Frida not working on latest Unc0ver 6.0.0 jailbreak with my A12 device.

[gilshahar7]

I just jailbroke my A12 iPad on iOS 14.3 with the latest Unc0ver 6.0.0 release and i am getting the same error that people got when unc0ver 5.0.0 was released:

"Failed to spawn: this feature requires an iOS Developer Disk Image to be mounted; run Xcode briefly or use ideviceimagemounter to mount one manually"

Will this need a new update on Frida's part?

[JeffResc]

I am facing a similar issue, it looks like frida-server does not start on the device. When running the frida-server command, it returns /usr/sbin/frida-server: Bad CPU type in executable. This is on my iPhone 11 Pro Max running iOS 14.3 and Unc0ver 6.0.0. This is for the "Frida for A12+ devices" package.

[brandonkovacs]

I just jailbroke my A12 iPad on iOS 14.3 with the latest Unc0ver 6.0.0 release and i am getting the same error that people got when unc0ver 5.0.0 was released:

"Failed to spawn: this feature requires an iOS Developer Disk Image to be mounted; run Xcode briefly or use ideviceimagemounter to mount one manually"

Will this need a new update on Frida's part?

I am experiencing the same issue as you. Running iOS 14.0 on an iPhone XS.

[i0sa]

Same

[oleavr]

The issue is that our existing A12+ binaries target the old arm64e ABI, whereas iOS 14 uses the new ABI. If this is the only issue, you should be able to work around it by building frida-server yourself using the latest stable Xcode 12 release. (Xcode 11 will generate arm64e binaries targeting the old ABI.) Please let me know how this goes! (Wish I had a jailbreakable A12+ device.)

[Manouchehri]

Yep, I can confirm what @oleavr said is correct. I built frida-server on one of my M1 Macs, and seems to work in my brief test!

git clone --recurse-submodules https://github.com/frida/frida.git
cd frida
IOS_CERTID="Apple Development: asdf@icloud.com (asdf)" make gum-ios core-ios gadget-ios
scp ./build/frida-ios-arm64e/bin/frida-server root@172.1.2.3:/tmp/
ssh root@172.1.2.3
cd /tmp/
./frida-server -D 

[JeffResc]

@AlanScott — This error is because you are using @Manouchehri's signing certificate still. Just swap the value in IOS_CERTID for your own certificate that is on your machine. For Frida's documentation note on this, see here.

[Manouchehri]

@AlanScott Use at your own risk, but here's a signed frida-server arm64e binary.

frida-server.gz

[ImBatou]

I have the same problem but on windows, is there a workaround while waiting for the update on windows ?

[Manouchehri]

@LeBatou Erm, are you running frida-server on iOS or Windows? If it's the latter, that's completely unrelated. If it's the former, you can either follow #1647 (comment), or use my prebuilt binary from #1647 (comment).

[ImBatou]

Hey sorry for the late response, yeah frida-server is on my IOS, sorry for the misunderstanding.

This is probably a dumb question, but the prebuilt file isn't a .deb file, is it still possible to install it like a normal tweak ?

UPDATE : Ok I just had to start it with SSH on my iphone, thank you so much for the precompiled version :)

UPDATE 2: Now I'm getting this everytime I do a frida-ps on my windows to the frida-server:

(Screenshot from frida-server)

I don't know if it could be a problem with my version of my iphone :

frida-ps -Uai return absolutely nothing just an "PID Name Identifier line", I don't know if that could be the reason why

[SolorzanoJose]

@Manouchehri When I use your binary, I get this error on a jailbroken iPhone 12 pro max running 14.2.1:

Failed to spawn: unable to launch iOS app: The operation couldn’t be completed. Application info provider (FBSApplicationLibrary) returned nil for "Calculator"

[oleavr]

@Manouchehri When I use your binary, I get this error on a jailbroken iPhone 12 pro max running 14.2.1:

Failed to spawn: unable to launch iOS app: The operation couldn’t be completed. Application info provider (FBSApplicationLibrary) returned nil for "Calculator"

This should be fixed in git (thanks @mrmacete! 🥳) – so if you build frida-server yourself from git it should resolve this issue.

