ commented 3 years ago

You need to sign both, two bundle ids are required.

Oh, thanks. Hey, can you help me? I have on my primary device the same bug as in the Delta emulator: when I try to import the support files and press on a file in the file selection window, nothing happens :(

iMonZ commented 3 years ago

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf

Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?

All right, that's sad, but in iOS 15 the apps crash when you launch them.

edit: it worked on iOS 15b1 on my iPhone 12 Pro Max, I love it!!! But the disk image was not recognized properly, and on macOS I get the error: Couldn't mount disk image.