iOS 14 seems to SIGKILL the ptrace trick

[saagarjha]

Describe the bug Just tried it out in a sample app and got a SIGKILL due to codesigning. I can confirm that CS_DEBUGGED is no longer being set for the process if you try to ptrace yourself.

To Reproduce Steps to reproduce the behavior:

1. ptrace yourself.
2. Allocate a writable page and put shellcode in it.
3. Mark the page R-X.
4. Run it.

let ptrace = unsafeBitCast(dlsym(dlopen(nil, RTLD_LAZY), "ptrace"), to: (@convention(c) (CInt, pid_t, caddr_t?, CInt) -> CInt).self)
print(ptrace(0, 0, nil, 0))

let page = mmap(nil, 0x1000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0)
memcpy(page, [
    // mov x0, 1
    0x20,
    0x00,
    0x80,
    0xd2,

    // ret
    0xc0,
    0x03,
    0x5f,
    0xd6,
] as [UInt8], 8)
mprotect(page, 0x1000, PROT_READ | PROT_EXEC)
guard unsafeBitCast(page, to: (@convention(c) () -> Int).self)() == 1 else {
    preconditionFailure("wrong return")
}

Crash log

GetTaskAllowTest 6-24-20, 11-18.log

[ghost]

I updated my iPhone XR to iOS 14.2 beta 2 and UTM (1.0) is suddenly working without jailbreak or being connected to debugserver. It's signed with a paid dev cert (iOS Development). Does not work on 14.0.1.

[iamrecursion]

I can reproduce this. UTM 1.0 signed with a dev certificate is now launching fine and I can launch a VM. 14.2b2.

[ghost]

@iamrecursion Was this on an A12/A13 device? Because I had two other people test it and so far it seems like JIT in iOS 14.2 may only work on arm64e.

(Coincidentally, they also seem to have broken AltStore on arm64e in this beta – it crashes with KERN_PROTECTION_FAILURE and so do any apps sideloaded with it, but other sideloading methods are still working fine.)

[iamrecursion]

It was on an A13 device, yes.

[brunocastello]

I would test 14.2b2 with my A10 2nd gen iPad Pro, but I would lose the ability to downgrade to 13.6.1, where I have UTM 2.0 working great, albeit with the old UI.

So apparently Apple has changed something in newest betas? I need to read their release notes.

[ghost]

@brunocastello Is it a cellular or Wi-Fi iPad? If it's a Wi-Fi model you can futurerestore to 13.4 or higher with blobs, but on cellular models it's not possible because of incompatible baseband.

[OatmealDome]

This must be a regression...? I don't think something like this would last to the GM if Apple notices.

[saagarjha]

Would be very curious to know if the profile was loosened to allow ptrace or there is something else going on. Can someone try the sample at the top of this issue and see how it fares?

[ghost]

I sideloaded with my dev cert on 14.0.1 and it crashed when launching the VM, but upon updating to 14.2b2 it started working with the same signed IPA.

This may be more complicated than I thought, XS users are reporting different behavior (AltStore working and UTM not working), so this may be limited to XR and 11 only. Wouldn't be too surprised since they had to pull 14.2 beta 1 for those devices for some reason.

[Spidy123222]

I sideloaded with my dev cert on 14.0.1 and it crashed when launching the VM, but upon updating to 14.2b2 it started working with the same signed IPA.

This may be more complicated than I thought, XS users are reporting different behavior (AltStore working and UTM not working), so this may be limited to XR and 11 only. Wouldn't be too surprised since they had to pull 14.2 beta 1 for those devices for some reason.

That's actually interesting. I would test it but I don't want to lose dios 3.0.0 njb. I have a friend that will test on their devices also when they get time. I'll share what they say when they get to it.

[brunocastello]

I might be able to convince my dad to install iOS 14.2b2 and install UTM 1.0 or 2.0 to try it out. He tested one of the iOS 14.0 betas last month so hes not that scared. The only problem is that it is a first gen 2015 iPad Pro, so it’s A9X. Mine is 2nd gen 2017, A10X.

[maciekish]

I tried installing UTM on my iOS 14.2b2 iPad but just shows a white screen and crashes. I was under the impression that it works on iOS 14.2b2? It launched correctly before the upgrade from iOS 14, but wouldn't run any VMs, after the upgrade it doesn't even open. I tried reinstalling it after the upgrade to 14.2b2.

[ghost]

Maybe read more than just one comment, someone said it's not working on XS either, so as I said this is sounding more and more like a bug specific to XR and 11.

[obbcth]

Working on iPad Air 3 (A12 Chip) on 14.2b2 with UTM v2.0b5.

[kkebo]

Still works on iPadOS 14.2 Developer Beta 3.

[brunocastello]

Still works on iPadOS 14.2 Developer Beta 3.

Wait, iPadOS 14.2b3 unjailbroken? Really? If true I'll need to try it out with 14.2 GM when they release it.

[kkebo]

@brunocastello Really. My iPad is not jailbroken.

[saagarjha]

ptrace was patched from day one, see the original comment on this thread. Still unsure what's going on with these developer betas, as I don't have a A12+ device to test with.

[brunocastello]

@kkk669

@brunocastello Really. My iPad is not jailbroken.

Which iPad it is?

[kkebo]

@brunocastello

I write further information. Besides, I also reproduced on my iPhone XS running iOS 14.2 DB 3.

