iOS rootless jailbreak package

[XeR]

Hello,

iOS devices with bootrom vulnerable to the checkm8 exploit can be jailbroken up to version 15.7 by using palera1n rootless.
This jailbreak requires applications to be installed in /var/jb/ (which is a symbolic link).

I managed to install Frida by :

• Downloading the iOS .deb file
• Pushing the deb file on the target device
• Running (as root) : dpkg --vextract ./frida*.deb /var/jb ; chmod go+rx /var/jb/
• Modifying the /var/jb/Library/LaunchDaemons/re.frida.server.plist to have the proper references to /var/jb/…
• Running (as root) : launchctl load /var/jb/Library/LaunchDaemons/re.frida.server.plist

I can contact the frida-server deamon with e.g. frida-ps -U, but trying to hook an application results in the following error :

Failed to attach: module not found at "/usr/lib/frida/frida-agent.dylib"

Which happens because the frida-agent.dylib file is in the /var/jb/ directory too.

Can you provide a Frida version for "rootless" jailbreaks on the iOS repo ?
According to the palera1n documentation, the architecture for these packages should be iphoneos-arm64 (as opposed to the current iphoneos-arm)

[senolatac]

+1

[ayekta]

me 2

[cleverhu]

+1

[cleverhu]

@oleavr Could you take a look, recently, IOS 15.0-15.1 rootless jail break has been tested. I also encountered this problem. Thank you in advance.

[oleavr]

You can set CRYPTEX_MOUNT_PATH to e.g. /var/jb, and Frida will look for its agent at /var/jb/usr/lib/frida/frida-agent.dylib. I probably won't have the bandwidth to set up CI for packaging anytime soon, but PRs are always welcome! 🙌

[961905]

@oleavr Could you take a look, recently, IOS 15.0-15.1 rootless jail break has been tested. I also encountered this problem. Thank you in advance.

Have you solved it?

[cleverhu]

You can set CRYPTEX_MOUNT_PATH to e.g. /var/jb, and Frida will look for its agent at /var/jb/usr/lib/frida/frida-agent.dylib. I probably won't have the bandwidth to set up CI for packaging anytime soon, but PRs are always welcome! 🙌

@oleavr
Thanks for you reply, it worked, but it also crashed off when execute frida-trace.

[cleverhu]

@oleavr Could you take a look, recently, IOS 15.0-15.1 rootless jail break has been tested. I also encountered this problem. Thank you in advance.

Have you solved it?

I havn't, the device will crash off all the time. See #2345.

[961905]

My Frida can't start.

@oleavr Could you take a look, recently, IOS 15.0-15.1 rootless jail break has been tested. I also encountered this problem. Thank you in advance.

Have you solved it?

I havn't, the device will crash off all the time. See #2345.

My Frida can't start.

[cukingpro]

@oleavr @cleverhu
Set CRYPTEX_MOUNT_PATH in computer or in iOS device? Thanks

[lauritzh]

Hi there :)
Is there any chance Frida will support rootless Jailbreaks out-of-the-box in the nearer future?

I probably won't have the bandwidth to set up CI for packaging anytime soon, but PRs are always welcome!

I suppose this is the Build Config that would need to be adjusted?

• https://github.com/frida/frida/blob/main/.github/actions/package-ios-assets/action.yml
• https://github.com/frida/frida-core/blob/main/tools/package-server-ios.sh

[miticollo]

Hi everyone! I created a Gist where you can find the build instructions to compile your frida version.

@tmm1 confirmed to me that it works like a charm on iOS 16+ jailbroken with palera1n rootless.

But there are some feature doesn't work with Dopamine on iOS 15:

• frida-ps -Ua: No running applications.
• frida -U -f com.apple.mobilesafari: Failed to attach: process with pid 4334 either refused to load frida-agent, or terminated during injection

[Lunascaped]

Hi everyone! I created a Gist where you can find the build instructions to compile your frida version.

@tmm1 confirmed to me that it works like a charm on iOS 16+ jailbroken with palera1n rootless.

