Closed fenfenS closed 5 months ago
1: Are you running lldb on iOS? (or other platforms)
2: Which debugserver are you using?
3: Does this problem only occur when debugging a specific process?
Status: install ok installed
Priority: optional
Section: Development
Installed-Size: 8
Maintainer: RootHide <RootHideDev@twitter>
Architecture: iphoneos-arm64e
Version: 14.0.0~5.7.2~RELEASE
Depends: roothide (>= 0.0.6), lldb-14 (= 14.0.0~5.7.2~RELEASE)
Description: Next generation, high-performance debugger
Homepage: https://www.llvm.org/
After adding the
<key>get-task-allow</key>
<true/>
entitlement to the binary file, lldb works correctly with it.
btw, debugserver works fine on iOS 12.1.2 w/ Unc0ver JB; didn't try chimera.
On Unc0ver you need to enable "allow task" from its options before jailbreaking.
On chimera, if I remember correctly, jailbreakd is used to grant "task for pid" to processes,
so something like "./path/to/jailbreakd binary-name" might work.
After some searching, I found a similar error on iosgods. I wonder if we need a kernel patch to make it work the same as on other JBs.
Adding the
<key>run-unsigned-code</key>
<true/>
entitlement also works. It's not a bug in lldb or roothide. lldb needs to modify the .text segment to set a breakpoint; in other words, the app needs JIT privilege, which requires "run-unsigned-code" or "get-task-allow". Despite that, is there another way to make it work without re-signing or a kernel patch?
Bootstrap will automatically add the get-task-allow entitlement to the binary when installing the package (deb), but it will not be automatically added to the binaries in /basebin.
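A practical follow-up to the comments above is checking which binaries already carry get-task-allow or run-unsigned-code before deciding whether to re-sign. The following is an added example, not code from this issue or from the RootHide project: it parses a thin 64-bit Mach-O, follows LC_CODE_SIGNATURE to the embedded signature SuperBlob, and reads the XML entitlements slot. The layout constants (MH_MAGIC_64, LC_CODE_SIGNATURE, the 0xfade0cc0 / 0xfade7171 blob magics and CSSLOT_ENTITLEMENTS = 5) are the public Mach-O and code-signing definitions; build_sample_macho() fabricates a minimal Mach-O carrying only a code-signature command and an entitlements blob so the checker can be exercised offline, and fat (multi-arch) binaries and DER entitlements are deliberately out of scope.

```python
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF            # thin 64-bit Mach-O, stored little-endian
LC_CODE_SIGNATURE = 0x1D            # load command pointing at the embedded signature
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic (big-endian blob format)
CSMAGIC_ENTITLEMENTS = 0xFADE7171        # XML entitlements blob magic
CSSLOT_ENTITLEMENTS = 5                  # index slot holding the entitlements blob

# The two entitlements discussed in the thread that let lldb patch .text for breakpoints.
DEBUG_ENTITLEMENTS = ("get-task-allow", "run-unsigned-code")


def find_code_signature(macho: bytes):
    """Return (dataoff, datasize) of LC_CODE_SIGNATURE in a thin 64-bit Mach-O, or None."""
    if len(macho) < 32:
        return None
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        return None
    off, end = 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            break
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmdsize < 8:  # malformed load command; stop rather than loop forever
            break
        if cmd == LC_CODE_SIGNATURE:
            return struct.unpack_from("<2I", macho, off + 8)  # dataoff, datasize
        off += cmdsize
    return None


def extract_entitlements(macho: bytes) -> dict:
    """Walk the signature SuperBlob and return the XML entitlements as a dict ({} if absent)."""
    loc = find_code_signature(macho)
    if loc is None:
        return {}
    base, size = loc
    blob = macho[base:base + size]
    if len(blob) < 12:
        return {}
    magic, length, count = struct.unpack_from(">3I", blob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(blob):
        return {}
    for i in range(count):
        entry = 12 + 8 * i
        if entry + 8 > length:
            break
        slot, off = struct.unpack_from(">2I", blob, entry)
        if slot != CSSLOT_ENTITLEMENTS or off + 8 > length:
            continue
        emagic, elen = struct.unpack_from(">2I", blob, off)
        if emagic != CSMAGIC_ENTITLEMENTS or off + elen > length:
            continue
        try:
            return plistlib.loads(blob[off + 8:off + elen])
        except Exception:  # truncated or non-plist payload: treat as no entitlements
            return {}
    return {}


def debuggable(macho: bytes) -> dict:
    """Report which of the debug-enabling entitlements the binary actually carries."""
    ents = extract_entitlements(macho)
    return {name: bool(ents.get(name)) for name in DEBUG_ENTITLEMENTS}


def build_sample_macho(entitlements: dict) -> bytes:
    """Constructed test input: a minimal arm64e Mach-O whose only load command is
    LC_CODE_SIGNATURE, pointing at a SuperBlob whose sole slot is an XML entitlements blob."""
    plist = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    ent_blob = struct.pack(">2I", CSMAGIC_ENTITLEMENTS, 8 + len(plist)) + plist
    superblob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 20 + len(ent_blob), 1)
    superblob += struct.pack(">2I", CSSLOT_ENTITLEMENTS, 20)  # blob starts right after the index
    superblob += ent_blob
    sig_off = 32 + 16  # header + one 16-byte linkedit_data_command
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, sig_off, len(superblob))
    # cputype CPU_TYPE_ARM64, cpusubtype arm64e (ptrauth ABI flag set), filetype MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0x80000002, 2, 1, 16, 0, 0)
    return header + lc + superblob


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_macho({"get-task-allow": True})
    print(debuggable(data))
```

Run it as `python3 check_ents.py /path/to/binary`; without an argument it checks the constructed sample. On a real device the same information can be obtained with `ldid -e` or `codesign -d --entitlements`; the value of doing it in a script is being able to sweep a directory such as /basebin and list exactly which binaries still lack the entitlement.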
In the case where there is only a signature vulnerability, re-signing the binary is our only option. Otherwise we would need a complete jailbreak (krw and pac/ppl bypass) to achieve this.
iPadOS 16.3 with BootStrap.tipa,
and it keeps getting an EXC_BAD_ACCESS signal while debugging.