[Help] iOS 12.4 jailbreak: system crashes after respring with my hook code

I'm using "rocketbootstrap" to implement inter-process communication, mainly hooking "com.apple.backboardd", but after installing my tweak a respring never gets back to the home screen. From the log it looks like com.apple.backboardd fails to start; I don't know how to fix this.

Log

Aug 26 15:50:47 iPhone syncdefaultsd[2456] <Notice>: MS:Notice: Injecting: com.apple.syncdefaultsd [syncdefaultsd] (1575.17)
Aug 26 15:50:50 iPhone backboardd[2523] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:50:50 iPhone backboardd[2523] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:50:50 iPhone ReportCrash[2525] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:50:50 iPhone ReportCrash[2525] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:50:50 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2523]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2523]
Aug 26 15:50:50 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:50:50 iPhone SpringBoard[2524] <Notice>: MS:Notice: Injecting: com.apple.springboard [SpringBoard] (1575.17)
Aug 26 15:51:00 iPhone backboardd[2526] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:51:00 iPhone backboardd[2526] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:51:00 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2526]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2526]
Aug 26 15:51:00 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:51:00 iPhone ReportCrash[2527] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:51:00 iPhone ReportCrash[2527] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:51:10 iPhone backboardd[2528] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:51:10 iPhone backboardd[2528] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:51:10 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2528]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2528]
Aug 26 15:51:10 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:51:10 iPhone ReportCrash[2529] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:51:10 iPhone ReportCrash[2529] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:51:20 iPhone backboardd[2530] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:51:20 iPhone backboardd[2530] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:51:20 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2530]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2530]
Aug 26 15:51:20 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:51:20 iPhone ReportCrash[2531] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:51:20 iPhone ReportCrash[2531] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:51:30 iPhone backboardd[2532] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:51:30 iPhone backboardd[2532] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:51:30 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2532]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2532]
Aug 26 15:51:30 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:51:30 iPhone ReportCrash[2533] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:51:30 iPhone ReportCrash[2533] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:51:40 iPhone backboardd[2534] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:51:40 iPhone backboardd[2534] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:51:40 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2534]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2534]
Aug 26 15:51:40 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:51:40 iPhone ReportCrash[2535] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:51:40 iPhone ReportCrash[2535] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:51:50 iPhone backboardd[2536] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:51:50 iPhone backboardd[2536] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:51:50 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2536]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2536]
Aug 26 15:51:50 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:51:50 iPhone ReportCrash[2537] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:51:50 iPhone ReportCrash[2537] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:52:00 iPhone backboardd[2538] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:52:00 iPhone backboardd[2538] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:52:00 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2538]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2538]
Aug 26 15:52:00 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:52:00 iPhone ReportCrash[2539] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:52:00 iPhone ReportCrash[2539] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:52:10 iPhone backboardd[2540] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:52:10 iPhone backboardd[2540] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:52:10 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2540]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2540]
Aug 26 15:52:10 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:52:10 iPhone ReportCrash[2541] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:52:10 iPhone ReportCrash[2541] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:52:21 iPhone backboardd[2542] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:52:21 iPhone backboardd[2542] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:52:21 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2542]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2542]
Aug 26 15:52:21 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:52:21 iPhone ReportCrash[2543] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:52:21 iPhone ReportCrash[2543] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:52:31 iPhone backboardd[2544] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:52:31 iPhone backboardd[2544] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:52:31 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2544]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2544]
Aug 26 15:52:31 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:52:31 iPhone ReportCrash[2545] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:52:31 iPhone ReportCrash[2545] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:52:41 iPhone backboardd[2546] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:52:41 iPhone backboardd[2546] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:52:41 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2546]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2546]
Aug 26 15:52:41 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:52:41 iPhone ReportCrash[2547] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:52:41 iPhone ReportCrash[2547] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:52:51 iPhone backboardd[2548] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:52:51 iPhone backboardd[2548] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:52:51 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2548]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2548]
Aug 26 15:52:51 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:52:51 iPhone ReportCrash[2549] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:52:51 iPhone ReportCrash[2549] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Aug 26 15:53:01 iPhone backboardd[2550] <Notice>: MS:Notice: Injecting: com.apple.backboardd [backboardd] (1575.17)
Aug 26 15:53:01 iPhone backboardd[2550] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
Aug 26 15:53:01 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd[2550]) <Notice>: Service exited due to SIGSEGV | sent by exc handler[2550]
Aug 26 15:53:01 iPhone com.apple.xpc.launchd[1] (com.apple.backboardd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Aug 26 15:53:01 iPhone ReportCrash[2551] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1575.17)
Aug 26 15:53:01 iPhone ReportCrash[2551] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib

Code

Makefile

# Theos boilerplate the post omits (standard common.mk / tweak.mk includes)
include $(THEOS)/makefiles/common.mk

TWEAK_NAME = SimulateHIDEvent
SimulateHIDEvent_FILES = SimulateHIDEvent.x
SimulateHIDEvent_CFLAGS = -fobjc-arc
SimulateHIDEvent_LDFLAGS = -lsubstrate -lrocketbootstrap
SimulateHIDEvent_LIBRARIES = rocketbootstrap
SimulateHIDEvent_FRAMEWORKS = Foundation CoreFoundation UIKit

include $(THEOS_MAKE_PATH)/tweak.mk

Logos

#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import <UIKit/UIKit.h>
#import <rocketbootstrap.h>

#pragma mark - Initialize

#define MACH_PORT_NAME "com.corehell.finger"

// Server-side callback invoked for every message delivered to the local port.
// Returning NULL means "no reply data".
static CFDataRef messageCallBack(CFMessagePortRef local, SInt32 msgid, CFDataRef cfData, void *info) {
    NSLog(@"[SE] Receive Message Id: %d", (int)msgid);
    return NULL;
}

#pragma mark - Constructor

%ctor {
    // As posted: the result is not checked for NULL before being handed to
    // rocketbootstrap (see the follow-up below for why that matters on iOS 12).
    CFMessagePortRef local = CFMessagePortCreateLocal(NULL, CFSTR(MACH_PORT_NAME), messageCallBack, NULL, NULL);
    if (rocketbootstrap_cfmessageportexposelocal(local) != 0) {
        NSLog(@"[SE] RocketBootstrap failed");
        return;
    }

    // Attach the port to the host process's main run loop so the callback fires.
    CFRunLoopSourceRef source = CFMessagePortCreateRunLoopSource(NULL, local, 0);
    CFRunLoopAddSource(CFRunLoopGetCurrent(), source, kCFRunLoopDefaultMode);
    CFRelease(source); // the run loop keeps its own reference

    NSLog(@"[SE] Mach port initialized successfully.");
}

Steps:

  1. make package
  2. make install
  3. ldrestart
  4. Device hangs, then reboots

Other notes:

The phone shows a black screen (the display does not turn off)

Environment:

iOS 12.4, unc0ver jailbreak

Update

I changed the hooked process to my own app; it dies in rocketbootstrap_cfmessageportexposelocal, and the console shows:

2019-08-26 16:57:35.100512+0800 Fun2[3679:17932] *** CFMessagePort: bootstrap_register(): failed 1100 (0x44c) 'Permission denied', port = 0x2903, name = 'com.corehell.finger'
See /usr/include/servers/bootstrap_defs.h for the error codes.
(lldb) 

The socat log is below. It looks a bit like the output for an unsigned binary, but after signing manually with ldid -S it still prints the following:

Aug 26 17:47:49 yujieteki-iPhone com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent) <Warning>: Unknown key for integer: _DirtyJetsamMemoryLimit
Aug 26 17:47:49 yujieteki-iPhone Fun2[4356] <Notice>: MS:Notice: Injecting: com.apple.backboarddgm [Fun2] (1575.17)
Aug 26 17:47:49 yujieteki-iPhone Fun2[4356] <Error>: MS:Error: process is not CS_VALID
Aug 26 17:47:49 yujieteki-iPhone Fun2[4356] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SimulateHIDEvent.dylib
1 like

There should be crash logs under /User/Library/Logs/CrashReporter/; it looks like rocketbootstrap isn't supported.

Thanks for the reply.
After I launch the hooked app, socat shows <Error>: MS:Error: process is not CS_VALID, but even after using ldid -S it still reports this error.

ldid doesn't support SHA-256 signatures; try jtool.

1 like

After signing with jtool (SHA256) it still reports <Error>: MS:Error: process is not CS_VALID, but it no longer crashes.

One last question: I enabled "Set CS_DEBUGGED" in the unc0ver jailbreak tool, so why is signing still needed?

Not sure about that.

I figured out why it crashes.
On iOS 12, when the tweak calls CFMessagePortCreateLocal it returns NULL; I then passed that NULL to rocketbootstrap_cfmessageportexposelocal, which got the process (backboardd) killed, so the process could not come up, and after it repeatedly failed to start the system rebooted itself.
I then tested, without changing the code, that inside SpringBoard CFMessagePortCreateLocal returns a proper instance. That is the iOS 12 situation.
On iOS 11, after hooking backboardd, CFMessagePortCreateLocal does not return NULL and the service runs normally.
So the question is why backboardd on iOS 12 gets NULL back from CFMessagePortCreateLocal... could backboardd have become sandboxed? (just guessing ;]

1 like
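The finding above (a NULL port handed straight to rocketbootstrap_cfmessageportexposelocal takes the host process down) is the kind of failure a tweak must absorb rather than propagate, because a crash loop in backboardd costs the whole device. Below is an added example, not the poster's code or part of RocketBootstrap, of the same server set-up with the missing checks, plus the matching client call an app would make. The port name "com.example.simulatehidevent", the message id and the process-name check are assumptions; the RocketBootstrap functions and CoreFoundation calls are the real APIs.

```objectivec
// Added example (not the original poster's code): RocketBootstrap server
// hardened against a NULL local port, plus a client that sends one request.
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import <rocketbootstrap.h>

#define SE_PORT_NAME "com.example.simulatehidevent"   // assumed port name
enum { SE_MSG_PING = 1 };                             // assumed message id

static CFMessagePortRef sLocalPort = NULL;

// Server-side callback: answer with a tiny acknowledgement so a client can
// tell "server alive" from "request silently dropped".
static CFDataRef SEMessageCallback(CFMessagePortRef local, SInt32 msgid,
                                   CFDataRef data, void *info) {
    NSLog(@"[SE] received msgid=%d, %ld bytes", (int)msgid,
          data ? (long)CFDataGetLength(data) : 0L);
    const UInt8 ack[] = { 'o', 'k' };
    return CFDataCreate(kCFAllocatorDefault, ack, sizeof(ack)); // CF releases it
}

// Returns YES only when the port exists and is exposed. A NULL port is never
// passed on to rocketbootstrap; the tweak simply stays dormant in that host.
static BOOL SEStartServer(void) {
    if (sLocalPort) return YES;
    CFMessagePortRef port = CFMessagePortCreateLocal(kCFAllocatorDefault,
                                                     CFSTR(SE_PORT_NAME),
                                                     SEMessageCallback, NULL, NULL);
    if (!port) {
        // This is the iOS 12 backboardd case from the thread: log and bail out
        // instead of crashing the host.
        NSLog(@"[SE] CFMessagePortCreateLocal returned NULL in %@; server disabled",
              [[NSProcessInfo processInfo] processName]);
        return NO;
    }
    kern_return_t kr = rocketbootstrap_cfmessageportexposelocal(port);
    if (kr != KERN_SUCCESS) {
        NSLog(@"[SE] rocketbootstrap_cfmessageportexposelocal failed: %d", (int)kr);
        CFMessagePortInvalidate(port);
        CFRelease(port);
        return NO;
    }
    CFRunLoopSourceRef source = CFMessagePortCreateRunLoopSource(kCFAllocatorDefault, port, 0);
    CFRunLoopAddSource(CFRunLoopGetMain(), source, kCFRunLoopDefaultMode);
    CFRelease(source);            // the run loop retains the source
    sLocalPort = port;            // keep the port alive for the process lifetime
    return YES;
}

// Client side (for example the poster's own app): look the port up through
// RocketBootstrap, send one request and wait at most one second for the reply.
static BOOL SESendPing(void) {
    CFMessagePortRef remote =
        rocketbootstrap_cfmessageportcreateremote(kCFAllocatorDefault, CFSTR(SE_PORT_NAME));
    if (!remote) {
        NSLog(@"[SE] server port not registered (tweak not loaded or host died)");
        return NO;
    }
    CFDataRef reply = NULL;
    SInt32 rc = CFMessagePortSendRequest(remote, SE_MSG_PING, NULL,
                                         1.0, 1.0, kCFRunLoopDefaultMode, &reply);
    BOOL ok = (rc == kCFMessagePortSuccess) && reply && CFDataGetLength(reply) == 2;
    if (reply) CFRelease(reply);
    CFRelease(remote);
    return ok;
}

%ctor {
    // Only act as the server inside backboardd (assumed check; a Filter plist
    // would normally restrict injection to that process).
    NSString *proc = [[NSProcessInfo processInfo] processName];
    if ([proc isEqualToString:@"backboardd"]) {
        SEStartServer();
    }
}
```

The point of the structure is that every failure path in SEStartServer returns cleanly and leaves backboardd running, so the worst case is a missing feature rather than the launchd respawn loop seen in the log at the top of the thread; SESendPing similarly reports a missing server instead of blocking or crashing the caller.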
ldid -Hsha256 -S/usr/share/entitlements/debugserver.xml /private/var/tmp/debugserver

Correction: the ldid that ships with unc0ver does support sha256.

Signing and the code-segment hash are two different layers.

How do you restart after hooking backboardd? Please guide a newbie.

Do you mean how to write the Makefile?
Add this at the bottom:

after-install::
	install.exec "killall -9 SpringBoard"

Did the backboardd hook work?

#import <substrate.h>
#import <objc/runtime.h>

// Globals the snippet relies on (declared elsewhere in the poster's tweak)
static NSMutableDictionary *STTouches;
static BOOL iOS7;
// new_IOHIDEventSystemOpen / orig_IOHIDEventSystemOpen: the replacement and
// the saved original for IOHIDEventSystemOpen; their definitions are not in the post.

MSInitialize {
    STTouches = [[NSMutableDictionary alloc] init];
    NSLog(@"MSInitialize successfully");
    if (objc_getClass("BKHIDSystemInterface")) {
        iOS7 = YES;
    } else {
        iOS7 = NO;
    }
    MSHookFunction(&IOHIDEventSystemOpen, &new_IOHIDEventSystemOpen, &orig_IOHIDEventSystemOpen);
}

backboardd keeps restarting.

May I ask whether the problem "on iOS 12 a tweak calling CFMessagePortCreateLocal returns NULL" was ever solved?