Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Temp workaround found]Clutch does not work on iOS 12 with unc0ver #233

Open
esterTion opened this issue Mar 16, 2019 · 14 comments

Comments

@esterTion
Copy link

commented Mar 16, 2019

Previously reported in #228 , opening a new issue for some infos gathered.

Same binary built from a6f6aee, signed using
ldid -Sclutch-ent.xml -K/usr/share/jailbreak/signcert.p12 Clutch-2.0.4-Debug
which clutch-ent.xml is Clutch.entitlements, and signcert.p12 is from unc0ver [Signing Certificate] package

iOS 9.3.2 iPhone SE (working)
root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525
Preparing to dump <Tydlig>
Path: /var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525/Tydlig.app/Tydlig
ClutchPrint.m : 77 | Finding compatible dumper for binary <Tydlig> with arch cputype: 16777228
ClutchPrint.m : 77 | Segment cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Found compatible dumper <ARM64Dumper: 0x127cda9e0> for binary <Tydlig> with arch arm64
ClutchPrint.m : 77 | 64bit dumping: arch arm64 offset 0
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 950272 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 1255936 | datasize 26048
ClutchPrint.m : 77 | found all required load commands for <Tydlig> arm64
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 61229 /var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525/Tydlig.app/Tydlig
ClutchPrint.m : 77 | 0 1255936 872415232
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
ClutchPrint.m : 77 | Codesign Pages 307
ClutchPrint.m : 77 | Found main binary mach-o image @ 0x100070000!
ASLR slide: 0x100070000
ClutchPrint.m : 77 | checksum size 6140
Dumping <Tydlig> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ClutchPrint.m : 77 | Done writing checksum
ClutchPrint.m : 77 | done dumping
ClutchPrint.m : 77 | Sucessfully dumped arm64 segment of <Tydlig>
Finished dumping se.aksys.tydlig to /var/tmp/clutch/F7B2109A-D729-4841-945A-05609DC246F5
Finished dumping se.aksys.tydlig in 0.8 seconds
iOS 12.1.2 iPhone 8 (not working)
root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4
Preparing to dump <Tydlig>
Path: /var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4/Tydlig.app/Tydlig
ClutchPrint.m : 77 | Finding compatible dumper for binary <Tydlig> with arch cputype: 16777228
ClutchPrint.m : 77 | Segment cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Found compatible dumper <ARM64Dumper: 0x10852f190> for binary <Tydlig> with arch arm64
ClutchPrint.m : 77 | 64bit dumping: arch arm64 offset 0
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 950272 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 1255936 | datasize 42352
ClutchPrint.m : 77 | found all required load commands for <Tydlig> arm64
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 15530 /var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4/Tydlig.app/Tydlig
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <Tydlig> with arch arm64

2019-03-16 23:54:37.729 Clutch-2.0.4-Debug[15527:211844] failed operation :(
2019-03-16 23:54:37.729 Clutch-2.0.4-Debug[15527:211844] application <NSOperationQueue: 0x107ecc000>{name = 'NSOperationQueue 0x107ecc000'}
ClutchPrint.m : 77 | operation hash 4435572032
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump <Tydlig>

2019-03-16 23:54:37.730 Clutch-2.0.4-Debug[15527:211844] failed operation :(
2019-03-16 23:54:37.730 Clutch-2.0.4-Debug[15527:211844] application <NSOperationQueue: 0x107ecc000>{name = 'NSOperationQueue 0x107ecc000'}
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump se.aksys.tydlig :(

The problem seems to be at task_for_pid, pwn20wndstuff/Undecimus#728 seems has addressed this issue with swigger/debugserver-ios


Update:
Clearly I didn't thought of reading syslog before, there's this kernel complaint:

Mar 17 14:02:45 esterTion kernel(Sandbox)[0] <Error>: Sandbox: hook..execve() killing <unsigned>[pid=714, uid=0]: only launchd is allowed to spawn untrusted binaries

I guess it's officially an unc0ver issue now

@esterTion

This comment has been minimized.

Copy link
Author

commented Mar 17, 2019

Temporary workaround

After found it's sandbox issue, I messed around with it, and now it correctly dumps app.
Problem: This workaround requires resigning binary, which will lost original developer group info, and make it both generate new container for app preferences, and also no able to share data within original app-group. (e.g. Google shares account info across apps)

Therefore, this dump method might not be good for crack ipa generating, but is good enough for reverse engineer researching.