[Manouchehri]

Untested, but here ya go (this is for arm64e).

frida-server.gz

[SolorzanoJose]

@oleavr @Manouchehri Thanks guys, but the problem persists, now the output is even an empty string and not the Display name I pass to it:

unable to launch iOS app: The operation couldn’t be completed. Application info provider (FBSApplicationLibrary) returned nil for ""

[Manouchehri]

@SolorzanoJose Could you paste the command you're running?

e.g.

frida -U --runtime=v8 -n SpringBoard

Also, what version and device are you running?

iphone11:~ root# sw_vers 
ProductName:    iPhone OS
ProductVersion: 14.2
BuildVersion:   18B92
iphone11:~ root# uname -a
Darwin iphone11 20.1.0 Darwin Kernel Version 20.1.0: Fri Oct 30 00:34:17 PDT 2020; root:xnu-7195.42.3~1/RELEASE_ARM64_T8030 iPhone12,1 arm64 N104AP Darwin

[SolorzanoJose]

@Manouchehri I'm a goof, I thought frida-ios-dump was a frida project. Anyways, I'm trying to dump an ipa through frida-ios-dump and bagdak and neither work, seemingly because of the same thing "Can't find an app with that display name", bagbak can't even list the installed apps. Do we know if there's breaking changes in the latest versions turning these tools incompatible? I don't see anything in their github issues.

ProductName:    iPhone OS
ProductVersion: 14.2.1
BuildVersion:   18B121```

[SolorzanoJose]

@Manouchehri I'm not so crazy after all, check this out

% frida-ps -U -a
PID  Name  Identifier

No results

[Manouchehri]

Ah yeah, listing applications seems to be broken.

[Manouchehri]

bagbak requires enumerateApplications() to work.

https://github.com/ChiChou/bagbak/blob/master/lib/device.js#L40-L44

[oleavr]

@Manouchehri Thanks! I just realized I haven't bumped the frida-core submodule since the fix – did you remember to git checkout master && git pull before doing a clean build?

That app-listing issue must be a missing entitlement. Anybody up for a little reversing to figure out which one it is? 😊

[oleavr]

@Manouchehri FWIW to be sure I have the latest code I usually do: git pull && git submodule foreach 'git checkout master && git pull'

[Manouchehri]

I did git pull --recurse-submodules, didn't force each submodule to be updated. After updating all the submodules to HEAD, can't build anymore.

dave@mini frida % make core-ios
. build/frida-meson-env-ios-arm64.rc && /Users/dave/frida/releng/ninja-macos-arm64 -C build/tmp-ios-arm64/frida-core src/frida-helper lib/agent/frida-agent.dylib
ninja: Entering directory `build/tmp-ios-arm64/frida-core'
[1/5] Compiling C object lib/payload/libfrida-payload.a.p/libc-shim.c.o
FAILED: lib/payload/libfrida-payload.a.p/libc-shim.c.o 
/Users/dave/frida/build/frida-ios-arm64-clang -Ilib/payload/libfrida-payload.a.p -Ilib/payload -I../../../frida-core/lib/payload -Ilib/interfaces -I../../../frida-core/lib/interfaces -I/Users/dave/frida/build/sdk-ios-arm64/include -I/Users/dave/frida/build/sdk-ios-arm64/include/glib-2.0 -I/Users/dave/frida/build/sdk-ios-arm64/lib/glib-2.0/include -I/Users/dave/frida/build/sdk-ios-arm64/include/gee-0.8 -I/Users/dave/frida/build/sdk-ios-arm64/include/json-glib-1.0 -I/Users/dave/frida/build/frida-ios-arm64/include/frida-1.0 -I/Users/dave/frida/build/sdk-ios-arm64/include/capstone -I/Users/dave/frida/build/sdk-ios-arm64/include/quickjs -I/Users/dave/frida/build/sdk-ios-arm64/include/v8-8.0 -I/Users/dave/frida/build/sdk-ios-arm64/include/v8-8.0/v8 -I/Users/dave/frida/build/sdk-ios-arm64/include/gio-unix-2.0 -I/Users/dave/frida/build/sdk-ios-arm64/include/libsoup-2.4 -I/Users/dave/frida/build/sdk-ios-arm64/include/libxml2 -I/Users/dave/frida/build/frida-ios-arm64/include -Xclang -fcolor-diagnostics -DNDEBUG -pipe -Wall -Winvalid-pch -std=gnu99 -Os -g -include config.h '-DG_LOG_DOMAIN="Frida"' -miphoneos-version-min=8.0 -include /Users/dave/frida/build/frida-version.h -DG_DISABLE_ASSERT -DG_DISABLE_CHECKS -DG_DISABLE_CAST_CHECKS -MD -MQ lib/payload/libfrida-payload.a.p/libc-shim.c.o -MF lib/payload/libfrida-payload.a.p/libc-shim.c.o.d -o lib/payload/libfrida-payload.a.p/libc-shim.c.o -c ../../../frida-core/lib/payload/libc-shim.c
../../../frida-core/lib/payload/libc-shim.c:459:1: error: conflicting types for 'read'
read (int fildes, const void * buf, size_t nbyte)
^
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS14.4.sdk/usr/include/unistd.h:472:10: note: previous declaration is here
ssize_t  read(int, void *, size_t) __DARWIN_ALIAS_C(read);
         ^
1 error generated.
[2/5] Linking target src/frida-helper
ninja: build stopped: subcommand failed.
make[1]: *** [build/tmp-ios-arm64/frida-core/.frida-helper-and-agent-stamp] Error 1
make: *** [core-ios] Error 2

