ChiChou / bagbak

Yet another frida based iOS dumpdecrypted. Also decrypts app extensions

Dopamine is not supported

huyongnd opened this issue · comments

Describe the bug
The dump completes normally, but the generated ipa is still encrypted.

To Reproduce
Steps to reproduce the behavior: dumped 金铲铲之战 with the bagbak command; everything looked normal during the process.

Screenshots
[screenshots]

Desktop (please complete the following information):

  • OS: macOS 13.4
  • nodejs: v19.7.0
  • frida-node: [e.g. v12.9.6]
  • frida on device version: 16.0.19
  • iOS and jailbreak version: 15.0.1
  • The app you are trying to work on [e.g. com.example.app]: 金铲铲之战(com.tencent.jkchess)

Additional context
Add any other context about the problem here.

One more thing: I re-read your WeChat official-account article, switched node to the LTS version and ran through it again, still the same. The phone is an iPhone 13 mini.

Try upgrading to the latest with npm i -g bagbak@latest (currently 3.0.8). If that still doesn't work, please run it with the DEBUG parameter and post the log:

DEBUG=1 bagbak 金铲铲之战 --raw -f

Thanks for the reply. Upgraded to the latest 3.0.9; now it errors out whether or not DEBUG is set, with the same error each time:

chmod: changing permissions of '/private/var/containers/Bundle/Application/BF34B336-8101-4876-A9B4-B4832B1ECA5E/WeChat.app/WeChat': Operation not permitted
file:///opt/homebrew/lib/node_modules/bagbak/index.js:82
            reject(new Error(`remote command "${cmd}" exited with code ${code}`));
                   ^

Error: remote command "chmod +xX '/private/var/containers/Bundle/Application/BF34B336-8101-4876-A9B4-B4832B1ECA5E/WeChat.app/WeChat'" exited with code 1
    at Channel.<anonymous> (file:///opt/homebrew/lib/node_modules/bagbak/index.js:82:20)
    at Channel.emit (node:events:524:35)
    at doClose (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/utils.js:101:21)
    at onCHANNEL_CLOSE (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/utils.js:108:7)
    at CHANNEL_CLOSE (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/client.js:705:11)
    at 97 (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/handlers.misc.js:999:16)
    at Protocol.onPayload (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/Protocol.js:2052:10)
    at ChaChaPolyDecipherBinding.decrypt (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/crypto.js:851:26)
    at Protocol.parsePacket [as _parse] (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/Protocol.js:2021:25)
    at Protocol.parse (/opt/homebrew/lib/node_modules/bagbak/node_modules/ssh2/lib/protocol/Protocol.js:306:16)

Node.js v19.7.0

The Dopamine jailbreak requires changing the default ssh password, so the password has been changed. The Mac's public key has been uploaded, and I can connect to the phone normally with the ssh command.

This is the handling that was added to fix #105.

According to this post (web archive snapshot), running chmod to change an app's permissions fails under Dopamine.

As a temporary workaround you can edit /opt/homebrew/lib/node_modules/bagbak/index.js and comment out line 134:

await this.#executableWorkaround(mainExecutable);

About ssh: this tool's ssh protocol doesn't depend on the system ssh command; it is implemented directly in JS. Reaching this line of code means the connection was already established.

Didn't expect such a quick reply. After commenting it out, the error is:

main executable => /private/var/containers/Bundle/Application/BF34B336-8101-4876-A9B4-B4832B1ECA5E/WeChat.app/WeChat
pid => 3951
node:internal/process/promises:289
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[Error: Unable to find process with pid 3951]

Node.js v19.7.0

Give up; this shows that frida on this version doesn't fully support spawn.

iOS 14 unc0ver and iOS 16 checkm8 both have no problems.

OK, thanks!

I can reproduce this issue on macOS Mojave, iPhone 7 with rootful palera1n on iOS 14.8:

[screenshot]

this issue does not exist on any version before v3.

@asdfzxcvbn it’s a bug on 3.0.x-3.0.7, please check if it still reproduces on 3.0.9


my screenshot shows the bug happening on v3.0.9.

@asdfzxcvbn do you have debug logs?

yeah, here: https://f.zxcvbn.fyi/bagbak-debug.txt

Thanks. I am on my phone now, will get back to you later

@asdfzxcvbn it should be fixed in v3.0.11 d7121f0#diff-8ca1d3a7e38fa539bf8a44bd7806039caab17e6e0861bf11a1340f325cf48103L109

otool reports back that it's decrypted like it should be, but the apps themselves crash on launch

Sometimes apps have self-protection against running when repacked. Please add get-task-allow to the app and debug what caused the termination, or at least give me some idevicecrashreport logs.

➜  ipastuff git:(main) ideviceinstaller -i ./decrypted/com.sanfordguide.amt-6.3.1.ipa 
WARNING: could not locate iTunesMetadata.plist in archive!
Copying './decrypted/com.sanfordguide.amt-6.3.1.ipa' to device... AFC Write error: 30
Error: wrote only 0 of 1048576

here's one thing I could find from logs. maybe this plist missing is the cause?

no, a lot of apps don't have iTunesMetadata.plist.

oh okay, well the AFC write error looks related then. the metadata plist is just a warning

spotify doesn't have sideload detection, and the dumped app works on bagbak v2.6.6. here's the crash log though: https://f.zxcvbn.fyi/Spotify-2023-06-17-140206.ips.txt

here's another error, i guess its a better one

➜  ipastuff git:(main) ✗ bash ./download-ipa.sh https://apps.apple.com/in/app/sanford-guide/id863196620
⬇️ Installing com.sanfordguide.amt to the phone...
ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008001: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.6AswP9/extracted/Payload/sanfordguideiapamt.app : 0xe8008001 (An unknown error has occurred.)
❌ Failed to install com.sanfordguide.amt. Exiting.

