frida.InvalidOperationError: script has been destroyed

[owiofwm2i]

in frizzer/fuzzer.py file FridaFuzzer.load_script crashed on self.frida_script.prepare() it shows

[+] Project: {'fuzzer': {'log_level': 3}, 'target': {'process_name': 'bluetoothd', 'frida_script': 'harness.js', 'remote_frida': True, 'recv_timeout': 0.1, 'fuzz_in_process': True, 'modules': ['/usr/sbin/bluetoothd']}}
[+] Loading script: ./harness.js
Traceback (most recent call last):
  File "../../frizzer/fuzzer.py", line 665, in <module>
    main()
  File "../../frizzer/fuzzer.py", line 647, in main
    if not fuzzer.attach():
  File "../../frizzer/fuzzer.py", line 519, in attach
    self.load_script()
  File "../../frizzer/fuzzer.py", line 150, in load_script
    self.frida_script.prepare()
  File "/Users/freedom/Desktop/MyCodes/toothpicker/venv/lib/python3.8/site-packages/frida/core.py", line 468, in method
    return script._rpc_request('call', js_name, args, **kwargs)
  File "/Users/freedom/Desktop/MyCodes/toothpicker/venv/lib/python3.8/site-packages/frida/core.py", line 26, in wrapper
    return f(*args, **kwargs)
  File "/Users/freedom/Desktop/MyCodes/toothpicker/venv/lib/python3.8/site-packages/frida/core.py", line 400, in _rpc_request
    raise result[2]
frida.InvalidOperationError: script has been destroyed

here is my frida-compile commands

frida-compile ../projects/sample_magicpairing/magic_pairing.js -o ../projects/sample_magicpairing/harness.js

OS version: macos 11.4 with m1 chip frida version:15.1.1 and frida ios also 15.1.1

[jiska2342]

Hi,

which iOS version and iPhone model are you using?

Can you attach to bluetoothd with Frida in general? For example, can you execute frida-trace -U bluetoothd -m '*[CB* *]'?

I haven't tried ToothPicker since a few iOS versions but have a couple of iPhones over here and can have a look. However, the error that you get seems to be rather generic, indicating that something with the Frida setup seems to be wrong. Might be your Frida setup or changes within Frida regarding the v8 engine.

[owiofwm2i]

I haven't tried ToothPicker since a few iOS versions but have a couple of iPhones over here and can have a look. However, the error that you get seems to be rather generic, indicating that something with the Frida setup seems to be wrong. Might be your Frida setup or changes within Frida regarding the v8 engine.

Wow, you're so quick to reply! I've solved it, I'm fuzzing ios14.7 (iphone7), thank you for open source.

[jiska2342]

There are currently no symbols for iOS 14.7 (see symbols.js). I have two iPhones with iOS 14.7 and 14.8 over here and can diff later this week. You can also try diffing on your own with the existing symbols if you don't want to wait.

I think your issue originates from symbols set to another version. The fuzzing target function is likely set (but to a wrong version) when the prepare() function is called. However, since you are running a different iOS version, you might try to attach to something that is not a function or even invalid memory.

[owiofwm2i]

I think your issue originates from symbols set to another version. The fuzzing target function is likely set (but to a wrong version) when the prepare() function is called. However, since you are running a different iOS version, you might try to attach to something that is not a function or even invalid memory.

i find symbol address by using bindiff in IDA, but still 3 symbols not found hci_handle_exists,btstack_free and is_internal_build ,I don't know if the lack of these 3 functions has any effect ，I just ran it first, I haven't read the code in detail.I hope to learn binary-only fuzz well through this code, do you have any other recommended reading material?

[jiska2342]

Hi @n0thing2speak,

took me a bit longer to find some time for diffing and testing, but I just pushed symbols for iOS 14.4, 14.7, and 14.8, which I tested on iPhone 7/8. I might still be on a slightly outdated Frida version on some of these devices, but it worked.

I used BinDiff+IDA against my iOS 13.6 symbols of an iPhone 8, and added some comments to symbols.js, because there were three false positives, and one function wasn't detected at all.

You can now change the symbol setting here and start fuzzing:

https://github.com/seemoo-lab/toothpicker/blob/master/harness/bluetoothd.js#L6

Please let me know if you still get some errors or not. At least it works on my machine :)

[n3000]

I have the same error, but i pull /usr/sbin/bluetoothd from iphone without symbols, can you share the way to find the symbols? my iphone version: iPhone SE with IOS14.4

[jiska2342]

You need to apply the symbols of one version in this repo to an IDA/Ghidra/... database for that version and then use BinDiff, Ghidra versioning, etc. to the target version. For some functions, this can produce false positive matches, so you also have to check strings in those functions manually if the match confidence is below 90%. It's definitely some manual work, but there's no way around creating a proper database of the bluetoothd version you're fuzzing, since you also need to verify crashes and their causes later on.

[n3000]

Thanks for your detailed reply！It seems i have to get an IPhone7/8. :)

[jiska2342]

Hi @n3000, an iPhone 7/8 probably won't get you any closer to having symbols, because you can't downgrade iOS and only upgrade it to currently signed versions. It's very likely that the iPhone 7/8 you buy is on the wrong version and you need to diff again.

[n3000]

Thanks for reminding, i will pay attention to the IOS version.