[SolorzanoJose]

Is there anything I can do to help?

[Manouchehri]

I think I fixed it, one second.

[SolorzanoJose]

Thanks @Manouchehri

[SolorzanoJose]

@Manouchehri Were you able to isolate the issue to being that wrong type?

[Manouchehri]

frida-server.gz
I was able to compile the latest submodules, but same issue still, unless I built it incorrectly by accident somehow.

[SolorzanoJose]

Thanks @Manouchehri I guess we'll have to wait for it to be fixed on master for real, thanks for the help

[SolorzanoJose]

That app-listing issue must be a missing entitlement.

I think this is what we need to figure out, but I'm not sure where to start looking

[Manouchehri]

@oleavr I don't think my commit actually fixes anything except the compiler error.

[SolorzanoJose]

@oleavr why did we close the ticket? :(

[oleavr]

@SolorzanoJose Oops, the PR had the phrase Doesn't seem to fix #xyz, where GitHub picked up fix #xyz and auto-closed this when I merged it.

[oleavr]

@Manouchehri Yeah that was an unfortunate sub-string in the PR's description, which I didn't notice at all 😅

[ImBatou]

frida-server.gz
I was able to compile the latest submodules, but same issue still, unless I built it incorrectly by accident somehow.

Yeah I still have the same problem as @SolorzanoJose with this binary :

% frida-ps -U -a
PID Name Identifier

I'm on IOS 14.3 but that shouldn't make a big difference

[i0sa]

I tried using "Frida for Pre-A12 devices" a long with unc0ver 6.1.1 and it worked for me.

on iPhone 12

[ImBatou]

I tried using "Frida for Pre-A12 devices" a long with unc0ver 6.1.1 and it worked for me.

on iPhone 12

Wow, for some obscure reason, it works, thanks !

[i0sa]

I tried using "Frida for Pre-A12 devices" a long with unc0ver 6.1.1 and it worked for me.

on iPhone 12

Wow, for some obscure reason, it works, thanks !

Glad to know I'm not the only one, anyone has an explanation on how this happened? Especailly that I am actually on iPhone 12?
cc @oleavr

[Manouchehri]

unc0ver 6.1.1 may have been needed to fixed the application listing entitlement issue. That along with @oleavr's secret pre-release .deb worked on my iPhone 11.

iphone11:~ root# sw_vers 
ProductName:    iPhone OS
ProductVersion: 14.2
BuildVersion:   18B92
iphone11:~ root# uname -a
Darwin iphone11 20.1.0 Darwin Kernel Version 20.1.0: Fri Oct 30 00:34:17 PDT 2020; root:xnu-7195.42.3~1/RELEASE_ARM64_T8030 iPhone12,1 arm64 N104AP Darwin

I can confirm bagbak now works.

[oleavr]

Fixed in Frida 14.2.14, released last night. Note that there is now only one single Frida package, so make sure you uninstall the one you have if it's not the main one. Cheers!