I don't think that has anything to do with bagbak. you need to codesign your app before installing it.

oh yeah 😂 i forgot

@asdfzxcvbn Confirmed. v3.0.0-3.0.13 have a critical bug

1f4aba1#diff-3782ce3815652539832b31d11e68943cc074f23a3cd8527ac9159be5008afaea

finally working as intended! THANK YOU !!

➜  ipastuff git:(main) ideviceinstaller -i ./decrypted/com.sanfordguide.amt-6.3.1.ipa 
WARNING: could not locate iTunesMetadata.plist in archive!
Copying './decrypted/com.sanfordguide.amt-6.3.1.ipa' to device... AFC Write error: 30
Error: wrote only 0 of 1048576

here's one thing i could find from logs. maybe this plist missing is the cause?

is this the log that helped figure out the problem?

It shouldn’t have anything to do with afc

He mentioned that v2.6.6 works so I just binary diff-ed two artifacts

@huyongnd 3.2.0 changed the spawn implementation, but I don't have a device on hand, so I can't confirm whether it supports Dopamine.

System version 15.4.1, Dopamine jailbreak, error:
node:internal/process/promises:289
triggerUncaughtException(err, true /* fromPromise */);
^

[Error: Process with pid 91283 either refused to load frida-agent, or terminated during injection]

@CodeTips

frida crashed while attaching to the process; you need to look at Console.app or idevicesyslog to find out who did it.

[screenshot]
Previously the dump also completed normally but the generated ipa was still encrypted.
After upgrading to the latest version it started erroring out.

Look for the logs of the ReportCrash process; also, the idevicecrashreport tool (or Xcode) can export the full ips report.

<redacted>

This ips was generated right after the run.

Thanks @CodeTips. I pushed another branch, https://github.com/ChiChou/bagbak/tree/dopamine

git clone https://github.com/ChiChou/bagbak.git
pushd bagbak
git checkout dopamine
npm i
./bin/bagbak.js --raw com.google.chrome.ios

Give it a try.

[info] pulling app bundle from device, please be patient
[info] downloaded 3257 files and 2626 folders
[info] app bundle downloaded
Failed to attach to pid 11047, skipping...
Warning: Unable to dump Chrome
Frameworks/ChromeInternal.framework/ChromeInternal
Frameworks/ChromeSSOInternal.framework/ChromeSSOInternal
Failed to attach to pid 11048, skipping...
Warning: Unable to dump PlugIns/content_widget_extension.appex/content_widget_extension
Failed to attach to pid 11049, skipping...
Warning: Unable to dump PlugIns/credential_provider_extension.appex/credential_provider_extension
Failed to attach to pid 11050, skipping...
Warning: Unable to dump PlugIns/intents_extension.appex/intents_extension
Failed to attach to pid 11051, skipping...
Warning: Unable to dump PlugIns/open_extension.appex/open_extension
Failed to attach to pid 11052, skipping...
Warning: Unable to dump PlugIns/search_widget_extension.appex/search_widget_extension
Failed to attach to pid 11053, skipping...
Warning: Unable to dump PlugIns/share_extension.appex/share_extension
Failed to attach to pid 11054, skipping...
Warning: Unable to dump PlugIns/widget_kit_extension.appex/widget_kit_extension
file:///Users/x/Documents/Github/bagbak/index.js:233
await this.#device.kill(SpringBoard);
^

ReferenceError: SpringBoard is not defined
at BagBak.dump (file:///Users/x/Documents/Github/bagbak/index.js:233:29)
at async main (file:///Users/x/Documents/Github/bagbak/bin/bagbak.js:143:7)

Node.js v21.5.0
This time there are only Chrome-related ips files.

@CodeTips That means posix_spawn from launchd doesn't work either; the only way left is _launch_job_routine, a private function with very complicated parameters. I'd still like to see what the ips says. Also, does Console.app show a log from the kernel process like this one?

hook..execve() killing [pid= 11047, uid=0]: only launchd is allowed to spawn untrusted binaries

[screenshot]
That is the only hook..execve()-related log line.
<redacted>
Above is the generated ips; every extension has one, and the contents are basically the same.

I think that this issue could be closed because Dopamine 2.0.9 solves the long standing issue about Frida spawn.

@huyongnd I've heard the new Dopamine version fixes this problem.

@ChiChou I think I wrote too early!

Describe the bug

  1. The app is not decrypted.
  2. After decryption the app on jailbroken device can't launch anymore. Because (from Console.app) SpringBoard claims:
    [com.spotify.client - signature state: Unknown, reason: Error - 49165: reason: An unexpected error was encountered (0xC00D)

To Reproduce

$ export SSH_USERNAME='mobile'                 
$ export SSH_PASSWORD='alpine'
$ export SSH_PORT=22          
$ export DEBUG_SCP=1
$ npx -- bagbak -U -d 'com.spotify.client'

Full output

Video
https://we.tl/t-02SuRiT4FL

Desktop:

  • OS: macOS 13.6.4 (22G513)
  • nodejs: v21.6.2
  • frida on device version: 16.2.1
  • iOS and jailbreak version: 15.6 (19G69) and Dopamine 2.0.9
  • The app you are trying to work on com.spotify.client, AppStore link
  • bagbak version: 3.2.2 (commit 9ddf8b9 from origin/main)

@miticollo I am implementing another workaround totally ignoring posix_spawn right now