But there are some feature doesn't work with Dopamine on iOS 15:

• frida-ps -Ua: No running applications.
• frida -U -f com.apple.mobilesafari: Failed to attach: process with pid 4334 either refused to load frida-agent, or terminated during injection

So is it possible to use frida on dopamine with your repo? I got confused by your response

[miticollo]

Hi everyone! I created a Gist where you can find the build instructions to compile your frida version.

@tmm1 confirmed to me that it works like a charm on iOS 16+ jailbroken with palera1n rootless.

But there are some feature doesn't work with Dopamine on iOS 15:

• frida-ps -Ua: No running applications.
• frida -U -f com.apple.mobilesafari: Failed to attach: process with pid 4334 either refused to load frida-agent, or terminated during injection

So is it possible to use frida on dopamine with your repo? I got confused by your response

Yes, but there are two limitations: spawn and enumerate_applications don't work. While if you use palera1n rootless everything works. I tested frida rootless on palera1n rootless with iPhone 8 Plus and iOS 16.4.1(a).
While I tested frida rootless on Dopamine using my fork of frida-ios-dump. I used an iPhone XR with iOS 15.1b1.

@tmm1 supposed that these limitations depend on iOS version indeed it seems that they are present on palera1n rootless and iOS 15.

[zhaoboy9692]

大家好！我创建了一个 Gist，您可以在其中找到编译 frida 版本的构建说明。
@tmm1向我确认，它在 iOS 16+ 上就像一个魅力 越狱 帕莱拉1n 无根.
但是有些功能不适用于iOS 15上的多巴胺：

• frida-ps -Ua:No running applications.
• frida -U -f com.apple.mobilesafari:Failed to attach: process with pid 4334 either refused to load frida-agent, or terminated during injection

那么是否可以在您的回购中使用多巴胺上的弗里达？我对你的回答感到困惑

是的，但有两个限制：并且不起作用。而如果你使用 palera1n 无根，一切正常。我在 palera1n 上用 iPhone 8 Plus 和 iOS 16.4.1（a） 测试了 frida Rootless。当我使用我的弗里达-ios-dump叉子在多巴胺上测试弗里达无根时。我用了装有iOS 15.1b1的iPhone XR。spawn``enumerate_applications

@tmm1认为这些限制取决于iOS版本，确实似乎它们存在于palera1n无根和iOS 15上。
会修复吗

[miticollo]

Did you use my fork: https://github.com/miticollo/frida-ios-dump?

[zhaoboy9692]

Did you use my fork: https://github.com/miticollo/frida-ios-dump?

no，use your build frida for arm64e

[zhaoboy9692]

Did you use my fork: https://github.com/miticollo/frida-ios-dump?
use you frida-ios-dump ，bad

[miticollo]

I know there is this problem (see above) if you use Dopamibe.
And a person with an iPhone 7 and iOS 15.7.5 jailbroken with palera1n rootless said to me that the same issues happen. Probably there is a bug in frida on iOS 15.

[zhaoboy9692]

I know there is this problem (see above) if you use Dopamibe. And a person with an iPhone 7 and iOS 15.7.5 jailbroken with palera1n rootless said to me that the same issues happen. Probably there is a bug in frida on iOS 15.

yes It's okay to use iPhone8 rootful

[miticollo]

Did you use my fork: https://github.com/miticollo/frida-ios-dump?
use you frida-ios-dump ，bad

I have just updated my fork. So git pull the new commit.

Then:

1. Open the target app on your iDevice.
2. Run python dump.py -l and search the process of your target app.
3. Finally run python ./dump.py -H <iDevice_IP> -u mobile -P <mobile_password> <target>, where <target> is the name of process that you discovered using dump.py -l in the previous step.

If you prefer you can use an iDevice with rootfull JB.

[zhaoboy9692]

There are still many problems ，I gave up，use iphone8

[zhaoboy9692]

phone reboot and app Stuck etc.

[miticollo]

There are still many problems ，I gave up，use iphone8

Anyway it seems that on your iDevice there are two app called WeChat.

[zhaoboy9692]

There are still many problems ，I gave up，use iphone8

Anyway it seems that on your iDevice there are two app called WeChat.
iphone8 ios16.5 rootless palera1n no problem
iphone12pro max rootless bad

thanks https://gist.github.com/miticollo/6e65b59d83b17bacc00523a0f9d41c11#file-how-to-build-frida-server-for-ios-md