  1. Find the app you want to dump, extract its original entitlements using ldid -e Binary >app-ent.xml. Also keep a copy of original binary if you want to restore later to avoid preferences lost.
  2. add new entitlements below to the file
new entitlements
		<key>platform-application</key>
		<true/>
		<key>get-task-allow</key>
		<true/>
		<key>run-unsigned-code</key>
		<true/>
		<key>com.apple.private.skip-library-validation</key>
		<true/>
		<key>com.apple.private.security.no-container</key>
		<true/>
  1. Run clutch on original untouched binary, which should fail by Could not obtain mach port (This step is important, or newly signed binary won't spawn with error AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022 )
  2. Resign binary with ldid -Sapp-ent.xml Binary
  3. Run Clutch -b com.bundle.id, now clutch can spawn and decrypt the binary

Still, I think this is a unc0ver issue, not fully patching kernel (Probably won't happen in KPPless)

Example shell script
cd /User/Documents/App-link/App/$id
app=(*.app)
binary=${app%.app}
echo "Resigning [$binary]"

cd "$app"
cp -p "$binary" "${binary}_backup"

## prevent dumping plugins and frameworks
if [[ -e PlugIns ]]; then
	hasplugin=1
	mv PlugIns PlugIns-
fi
if [[ -e Frameworks ]]; then
	hasfmwk=1
	mv Frameworks Frameworks-
fi

ent_tmp=$(mktemp)
ldid -e "$binary" >$ent_tmp
plutil -key platform-application -true $ent_tmp >/dev/null
plutil -key get-task-allow -true $ent_tmp >/dev/null
plutil -key run-unsigned-code -true $ent_tmp >/dev/null
plutil -key com.apple.private.skip-library-validation -true $ent_tmp >/dev/null
plutil -key com.apple.private.security.no-container -true $ent_tmp >/dev/null
#cat $ent_tmp

echo "Dumping original to fail"
Clutch-2.0.4-Debug -b $id

ldid -S$ent_tmp "$binary"

echo "Dumping again"
Clutch-2.0.4-Debug -b $id

rm -f $ent_tmp
mv -f "${binary}_backup" "$binary"

if [[ $hasplugin != "" ]]; then
	mv PlugIns- PlugIns
fi
if [[ $hasfmwk != "" ]]; then
	mv Frameworks- Frameworks
fi
esterTion:~ root# clutch-dump jp.co.cygames.princessconnectredive
Resigning [princessconnectredive]
Dumping original to fail
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <princessconnectredive> with arch arm64

2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] failed operation :(
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] application <NSOperationQueue: 0x105cf2b80>{name = 'NSOperationQueue 0x105cf2b80'}
Error: Failed to dump <princessconnectredive>

2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] failed operation :(
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] application <NSOperationQueue: 0x105cf2b80>{name = 'NSOperationQueue 0x105cf2b80'}
Error: Failed to dump jp.co.cygames.princessconnectredive :(

Dumping again
ASLR slide: 0x100cd8000
Dumping <princessconnectredive> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Finished dumping jp.co.cygames.princessconnectredive to /var/tmp/clutch/CA4FA568-0970-441B-8F07-BC9DFFD1766C
Finished dumping jp.co.cygames.princessconnectredive in 21.8 seconds

@esterTion esterTion changed the title Clutch does not work on iOS 12 with unc0ver [Temp workaround found]Clutch does not work on iOS 12 with unc0ver Mar 17, 2019

@holyswordman

This comment has been minimized.

Copy link

commented Mar 31, 2019

我認為自從iOS 11.1 開始已封了Clutch的運作方法, 可能Clutch要重新設計.
即使能通過簽名執行也不能解密App, 不能正常運作, 不關uncover的事.

@esterTion

This comment has been minimized.

Copy link
Author

commented Apr 1, 2019

@holyswordma
注意步骤3,必须要先对原始进行一次dump,不然会导致FairPlay报错。
原理我也不清楚,大概是解密缓存吧

这个是内核限制的问题,本来越狱就是尽可能解除限制

@Halo-Michael

This comment has been minimized.

Copy link

commented Jun 18, 2019

Temporary workaround

After found it's sandbox issue, I messed around with it, and now it correctly dumps app.
Problem: This workaround requires resigning binary, which will lost original developer group info, and make it both generate new container for app preferences, and also no able to share data within original app-group. (e.g. Google shares account info across apps)

Therefore, this dump method might not be good for crack ipa generating, but is good enough for reverse engineer researching.