Software Environment:

• iPadOS 14.2 Developer Beta 3 (18B5072f) or iOS 14.2 Developer Beta 3 (18B5072f)
• UTM v2.0b5

Hardware Environment:

• iPad Pro (11-inch) (2nd generation) (MXE42J/A) or iPhone XS (MTE02J/A)

Requirements:

• Xcode 12.2 Beta 3 and Mac
• Apple Developer Program
• iOS App Signer 1.13.1

Steps to reproduce:

1. [Mac] Download UTM v2.0b5 ipa file from here
2. [Mac] Open iOS App Signer
3. [Mac] Select the ipa file you downloaded in the first step as an input file
4. [Mac] Select "Apple Development: *** (***)" for "Signing Certificate" (*** is my name and identifier)
5. [Mac] Select "iOS Team Provisioning Profile: * (***)" for "Provisioning Profile" (*** is my identifier)
6. [Mac] Click "Start" button to save a resigned ipa file as another filename e.g. UTM-resigned.ipa
7. [Mac] Open Xcode-beta
8. Plug your device into your Mac
9. [iPad/iPhone] If your device is not prepared for development, iOS ask if you trust this computer, so tap "Trust" button.
10. [Mac] Open "Devices and Simulators" from Xcode's "Window" menu
11. [Mac] Select your device on the sidebar
12. [Mac] Click "+" button on the bottom of the "INSTALLED APPS" section
13. [Mac] Select the file you created in the step 6
14. [iPad/iPhone] Open and play with UTM

See this video.

[ghost]

One more thing, if you sideload UTM with AltStore it seems to not work, so make sure to use another method to try even if AltStore works for you.

[kkebo]

@IIWare No. UTM is able to run even if the Mac is shutdown.

[Spidy123222]

@IIWare No. UTM is able to run even if the Mac is shutdown.

I'm not sure if this a permanent thing they are implementing so don't get hopes up all the way. Could just be accidental but it can also be a new thing they are implementing without people having to set a hacky/buggy debugger. We just don't know, if you know any more info let us know in UTm discord or if you have some info do it here to keep this issue thread clean.

[obbcth]

Still works on DB4 without debugger.

[Taek-2]

Since the IPA file is over 200MB, Altstore crashes. Altstore beta 1.4.1 now supports DB2~,and I could install apps with it. But it still can’t install UTM2.0. (UTM 1.0 can be installed, but VM just doesn’t work.)

[Spidy123222]

We seem to have confirmation imo that Xcode 12.2 beta 3 includes on device debugging. https://developer.apple.com/documentation/xcode-release-notes/xcode-12_2-beta-release-notes

[saagarjha]

This isn't anything new.

https://developer.apple.com/documentation/xcode-release-notes/xcode-12_2-beta-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-12_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-12_0_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-12-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_7-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_6-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_5-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_4_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_4-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_3_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_3-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_2_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_2-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_3-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_2_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_2-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10-release-notes

[Spidy123222]

This isn't anything new.

https://developer.apple.com/documentation/xcode-release-notes/xcode-12_2-beta-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-12_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-12_0_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-12-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_7-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_6-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_5-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_4_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_4-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_3_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_3-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_2_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_2-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-11-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_3-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_2_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_2-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10_1-release-notes https://developer.apple.com/documentation/xcode-release-notes/xcode-10-release-notes

Darn I legit thought it was new. I do wonder why they would say that when they can't? If they were meaning remote debugging then they would of said that I would think.

I saw it in this thinking it was new welp back to researching. https://www.macrumors.com/2020/09/17/ios-14-2-beta-coming-soon/

[Taek-2]

Rickpactor works fine. But it requires an appleid without two-factor security.

[osy]

iOS 14.2 GM with iPhone 12 Pro and UTM v2.0 beta 6 working without Xcode tether. Tested with paid dev certificate signed by Xcode.

[brunocastello]

So I can now upgrade my iPad Pro “12.9 2017 (2nd gen) to iOS 14.2 and run UTM 2.0?

[osy]

Don’t know, wait for other people to test other configs first. I think Altstore doesn’t work yet.

[brunocastello]

Ok, I will wait. I have a dev account, I can install the ipa re-signing with my certificate.

[osy]

More people reported back and it seems like paid certs work for any device. Free certs work for no device.

[brunocastello]

I will hold back for a bit more. My dad has a 1st gen iPad Pro so I will ask him to try there first.

[osy]

Path to closure: there is a new way to get bulletproof JIT working on iOS 14.2 (doesn't work on anything lower) that does not depend on ptrace() hack.

Thanks to people above for discovering it but after extensive testing it seems like the key is a codedirectory signature version 0x20400 and the Executable Segment flags set to 0x11. This along with the get-task-allow entitlement disables the CS checks.

Using iOS App Signer or Xcode directly works. AltStore requires additional changes:

https://github.com/rileytestut/ldid/pull/3 https://github.com/rileytestut/AltSign/pull/15 https://github.com/rileytestut/AltStore/pull/415

(last two are unrelated to this issue but prevents UTM from starting up)

[iamrecursion]

@osy86, does this mean you need to release a new build, or is this something that will work with the latest prerelease?

[osy]

I will release a new build with other fixes but if you patch altstore it should work with the latest prerelease.

[iamrecursion]

I'm self-signing with a paid dev certificate, so I'll hold out for the next build!

[ghost]

Any idea on how to apply the apporiate patches to zsign like AltStore to get it to work? Currently when opening a VM in UTM it does not crash but hangs on a black screen. Signing via appdb works fine.

[osy]

Look at the changes for https://github.com/rileytestut/ldid/pull/3 and make similar changes for zsign.