
iphone always crash off in 15.0 rootless jail break #2345

Open
cleverhu opened this issue Dec 3, 2022 · 7 comments

Comments

@cleverhu

cleverhu commented Dec 3, 2022

According to #2288, I set CRYPTEX_MOUNT_PATH to /var/jb, and when I use a command such as frida-ps -U, the phone crashes. I don't know the reason for it.
This is the phone log:

  ssh root@192.168.8.104
2022-12-03 20:23:11.600 bash[627:8524] send fixOurProcAndRoot 627
2022-12-03 20:23:11.601 bash[627:8524] 收到回复fixOurProcAndRoot完成
iPhone-12-Pro-Max:~ root# uname -a
Darwin iPhone-12-Pro-Max 21.0.0 Darwin Kernel Version 21.0.0: Sun Aug 15 20:55:58 PDT 2021; root:xnu-8019.12.5~1/RELEASE_ARM64_T8101 iPhone13,4 arm64 D54pAP Darwin
iPhone-12-Pro-Max:~ root# /var/bin/frida-server --version
16.0.7
^CiPhone-12-Pro-Max:~ root# export CRYPTEX_MOUNT_PATH=/var/jb
iPhone-12-Pro-Max:~ root# /var/bin/frida-server
client_loop: ssh_packet_write_poll: Connection to 192.168.8.104 port 22: Host is down
  ~/Desktop/Payload/ArticleBroth.app 

This is the Mac log:

~  frida-ps -U                        [20:23:57 12/03]
Traceback (most recent call last):
  File "/opt/homebrew/bin/frida-ps", line 8, in <module>
    sys.exit(main())
  File "/opt/homebrew/lib/python3.10/site-packages/frida_tools/ps.py", line 279, in main
    app.run()
  File "/opt/homebrew/lib/python3.10/site-packages/frida_tools/application.py", line 386, in run
    self._reactor.run()
  File "/opt/homebrew/lib/python3.10/site-packages/frida_tools/reactor.py", line 44, in run
    self._run_until_return(self)
  File "/opt/homebrew/lib/python3.10/site-packages/frida_tools/application.py", line 71, in await_enter
    input_with_cancellable(reactor.ui_cancellable)
  File "/opt/homebrew/lib/python3.10/site-packages/frida_tools/application.py", line 59, in input_with_cancellable
    rlist, _, _ = select.select([sys.stdin, cancellable_fd], [], [])
ValueError: file descriptor cannot be a negative integer (-42)
Waiting for USB device to appear...

However, if I don't set CRYPTEX_MOUNT_PATH, the frida-ps command doesn't crash the phone and it works, but frida -UF -l demo.js doesn't work and reports the error: Failed to attach: module not found at "/usr/lib/frida/frida-agent.dylib"

@961905

961905 commented Dec 4, 2022

My log; my Frida can't start.
shoutentekiiPhone:~ root# /var/sbin/frida-server
**
Frida:ERROR:../../../frida-core/src/darwin/policy-softener.vala:197:frida_electra_policy_softener_constructor: assertion failed: (libjailbreak != null)
Bail out! Frida:ERROR:../../../frida-core/src/darwin/policy-softener.vala:197:frida_electra_policy_softener_constructor: assertion failed: (libjailbreak != null)
Abort trap: 6

@cleverhu
Author

cleverhu commented Dec 6, 2022

My log; my Frida can't start.
shoutentekiiPhone:~ root# /var/sbin/frida-server
**
Frida:ERROR:../../../frida-core/src/darwin/policy-softener.vala:197:frida_electra_policy_softener_constructor: assertion failed: (libjailbreak != null)
Bail out! Frida:ERROR:../../../frida-core/src/darwin/policy-softener.vala:197:frida_electra_policy_softener_constructor: assertion failed: (libjailbreak != null)
Abort trap: 6

I also encountered this situation after reinstalling frida and don't know how to solve it. However, frida -UF -l xx.js seems to work for me without starting frida-server; you can try it locally with the latest frida version.

@xiaozhuai

Same problem.

@xiaozhuai

xiaozhuai commented Dec 7, 2022

I tested 16.0.6; it also shows this error

ValueError: file descriptor cannot be a negative integer (-42)

But it didn't make the device crash, and it works well

@oleavr
Member

oleavr commented Dec 7, 2022

file descriptor cannot be a negative integer (-42)

This part is fixed in frida-tools 12.0.4, just released.
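The ValueError in the traceback above comes straight from Python's select module: it refuses any negative file descriptor, so a cancellable whose descriptor was never initialised (here -42) aborts the whole read loop. The following Python is an added illustration for this thread, not frida's code and not the frida-tools 12.0.4 fix itself; the function names select_readable, unguarded_select_message, demo_bad_fd and demo_good_fd are assumptions chosen here. It reproduces the interpreter's exact error for a negative descriptor and shows a guard that checks every descriptor before it reaches select(), so a bad cancellable fd fails with a clear message instead of an opaque one from deep inside the reactor.

```python
import os
import select


def select_readable(fds, timeout=0.0):
    """Wait for readability on fds, validating each descriptor first.

    fds may contain raw ints or objects with a fileno() method, exactly
    what select.select() accepts. Negative or non-integer descriptors
    are rejected here with a descriptive error rather than letting
    select() raise "file descriptor cannot be a negative integer".
    (Hypothetical helper for this thread, not frida-tools code.)
    """
    for fd in fds:
        n = fd.fileno() if hasattr(fd, "fileno") else fd
        if not isinstance(n, int) or n < 0:
            raise ValueError(
                f"invalid file descriptor {n!r}: the cancellable has no "
                "usable fd; refusing to call select()"
            )
    rlist, _, _ = select.select(fds, [], [], timeout)
    return rlist


def unguarded_select_message():
    """Show what the unguarded call does with the -42 from the traceback."""
    try:
        select.select([-42], [], [], 0)
    except ValueError as exc:
        return str(exc)  # "file descriptor cannot be a negative integer (-42)"
    return None


def demo_bad_fd():
    """The same bad descriptor through the guarded helper."""
    try:
        select_readable([-42])
    except ValueError as exc:
        return str(exc)
    return None


def demo_good_fd():
    """A valid descriptor: a constructed pipe with one byte pending."""
    r, w = os.pipe()
    try:
        os.write(w, b"x")  # constructed sample input
        ready = select_readable([r], timeout=1.0)
        return r in ready
    finally:
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    print("unguarded:", unguarded_select_message())
    print("guarded:  ", demo_bad_fd())
    print("good fd:  ", demo_good_fd())
```

The guard matters because a cancellable fd that is negative usually means the cancellable was never wired up; failing early with a message naming the cancellable points at the real cause, whereas the raw select() error only reports the number.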

@crifan

crifan commented Jan 12, 2023

as @oleavr said, so:

  • solution: upgrade frida-tools to latest version: v12.0.4
    • how to do: pip install --upgrade frida_tools
      • if installed frida via pip: pip install frida
      • Note: check installed version: pip show frida_tools

updated 20230118:

  • still doesn't work
    • using frida (frida/frida-ls/frida-trace) will cause iPhone 11 to reboot.
      • iPhone11: iOS 15.1, rootless jailbreak by XinaA15

Update 20230324:

  • iPhone8: iOS 15.0, rootless jailbreak by XinaA15
    • frida works normally

@krapgras

I'm still getting a similar issue. I can do frida-ps -Uia but I can't inject into an app as it throws "Unable to connect to the frida server: need Gadget to attach on jailed iOS"

I'm using XinaA15, but couldn't this be linked to sandbox protections?
Unfortunately can't find much on how the XinaA15 jailbreak is implemented so not sure if it's a frida or jb thing or both.

Anyone with ideas on how we could test this?