  1. Find the app you want to dump, extract its original entitlements using ldid -e Binary >app-ent.xml. Also keep a copy of original binary if you want to restore later to avoid preferences lost.
  2. add new entitlements below to the file

new entitlements

  1. Run clutch on original untouched binary, which should fail by Could not obtain mach port (This step is important, or newly signed binary won't spawn with error AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022 )
  2. Resign binary with ldid -Sapp-ent.xml Binary
  3. Run Clutch -b com.bundle.id, now clutch can spawn and decrypt the binary

Still, I think this is a unc0ver issue, not fully patching kernel (Probably won't happen in KPPless)

Example shell script

Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature dumped binary after spawn and decrypt the binary?

@esterTion

This comment has been minimized.

Copy link
Author

commented Jun 18, 2019

Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature dumped binary after spawn and decrypt the binary?

It's not about entitlements, app group is determined by signing private key, which only developer has.
Once you resigned the binary, it can never turn back to original signature.
In fact, Clutch only update the CDHash part, but ldid will overwrite entire signature

@Halo-Michael

This comment has been minimized.

Copy link

commented Jun 18, 2019

Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature dumped binary after spawn and decrypt the binary?

It's not about entitlements, app group is determined by signing private key, which only developer has.
Once you resigned the binary, it can never turn back to original signature.
In fact, Clutch only update the CDHash part, but ldid will overwrite entire signature

Thanks for Notes

@jeffli678

This comment has been minimized.

Copy link

commented Aug 17, 2019

@esterTion I tried your workaround very hard and it unfortunately doesn't work. The related error message is still the mach port. I am on iOS 12.1.2 with unc0ver 3.3.8

@esterTion

This comment has been minimized.

Copy link
Author

commented Aug 17, 2019

Did you dumped the original binary first?
It need to be attempted on original, or decryption will fail.

Sadly I’ve been in jail for months now, so can’t test anything.

@jeffli678

This comment has been minimized.

Copy link

commented Aug 17, 2019

I did. Not sure what went wrong.

@esterTion

This comment has been minimized.

Copy link
Author

commented Aug 17, 2019

You can connect your phone to pc and use idevicesyslog from libimobiledevice to grab syslog, and see what’s the error
If you have Mac you can use Apple Configurator 2 app

@jeffli678

This comment has been minimized.

Copy link

commented Aug 18, 2019

Thanks for your advice. I will give it a try when I have free time.

@esterTion

This comment has been minimized.

Copy link
Author

commented Aug 20, 2019

@jeffli678
So hi,
Thanks to Apple bringing back the old exploit, now I'm free on 12.4.
And I've tested again, it is clearly working for me.

console logs
esterTion:/User/Documents/App-link/App/jp.co.bandainamcoent.BNEI0242 root# clutch-dump jp.co.bandainamcoent.BNEI0242
Resigning [BNEI0242]
Dumping original to fail
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <BNEI0242> with arch arm64

2019-08-20 11:29:26.758 Clutch-2.0.4-Debug[8973:191992] failed operation :(
2019-08-20 11:29:26.759 Clutch-2.0.4-Debug[8973:191992] application <NSOperationQueue: 0x1015abd50>{name = 'NSOperationQueue 0x1015abd50'}
Error: Failed to dump <BNEI0242>

2019-08-20 11:29:26.759 Clutch-2.0.4-Debug[8973:191992] failed operation :(
2019-08-20 11:29:26.760 Clutch-2.0.4-Debug[8973:191992] application <NSOperationQueue: 0x1015abd50>{name = 'NSOperationQueue 0x1015abd50'}
Error: Failed to dump jp.co.bandainamcoent.BNEI0242 :(

Dumping again
ASLR slide: 0x104150000
Dumping <BNEI0242> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Finished dumping jp.co.bandainamcoent.BNEI0242 to /var/tmp/clutch/23D1BCAE-6922-4B01-9BE8-78B6A0CF94EE
Finished dumping jp.co.bandainamcoent.BNEI0242 in 34.3 seconds

So i'm not sure which part did you do wrong
If you are straight grabbing that script, then there are some missing pieces before you can use
e.g. $id is not defined, also /User/Documents/App-link/App/$id is a link directory to the actual app container

@jeffli678

This comment has been minimized.

Copy link

commented Aug 20, 2019

Ironically, I also tried the latest jailbreak on another phone running 12.4. The jailbreak was successful, but I cannot get Cydia to work, it says no Internet connection.

That said, I somehow believe I previously followed your steps closely. I will try again and post logs later.

Discloser: I am reletively new to iOS reverse engineering.

@esterTion

This comment has been minimized.

Copy link
Author

commented Aug 20, 2019

I cannot get Cydia to work, it says no Internet connection.

Delete /var/preferences/com.apple.networkextension.plist, reboot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants
You can’t perform that action at this time.