debugserver crash Killed: 9 #531

Closed. MartinPrusa opened this issue Feb 25, 2019 · 24 comments

Comments

@MartinPrusa

Device: iPhone9,3 (iPhone 7) 128GB
iOS: 12.0.1
unc0ver: 3.0.0~b32

Extraction of debugserver:

  • hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/12.0/DeveloperDiskImage.dmg
  • cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ./
  • codesign -s - --entitlements entitlements.plist -f debugserver
  • scp ./debugserver root@10.0.1.7:/usr/bin/

Entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>com.apple.private.librarian.can-get-application-info</key>
    <true/>
    <key>com.apple.private.mobileinstall.allowedSPI</key>
    <array>
        <string>Lookup</string>
        <string>CopyInstalledAppsForLaunchServices</string>
    </array>
</dict>
</plist>

Run debugserver:

  • debugserver *:6666 -a Preferences

Debugserver crashes:

/usr/local/bin/debugserver: line 11:  2234 Killed: 9               /usr/bin/debugserver > /dev/null 2>&1
WARNING: -H is only present for compatibility with a fork of ldid
         you should NOT be manually specifying the hash algorithm
Killed: 9
@jayb1239

Have you tried signing with a real certificate?

@jayb1239

@MartinPrusa sign with a real developer certificate or sign with the one provided by Unc0ver

ldid -S -M -K/usr/share/jailbreak/signcert.p12 debugserver

Doing so appears to get it working however I haven't thoroughly tested debugserver

@MartinPrusa (author)

@jayb1239 running ldid -S -M -K /usr/share/jailbreak/signcert.p12 debugserver on iPhone will give me

ldid.cpp(693): _assert(): false
ldid.cpp(3000): _assert(): errno=2

I will try it to sign it with my own cert

@jayb1239

There shouldn't be a space between -K /usr/share/jailbreak/signcert.p12 it should be exactly as above

@MartinPrusa (author)

ldid -S -M -K/usr/share/jailbreak/signcert.p12 debugserver gives me:
ldid.cpp(3000): _assert(): errno=2

@MartinPrusa (author)

My fault, debugserver was write-protected.

@MartinPrusa (author)

Now running debugserver *:6666 -a Preferences gives me:

debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.85
 for arm64.
Attaching to process Preferences...
error: failed to attach to process named: "" (os/kern) invalid argument
Exiting.

@jayb1239

Is there a process named Preferences running?

@badheli

badheli commented Mar 1, 2019

How to use debugserver in unc0ver for iOS 12

I have a way! But: Failed to get connection from a remote gdb process

  1. get debugserver
cp /Developer/usr/bin/debugserver  /var/root/
scp root@ip:/var/root/debugserver ./

  2. use lipo
lipo -thin arm64 debugserver  -output debugserver_arm64

  3. copy debugserver_arm64 to iphone
scp debugserver_arm64 root@ip:/usr/bin/debugserver_arm64

  4. use ldid on iphone
ldid -S/usr/share/entitlements/debugserver.xml /usr/bin/debugserver_arm64

/usr/share/entitlements/debugserver.xml provided by Unc0ver

  5. use inject command on iphone
inject /usr/bin/debugserver_arm64

OK

iPhone:~ root# inject /usr/bin/debugserver_arm64 
got persisted port!
Injecting to trust cache...
/usr/bin/debugserver_arm64: OK
Actually injecting 1 keys
1 new hashes to inject
Successfully injected [1/1] to trust cache.
iPhone:~ root# debugserver_arm64 
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.85
 for arm64.
Usage:
  debugserver host:port [program-name program-arg1 program-arg2 ...]
  debugserver /path/file [program-name program-arg1 program-arg2 ...]
  debugserver host:port --attach=<pid>
  debugserver /path/file --attach=<pid>
  debugserver host:port --attach=<process_name>
  debugserver /path/file --attach=<process_name>

But failed to get connection from a remote gdb process

iPhone:~ root# debugserver_arm64  localhost:1234 -a AppStore
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.85
 for arm64.
Attaching to process AppStore...
Listening to port 1234 for a connection from localhost...
Failed to get connection from a remote gdb process.
Exiting.

debugserver.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.backboardd.debugapplications</key>
	<true/>
	<key>com.apple.backboardd.launchapplications</key>
	<true/>
	<key>com.apple.diagnosticd.diagnostic</key>
	<true/>
	<key>com.apple.frontboard.debugapplications</key>
	<true/>
	<key>com.apple.frontboard.launchapplications</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>com.apple.springboard.debugapplications</key>
	<true/>
	<key>com.apple.system-task-ports</key>
	<true/>
	<key>get-task-allow</key>
	<true/>
	<key>platform-application</key>
	<true/>
	<key>run-unsigned-code</key>
	<true/>
	<key>seatbelt-profiles</key>
	<array>
		<string>debugserver</string>
	</array>
	<key>task_for_pid-allow</key>
	<true/>
</dict>
</plist>

@holyswordman

I got the "Failed to get connection from a remote gdb process" error too.
I'm using an iPhone 6s, 12.1.2, unc0ver v3.0.0 beta38.
Does debugserver not work on iOS 12?

@holyswordman

iPhone:~ root# debugserver *:6666 --attach=Reddit
debugserver-@(#)PROGRAM:LLDB PROJECT:lldb-900.3.86
for arm64.
Attaching to process Reddit...
Listening to port 6666 for a connection from *...
Failed to get connection from a remote gdb process.
Exiting.
iPhone:~ root#

Console log on the Mac:
預設值 20:31:26.086394 +0800 debugserver debugserver will use ASL for internal logging.
預設值 20:31:26.159243 +0800 debugserver debugserver will use ASL for internal logging.
預設值 20:31:26.512377 +0800 debugserver Warning: Libinfo call to mDNSResponder on main thread
錯誤 20:31:26.512834 +0800 kernel Sandbox: debugserver(997) deny(1) network-outbound /private/var/run/mDNSResponder
預設值 20:31:26.513454 +0800 debugserver dnssd_clientstub ConnectToServer: connect()-> No of tries: 1
預設值 20:31:27.550943 +0800 debugserver dnssd_clientstub ConnectToServer: connect()-> No of tries: 2
預設值 20:31:28.553120 +0800 debugserver dnssd_clientstub ConnectToServer: connect()-> No of tries: 3
預設值 20:31:29.570938 +0800 debugserver dnssd_clientstub ConnectToServer: connect() failed path:/var/run/mDNSResponder Socket:6 Err:-1 Errno:1 Operation not permitted
預設值 20:31:29.575520 +0800 kernel Sandbox: 3 duplicate reports for debugserver deny(1) network-outbound /private/var/run/mDNSResponder
錯誤 20:31:29.575619 +0800 kernel Sandbox: debugserver(997) deny(1) system-socket

錯誤 20:31:29.575772 +0800 debugserver socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL) failed: Operation not permitted
錯誤 20:31:29.576274 +0800 debugserver socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL) failed: Operation not permitted
預設值 20:31:29.577772 +0800 kernel Sandbox: 1 duplicate report for debugserver deny(1) system-socket
錯誤 20:31:29.577819 +0800 kernel Sandbox: debugserver(997) deny(1) network-bind
:6666
*
預設值 20:31:29.578459 +0800 debugserver 1 +0.000000 sec [03e5/0403]: ::listen or ::bind failed err = 0x00000000
預設值 20:32:02.300697 +0800 kernel Sandbox: 3 duplicate reports for debugserver deny(1) network-bind:6666*

@s84088722

Failed to get connection from a remote gdb process.
I got the same problem!!

@EthanArbuckle

Same, seems to be an unc0ver issue (both 11.3 and 12.1 don't work).

@lslfly

lslfly commented Mar 12, 2019

Failed to get connection from a remote gdb process.
Got the same problem too.

@s84088722

@pwn20wndstuff

@liaogang

Same problem, +1.

@holyswordman

I have figured it out.

  1. To solve the "failed to get connection from a remote gdb process" issue: remove "seatbelt-profiles" from /usr/share/entitlements/debugserver.xml and re-sign debugserver. (They have fixed it already, so "seatbelt-profiles" has been removed from the newest version of debugserver.xml.)

  2. To solve another EXC_BAD_ACCESS issue: the target process being debugged needs the get-task-allow entitlement. Re-sign the target app being debugged with the get-task-allow entitlement as a temporary workaround and it will work!
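The fix above comes down to inspecting the entitlements file before re-signing: debugserver needs get-task-allow, task_for_pid-allow and platform-application, and must not carry a seatbelt-profiles entry, which is what confines it so tightly that the sandbox denies its listening bind (the "deny(1) network-bind" lines in the console log earlier in this thread). The following Python script is an added example, not code from this thread or from unc0ver; the sample plist embedded in it is constructed to mirror the quoted debugserver.xml, and the key lists are taken from the entitlements discussed above, not from any Apple documentation.

```python
"""Audit an entitlements plist before re-signing debugserver with it.

Added example: parses the XML plist with the standard library, reports the
debugging entitlements that are missing and the sandbox-confining keys that
are present, and can emit a cleaned copy with the confining keys removed.
"""
import plistlib
import sys

# Entitlements this thread identifies as required for debugserver to attach.
REQUIRED_KEYS = ("platform-application", "get-task-allow", "task_for_pid-allow")

# Keys that confine debugserver so its bind()/listen() is denied by the sandbox
# (holyswordman's finding: remove seatbelt-profiles and re-sign).
CONFINING_KEYS = ("seatbelt-profiles",)

# Constructed sample mirroring the unc0ver-provided debugserver.xml quoted above,
# reduced to the keys relevant to the audit.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key><true/>
    <key>platform-application</key><true/>
    <key>task_for_pid-allow</key><true/>
    <key>run-unsigned-code</key><true/>
    <key>seatbelt-profiles</key>
    <array><string>debugserver</string></array>
</dict>
</plist>
"""


def audit_entitlements(data: bytes) -> dict:
    """Return the required keys that are missing (or not boolean true) and the
    confining keys that are present; 'ok' is True only when both lists are empty."""
    ents = plistlib.loads(data)
    missing = [k for k in REQUIRED_KEYS if ents.get(k) is not True]
    confining = [k for k in CONFINING_KEYS if k in ents]
    return {"missing": missing, "confining": confining, "ok": not missing and not confining}


def strip_confining_keys(data: bytes) -> bytes:
    """Return a copy of the plist (XML format) with the confining keys removed.
    All other entitlements are preserved unchanged."""
    ents = plistlib.loads(data)
    for key in CONFINING_KEYS:
        ents.pop(key, None)
    return plistlib.dumps(ents)


if __name__ == "__main__":
    # Usage: python audit_entitlements.py [path/to/debugserver.xml]
    # Without an argument the embedded constructed sample is audited.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    report = audit_entitlements(raw)
    print("missing required keys:", report["missing"] or "none")
    print("confining keys present:", report["confining"] or "none")
    if report["confining"]:
        cleaned = strip_confining_keys(raw)
        print("cleaned plist (re-sign debugserver with this):")
        print(cleaned.decode())
```

Run against /usr/share/entitlements/debugserver.xml copied off the device, the report tells you whether the file still carries seatbelt-profiles (older unc0ver builds) before you spend time on ldid and trust-cache injection; the cleaned output is what the thread's fix amounts to.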

@liaogang

liaogang commented Apr 2, 2019

@holyswordman I got it to work, thanks.

@breadchris

breadchris commented Apr 6, 2019

You're the best @holyswordman <3. The entitlements are fixed, but the debugserver binary isn't being signed with them?

@qrx

qrx commented May 8, 2019

  1. To solve another EXC_BAD_ACCESS issue: The target process being debugged needs the get-task-allow entitlement. Resign the target app being debugged with the get-task-allow entitlement as a temporary workaround and it will work!

@holyswordman
What exactly do you mean by sign the target app?
Is this using ldid on the binary, on the phone, or by codesign on the desktop?

@ouraigua-zz

ouraigua-zz commented May 14, 2019

I'm using the Chimera jailbreak on an iPhone 6+ running 12.1.2, and these are my steps to get debugserver running and attaching successfully.

  1. copy debugserver to your Mac from your device, from /Developer/usr/bin/debugserver
  2. re-sign debugserver using the following command:
    codesign -s - --entitlements entitlements.plist -f debugserver
  3. use this entitlements.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.diagnosticd.diagnostic</key>
    <true/>
    <key>com.apple.frontboard.debugapplications</key>
    <true/>
    <key>com.apple.frontboard.launchapplications</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>com.apple.system-task-ports</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
  4. copy debugserver back to the device into /usr/bin/debugserver
  5. respring
    killall -9 SpringBoard
  6. then run debugserver using
    debugserver localhost:1234 -x backboard path_to_binary
  7. on your Mac run lldb and connect as usual

@Mr007jd

Mr007jd commented Sep 27, 2019

#Installation of debugserver on iOS 12.1.1 with the unc0ver jailbreak (iPhone 6+)

Required:
1. Mac with the latest Xcode installed.
2. Jailbroken iPhone.

#Installation:
$ ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/

-> Choose the iOS version running on your iOS device. Let it be 12.1. Extract debugserver for iOS 12.1:

$ hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/12.1/DeveloperDiskImage.dmg


1. get debugserver
	$ cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ./
2. use lipo
	$ lipo -thin arm64 debugserver  -output debugserver_arm64

3. copy debugserver_arm64 to iphone
	$ scp debugserver_arm64 root@ip:/usr/bin/debugserver_arm64

4. $ ldid -S/usr/share/entitlements/debugserver.xml /usr/bin/debugserver_arm64
	-> /usr/share/entitlements/debugserver.xml provided by Unc0ver
5. use inject command on iphone
	iPhone:~ root# inject /usr/bin/debugserver_arm64 
	got persisted port!
	Injecting to trust cache...
	/usr/bin/debugserver_arm64: OK
	Actually injecting 1 keys
	1 new hashes to inject
	Successfully injected [1/1] to trust cache.
	
6. iPhone:~ root# debugserver_arm64 
	debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-900.3.85
	 for arm64.
	Usage:
	  debugserver host:port [program-name program-arg1 program-arg2 ...]
	  debugserver /path/file [program-name program-arg1 program-arg2 ...]
	  debugserver host:port --attach=<pid>
	  debugserver /path/file --attach=<pid>
	  debugserver host:port --attach=<process_name>
	  debugserver /path/file --attach=<process_name>
7. ps -ax | grep Preferences	-> start the Settings app on the iPhone.
8. debugserver_arm64  0.0.0.0:6666 -a Preferences
	Attaching to process Preferences...
	Listening to port 6666 for a connection from *...

9. Now, open a new Mac console and run

$ lldb
(lldb) platform select remote-ios
(lldb) process connect connect://10.1.24.72:6666

-> Wait 1-2 min and, finally, you'll get the result

Result:
	Process 400 stopped
	* thread #1: tid = 0x118f, 0x38bfda58 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
	    frame #0: 0x38bfda58 libsystem_kernel.dylib`mach_msg_trap + 20
	libsystem_kernel.dylib`mach_msg_trap:
	->  0x38bfda58 <+20>: pop    {r4, r5, r6, r8}
	    0x38bfda5c <+24>: bx     lr

	libsystem_kernel.dylib`mach_msg_overwrite_trap:
	    0x38bfda60 <+0>:  mov    r12, sp
	    0x38bfda64 <+4>:  push   {r4, r5, r6, r8}

(lldb) continue			-> that's all, done.

@joanbono

Solved with ldid2 from the cydia.radare.org repo and the following Entity.xml:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.security.container-required</key>
    <false/>
</dict>
</plist>
iPhone-Testing:/tmp root# ./roplevel1
Killed: 9
iPhone-Testing:/tmp root# ldid2  -SEntity.xml roplevel1
iPhone-Testing:/tmp root# ./roplevel1
Welcome to ROPLevel1 for ARM64! Created by Billy Ellis (@bellis1000)
