frida-ps -U causes the iPad to crash and reboot

Issue:

After running the frida-ps -U command, the jailbroken device crashes and reboots immediately.

Logs:

|Level|Time|Process|Message|
|---|---|---|---|
|Default|20:12:22.909693 +0800|amfid|MacOS error: -67062|
|Default|20:12:22.928019 +0800|amfid|MacOS error: -67062|
|Default|20:12:22.964464 +0800|amfid|MacOS error: -67062|
|Default|20:12:22.978784 +0800|amfid|MacOS error: -67062|
|Default|20:12:22.995348 +0800|symptomsd|L2 Metrics on ifname en0: rssi: -60 (txFrames/txReTx/txFail) 4/0/0 -> (was/is) 0/0|
|Default|20:12:23.061722 +0800|amfid|MacOS error: -67062|
|Default|20:12:23.072554 +0800|amfid|MacOS error: -67062|
|Error|20:12:23.573514 +0800|SpringBoard|Unable to obtain a task name port right for pid 845: (os/kern) failure (0x5)|
|Default|20:12:23.573687 +0800|SpringBoard|[FBProcessManager] Adding: <FBProcess: 0x1c430aef0; frida-server; pid: 845>|
|Default|20:12:23.688649 +0800|amfid|UNIX error exception: 2|
|Default|20:12:23.696104 +0800|amfid|MacOS error: -67068|
|Default|20:12:23.703181 +0800|amfid|Failure creating static code: -67068|
|Error|20:12:23.705459 +0800|amfid|unrecognized status -67068 from codesigning library|
|Default|20:12:23.705655 +0800|amfid|Could not copy code signature (error 0xe8008001).|
|Default|20:12:23.721980 +0800|kernel|int _validateCodeDirectoryHashInDaemon(const char *, struct cs_blob *, unsigned int *, unsigned int *, int, bool, bool, char *): verify_code_directory server is dead|
|Default|20:12:23.722132 +0800|kernel|AMFI: code signature validation failed.|
|Error|20:12:23.742255 +0800|kernel|Library Validation failed: Rejecting '/usr/lib/substrate/SubstrateBootstrap.dylib' (Team ID: none, platform: no) for process 'ReportCrash(856)' (Team ID: none, platform: yes), reason: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)|
|Error|20:12:23.743108 +0800|kernel|Library Validation failed: Rejecting '/usr/lib/substrate/SubstrateBootstrap.dylib' (Team ID: none, platform: no) for process 'ReportCrash(856)' (Team ID: none, platform: yes), reason: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)|


Steps to reproduce:

I ran the frida-ps -U command and the iPad crashed and rebooted.

Also, following the frida issue at https://github.com/frida/frida/issues/582,
I tried the following commands and it crashed in exactly the same way:

// server side:

/usr/sbin/frida-server -l 192.168.1.4

// client side:

frida-ps -H 192.168.1.4

Result:

➜  ~ frida-ps -U
Failed to enumerate processes: unable to connect to remote frida-server: Unable to connect (connection refused)

Any other details:

The device can currently be reached over ssh without problems.

ssh root@192.168.1.4

Some people online say it may be a version problem; the frida version on my Mac is 12.3.1, and the version installed from Cydia is also 12.3.1.

Environment:
device: iPad Air
system: iOS 11.0.3
jailbreak: unc0ver

Installed components:
AFC2 for iOS11 (from Cydiaba)
AppList
AppSync Unified
Frida (source: build.frida.re)
OpenSSH


My main goal is to use AloneMonkey's frida-ios-dump to dump decrypted apps, but it seems to be stuck at the frida step. Could the experts please give me some pointers on how to troubleshoot this, or tell me which step I got wrong? Many thanks!

:grinning:

1 Like
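To make the log excerpt above easier to read, here is an added triage script (not code from any post in this thread and not frida's code) that parses pipe-table rows in the layout pasted above, counts the amfid code-signing errors, picks out the frida-server spawn and the kernel's "verify_code_directory server is dead" message, and summarises the order of events. The error-code names come from the Security framework's CSCommon.h and are an assumption; the sample rows are a constructed subset of the first post's table.

```python
"""Triage a unified-log excerpt for the amfid / AMFI code-signing failure that
precedes the reboot described in this thread.

Added example, not code from any post in the thread and not frida's code.
Input rows use the pipe-table layout pasted above: |level|time|process|message|.
"""
import re
from collections import Counter

# Error codes from the Security framework's CSCommon.h (assumed names; only the
# two codes that appear in the thread's amfid log lines are mapped).
CS_ERRORS = {
    -67062: "errSecCSUnsigned",
    -67068: "errSecCSStaticCodeNotFound",
}

# Constructed sample: a subset of the rows from the first post, same layout.
SAMPLE_LOG = """\
|Default|20:12:22.909693 +0800|amfid|MacOS error: -67062|
|---|---|---|---|
|Error|20:12:23.573514 +0800|SpringBoard|Unable to obtain a task name port right for pid 845: (os/kern) failure (0x5)|
|Default|20:12:23.573687 +0800|SpringBoard|[FBProcessManager] Adding: <FBProcess: 0x1c430aef0; frida-server; pid: 845>|
|Default|20:12:23.688649 +0800|amfid|UNIX error exception: 2|
|Default|20:12:23.696104 +0800|amfid|MacOS error: -67068|
|Default|20:12:23.703181 +0800|amfid|Failure creating static code: -67068|
|Default|20:12:23.721980 +0800|kernel|_validateCodeDirectoryHashInDaemon: verify_code_directory server is dead|
|Default|20:12:23.722132 +0800|kernel|AMFI: code signature validation failed.|
"""

ROW_RE = re.compile(r"^\|(?P<level>[^|]*)\|(?P<time>[^|]*)\|(?P<proc>[^|]*)\|(?P<msg>.*)\|$")
CODE_RE = re.compile(r"MacOS error: (-?\d+)")
SPAWN_RE = re.compile(r"frida-server; pid: (\d+)")


def parse_rows(text):
    """Return the table rows as dicts, skipping the markdown separator row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and not m.group("level").startswith("-"):
            rows.append(m.groupdict())
    return rows


def triage(rows):
    """Summarise the code-signing failure sequence seen in the rows."""
    amfid_errors = Counter()
    frida_pid = None
    server_dead_at = None
    amfi_failed = False
    for r in rows:
        msg = r["msg"]
        if r["proc"] == "amfid":
            m = CODE_RE.search(msg)
            if m:
                code = int(m.group(1))
                amfid_errors[CS_ERRORS.get(code, str(code))] += 1
        elif r["proc"] == "SpringBoard":
            m = SPAWN_RE.search(msg)
            if m:
                frida_pid = int(m.group(1))
        elif r["proc"] == "kernel":
            if "verify_code_directory server is dead" in msg:
                server_dead_at = r["time"]
            if "code signature validation failed" in msg:
                amfi_failed = True
    amfid_died = server_dead_at is not None
    if amfid_died and frida_pid is not None:
        verdict = ("amfid stopped answering the kernel's verify_code_directory "
                   "request at %s, after frida-server (pid %d) was spawned; "
                   "the kernel then rejected the code signature"
                   % (server_dead_at, frida_pid))
    elif amfid_died:
        verdict = "amfid stopped answering verify_code_directory at %s" % server_dead_at
    else:
        verdict = "no amfid death observed in this excerpt"
    return {
        "amfid_errors": dict(amfid_errors),
        "frida_server_pid": frida_pid,
        "amfid_died": amfid_died,
        "amfi_rejected": amfi_failed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_LOG)).items():
        print("%s: %s" % (key, value))
```

Run it on a full export (paste the rows into SAMPLE_LOG or read them from a file) to see whether amfid goes quiet right after frida-server is spawned, which is the pattern in both log excerpts in this thread.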

Watch the arm version, 32 or 64.

I ran into this problem too; it turned out to be a problem with the new version of the server on the iOS side.
1. Download the old version (12.2.27) from here and replace /usr/sbin/frida-server on the phone; you may need to change its permissions.
2. Reboot the device, re-jailbreak, and try again.

This old version can occasionally have problems too, but rebooting the device and re-jailbreaking fixes it.

2 Likes

Thank you very much for your method! It works! After replacing frida-server on the iOS side, the frida-ps -U command now works and I can get the process list from the device.

But I have run into a new problem:

Whether I run AloneMonkey's frida-ios-dump or ChiChou's frida-ipa-dump, it still causes a crash. (My goal is a one-click dump.)

Logs:

|Level|Time|Process|Message|
|---|---|---|---|
|Error|22:57:53.653551 +0800|SpringBoard|Unable to obtain a task name port right for pid 330: (os/kern) failure (0x5)|
|Error|22:57:53.655156 +0800|SpringBoard|Unable to obtain a task name port right for pid 330: (os/kern) failure (0x5)|
|Error|22:57:53.656709 +0800|SpringBoard|Unable to obtain a task name port right for pid 330: (os/kern) failure (0x5)|
|Error|22:57:53.658257 +0800|SpringBoard|Unable to obtain a task name port right for pid 330: (os/kern) failure (0x5)|
|Error|22:57:53.682730 +0800|SpringBoard|Unable to obtain a task name port right for pid 330: (os/kern) failure (0x5)|
|Error|22:57:53.692614 +0800|SpringBoard|Unable to obtain a task name port right for pid 330: (os/kern) failure (0x5)|
|Default|22:57:53.783246 +0800|amfid|UNIX error exception: 2|
|Default|22:57:53.792744 +0800|amfid|MacOS error: -67068|
|Default|22:57:53.799298 +0800|amfid|Failure creating static code: -67068|
|Error|22:57:53.799845 +0800|amfid|unrecognized status -67068 from codesigning library|
|Default|22:57:53.800075 +0800|amfid|Could not copy code signature (error 0xe8008001).|
|Default|22:57:53.808703 +0800|kernel|int _validateCodeDirectoryHashInDaemon(const char *, struct cs_blob *, unsigned int *, unsigned int *, int, bool, bool, char *): verify_code_directory server is dead|
|Default|22:57:53.808905 +0800|kernel|AMFI: code signature validation failed.|

Command run:


➜  frida-ipa-dump git:(master) ./dump.py com.laiwang.DingTalk
[info] attaching to target
Traceback (most recent call last):
  File "./dump.py", line 246, in <module>
    main()
  File "./dump.py", line 242, in main
    task.run()
  File "./dump.py", line 220, in run
    self.dump()
  File "./dump.py", line 142, in dump
    pid = self.device.spawn(self.app.identifier)
  File "/Library/Python/2.7/site-packages/frida/core.py", line 98, in spawn
    return self._impl.spawn(program, argv, envp, env, cwd, stdio, aux_options)
frida.TransportError: the connection is closed

You need to launch the app first, then dump it.

Or use this one, it is very stable.

It's a problem with the unc0ver jailbreak on iOS. Use Electra to jailbreak iOS 11 and there is no problem; I have tested this myself. On iOS 11, frida-ios-dump works fine!!!

Thanks a lot! I will test it.

Stability used to be a concern, but with unc0ver now you basically won't have any issues.

1. (arch == x32) ? x32 : x64
2. Match the version numbers. Update both the Mac side and the iOS side.
3. If it only started after a recent update, downgrade the iOS side alone by one version.
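The three steps in the reply above (check the CPU architecture, match the host and device versions, or drop the device side back one version) as an added script; this is not code from the thread or from the frida project. It assumes the device is reachable over ssh as root (as in the first post), that `frida --version` on the Mac and `/usr/sbin/frida-server --version` on the device print a plain version string, that `sysctl -n hw.cputype` on the device returns the Mach-O cputype, and that release archives are named frida-server-<version>-ios-<arch>.xz under the GitHub releases URL in the script.

```python
"""Check that the frida version on the Mac matches frida-server on the device,
and pick the right frida-server build for the device's CPU, following the three
steps in the reply above (arch, version match, downgrade the device side).

Added example, not code from the thread or from the frida project. Assumptions:
the device is reachable over ssh as root; `frida --version` and
`frida-server --version` print a plain version string; release archives are
named frida-server-<version>-ios-<arch>.xz under RELEASE_BASE.
"""
import subprocess
import sys

RELEASE_BASE = "https://github.com/frida/frida/releases/download"

# Mach-O cputype values (assumed from <mach/machine.h>): CPU_TYPE_ARM and
# CPU_TYPE_ARM64, as reported by `sysctl -n hw.cputype` on the device.
CPUTYPE_TO_ARCH = {12: "arm", 16777228: "arm64"}


def parse_version(text):
    """'12.3.1\\n' -> (12, 3, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


def server_arch(cputype):
    """Map hw.cputype to the frida-server iOS build name (arm / arm64)."""
    try:
        return CPUTYPE_TO_ARCH[int(cputype)]
    except (KeyError, ValueError):
        raise ValueError("unsupported hw.cputype %r" % (cputype,))


def server_url(version, arch):
    """Assumed release-archive naming: frida-server-<ver>-ios-<arch>.xz."""
    ver = ".".join(str(n) for n in version)
    return "%s/%s/frida-server-%s-ios-%s.xz" % (RELEASE_BASE, ver, ver, arch)


def plan(host_version, device_version, cputype):
    """Decide what to install on the device so both sides run the same build."""
    host = parse_version(host_version)
    device = parse_version(device_version)
    arch = server_arch(cputype)
    if host == device:
        return {"match": True, "arch": arch, "install": None}
    # Versions differ: install the host's version on the device (step 2). For
    # step 3 (device one version back) call server_url() with the older version.
    return {"match": False, "arch": arch, "install": server_url(host, arch)}


def run(cmd):
    return subprocess.check_output(cmd, universal_newlines=True)


def main(device):
    ssh = ["ssh", "root@" + device]
    p = plan(run(["frida", "--version"]),
             run(ssh + ["/usr/sbin/frida-server", "--version"]),
             run(ssh + ["sysctl", "-n", "hw.cputype"]))
    if p["match"]:
        print("host and device frida versions match (%s build)" % p["arch"])
    else:
        print("version mismatch; fetch %s, unxz it, copy it to "
              "/usr/sbin/frida-server and chmod 755 it" % p["install"])


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.4")
```

The chmod reminder in the mismatch message covers the "you may need to change the permissions" note from the earlier reply: a binary copied over with scp loses its execute bit unless the source file had it.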

My iOS 10.0.2 device can't use frida for dumping either; it reboots as soon as I start a dump.

My 10.0.2 doesn't work either, and other dumping tools don't work anymore either.