Frida console: typing Swift. crashes the app process #8

Open
jpstotz opened this issue Feb 24, 2023 · 6 comments

Comments

jpstotz commented Feb 24, 2023

Observed on iOS 14.2. Just typing on the Frida console: Swift. crashes the app. It happens on any pre-installed app that belongs to iOS (Messages, App Store, ...).

If I use Twitter app from App Store (I get v9.44 for iOS 14.2) I get a tiny bit further: It crashes after executing the command Swift.available.

frida -U Messages
     ____
    / _  |   Frida 16.0.10 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Apple iPhone (id=00008020-0001695C2EC3002E)

[Apple iPhone::Messages ]-> Swift.Process crashed: SIGABRT

***
Incident Identifier: 38CF3D02-0417-4456-9147-3B47BE1AAEEE
CrashReporter Key:   595f1e4e8d21aa3eadc5f578b8a3de5870f9ef0f
Hardware Model:      iPhone11,8
Process:             MobileSMS [2174]
Path:                /Applications/MobileSMS.app/MobileSMS
Identifier:          com.apple.MobileSMS
Version:             6000 (14.0)
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           com.apple.MobileSMS [1038]


Date/Time:           2023-02-24 12:04:47.4189 +0100
Launch Time:         2023-02-24 12:04:24.1619 +0100
OS Version:          iPhone OS 14.2 (18B92)
Release Type:        User
Baseband Version:    3.01.01
Report Version:      104

Exception Type:  EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Triggered by Thread:  10

jpstotz (Author) commented Feb 24, 2023

I tried to understand what is going wrong by identifying the code that makes the app crash. Therefore I checked out and built this project as described, then tried to add console.log statements to the code to narrow down the problematic part.

Unfortunately this TypeScript project seems to be configured rather strangely, as there is no console.log available, and I am not familiar enough with such projects to make it work :(

osown commented Mar 16, 2023

Same here, after typing Swift. frida dies.

frida -U -f com.apple.mobilesafari
     ____
    / _  |   Frida 16.0.11 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to iOS Device (id=fe3ade8c294adf31dc08d43e3e069cffa288840a)
Spawned `com.apple.mobilesafari`. Resuming main thread!
[iOS Device::com.apple.mobilesafari ]-> Swift.Process terminated
[iOS Device::com.apple.mobilesafari ]-> Swift.

Thank you for using Frida!

NSEcho (Member) commented May 23, 2023

This is due to using Module.ensureInitialized("CoreFoundation"): if CoreFoundation is not loaded, Gum throws an error, which crashes the app. This should probably be replaced with non-crashing code that at least makes Swift.available return false.
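
One way to make the availability check non-fatal, as an added example that is not frida-swift-bridge's own code: probe the module first with Process.findModuleByName (which returns null rather than throwing), then call Module.ensureInitialized inside a try/catch, and expose `available` as a lazily evaluated getter that can only ever yield true or false. The probe takes its two Frida calls as an injected `env` object so the same file also runs under plain Node.js; the `stubEnv` helper below is a constructed stand-in that models the two behaviours assumed here for Frida 16.x (findModuleByName returning null for an unloaded module, ensureInitialized throwing for one). Inside a real agent you would pass `{ findModuleByName: n => Process.findModuleByName(n), ensureInitialized: n => Module.ensureInitialized(n) }`.

```javascript
// Added example (not the bridge's own code): a non-throwing runtime probe.
//
// Frida semantics this relies on (assumed for Frida 16.x):
//   Process.findModuleByName(name) -> Module | null
//   Module.ensureInitialized(name) -> throws an Error if `name` is not loaded
// An exception escaping the agent while the REPL evaluates `Swift.` takes the
// target process down, so the probe must never let one propagate.

// Probe whether `moduleName` is loaded and initialised in the target.
// `env` exposes `findModuleByName` and `ensureInitialized` (see lead-in).
function probeRuntime(env, moduleName) {
  let mod = null;
  try {
    mod = env.findModuleByName(moduleName);
  } catch (e) {
    return { available: false, reason: `findModuleByName failed: ${e.message}` };
  }
  if (mod === null) {
    // The library is simply absent (e.g. a process that never loaded it).
    return { available: false, reason: `${moduleName} is not loaded` };
  }
  try {
    env.ensureInitialized(moduleName);
  } catch (e) {
    // Present but Gum refused to initialise it: still report "unavailable"
    // instead of crashing the app.
    return { available: false, reason: `ensureInitialized failed: ${e.message}` };
  }
  return { available: true, reason: 'ok', base: mod.base };
}

// A bridge-style namespace whose `available` getter is evaluated lazily and
// caches the result, so repeated REPL completions do not re-probe.
function makeBridge(env, moduleName) {
  let cached;
  return {
    get available() {
      if (cached === undefined) cached = probeRuntime(env, moduleName).available;
      return cached;
    },
  };
}

// Constructed stub (not Frida): `loadedModules` lists what the fake target
// has mapped. Base address is a made-up placeholder.
function stubEnv(loadedModules) {
  return {
    findModuleByName(name) {
      return loadedModules.includes(name) ? { name, base: '0x1b1a74000' } : null;
    },
    ensureInitialized(name) {
      if (!loadedModules.includes(name)) throw new Error(`unable to find module '${name}'`);
    },
  };
}

// Stand-alone demo: a target with CoreFoundation and one without it.
console.log(probeRuntime(stubEnv(['CoreFoundation']), 'CoreFoundation'));
console.log(probeRuntime(stubEnv([]), 'CoreFoundation'));
console.log('Swift.available ->', makeBridge(stubEnv([]), 'CoreFoundation').available);
```

The same shape applies to any bridge's `available` flag (the Android `Java.available` report later in this thread is the analogous check): the value a REPL completion triggers must be computed without a path that can throw.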

taoyuliang commented

The same issue happens on Android. The process is terminated once I type Java or Java.available.
But this only happens with one specific APK; maybe there is some anti-Frida/debugger mechanism included (this APK has one .so file and uses O-LLVM, so it's hard to follow the init_proc function, which is obfuscated by O-LLVM).

novitae commented Mar 4, 2024

Also happening to me

SpiritOfLogic commented Oct 4, 2024

Still happening to me with Frida 16.5.2 on iOS 16.7.10, rootless jailbroken with palera1n. Did anyone find a solution/workaround?

CrashReporter Key:   c1496e033838aa2f9c2858c40c91e1dea93bbcc9
Hardware Model:      iPhone10,6
Process:             CameraTest [3557]
Path:                /private/var/containers/Bundle/Application/DE121378-25CA-4C67-9AF1-EFE0AAC3147F/CameraTest.app/CameraTest
Identifier:          com.spiritoflogic.CameraTest
Version:             1.0 (1)
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           com.spiritoflogic.CameraTest [662]

Date/Time:           2024-10-05 00:22:16.4275 +0200
Launch Time:         2024-10-05 00:22:11.3436 +0200
OS Version:          iPhone OS 16.7.10 (20H350)
Release Type:        User
Baseband Version:    6.01.01
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGABRT)
Exception Subtype: KERN_INVALID_ADDRESS at 0x000000025ccbef81
Exception Codes: 0x0000000000000001, 0x000000025ccbef81
VM Region Info: 0x25ccbef81 is not in any region.  Bytes after previous region: 119893890  Bytes before following region: 590614655
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      unused __TEXT            255a64000-255a68000 [   16K] r--/r-- SM=COW  ...ed lib __TEXT
--->  GAP OF 0x2a598000 BYTES
      MALLOC_NANO              280000000-2a0000000 [512.0M] rw-/rwx SM=COW  
Triggered by Thread:  6

Application Specific Information:
abort() called


Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0:
0   libsystem_kernel.dylib        	       0x1ed299030 mach_msg2_trap + 8
1   libsystem_kernel.dylib        	       0x1ed2aab18 mach_msg2_internal + 75
2   libsystem_kernel.dylib        	       0x1ed2aadb8 mach_msg_overwrite + 483
3   libsystem_kernel.dylib        	       0x1ed299524 mach_msg + 19
4   CoreFoundation                	       0x1b1ae8148 __CFRunLoopServiceMachPort + 155
5   CoreFoundation                	       0x1b1ae92e0 __CFRunLoopRun + 1207
6   CoreFoundation                	       0x1b1aedd20 CFRunLoopRunSpecific + 583
7   GraphicsServices              	       0x1e9bbd998 GSEventRunModal + 159
8   UIKitCore                     	       0x1b3d8034c -[UIApplication _run] + 867
9   UIKitCore                     	       0x1b3d7ffc4 UIApplicationMain + 311
10  SwiftUI                       	       0x1b52a7c68 0x1b52a7bbd + 171
11  SwiftUI                       	       0x1b5221f1c 0x1b5221e91 + 139
12  SwiftUI                       	       0x1b520ef6c 0x1b520ef0d + 95
13  CameraTest                    	       0x10446ec00 main + 28
14  dyld                          	       0x104654344 start + 1860

Thread 1:
0   libsystem_kernel.dylib        	       0x1ed29a800 kevent + 8
1   ???                           	       0x1048c5320 ???
2   ???                           	       0x1048c47d4 ???
3   ???                           	       0x1048c49a8 ???
4   ???                           	       0x1047401a0 ???
5   ???                           	       0x10472427c ???
6   libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
7   libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 2 name:  pool-spawner
Thread 2:
0   libsystem_kernel.dylib        	       0x1ed29987c __psynch_cvwait + 8
1   libsystem_pthread.dylib       	       0x1fc82360c _pthread_cond_wait$VARIANT$armv81 + 1219
2   ???                           	       0x1048e6e70 ???
3   ???                           	       0x1048b2040 ???
4   ???                           	       0x1048d3ce8 ???
5   ???                           	       0x1048d2d7c ???
6   libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
7   libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 3 name:  gmain
Thread 3:
0   libsystem_kernel.dylib        	       0x1ed29a800 kevent + 8
1   ???                           	       0x1048c5320 ???
2   ???                           	       0x1048c47d4 ???
3   ???                           	       0x1048c4858 ???
4   ???                           	       0x1048c56c0 ???
5   ???                           	       0x1048d2d7c ???
6   libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
7   libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 4 name:  pool-frida
Thread 4:
0   libsystem_kernel.dylib        	       0x1ed29987c __psynch_cvwait + 8
1   libsystem_pthread.dylib       	       0x1fc823638 _pthread_cond_wait$VARIANT$armv81 + 1263
2   ???                           	       0x1048e6f7c ???
3   ???                           	       0x1048b2034 ???
4   ???                           	       0x1048b2098 ???
5   ???                           	       0x1048d3b18 ???
6   ???                           	       0x1048d2d7c ???
7   libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
8   libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 5 name:  gdbus
Thread 5:
0   libsystem_kernel.dylib        	       0x1ed29a800 kevent + 8
1   ???                           	       0x1048c5320 ???
2   ???                           	       0x1048c47d4 ???
3   ???                           	       0x1048c49a8 ???
4   ???                           	       0x10487dd08 ???
5   ???                           	       0x1048d2d7c ???
6   libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
7   libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 6 name:  gum-js-loop
Thread 6 Crashed:
0   libsystem_kernel.dylib        	       0x1ed29f198 __pthread_kill + 8
1   libsystem_pthread.dylib       	       0x1fc82e5f8 pthread_kill + 207
2   libsystem_c.dylib             	       0x1b893d80c __abort + 123
3   libsystem_c.dylib             	       0x1b88e84c4 abort + 135
4   ???                           	       0x104765784 ???
5   ???                           	       0x104792624 ???
6   ???                           	       0x1047938b4 ???
7   ???                           	       0x104798bc0 ???
8   ???                           	       0x104943218 ???
9   ???                           	       0x10494c1e4 ???
10  ???                           	       0x10494d234 ???
11  ???                           	       0x104947230 ???
12  ???                           	       0x104947710 ???
13  ???                           	       0x10494db1c ???
14  ???                           	       0x104947230 ???
15  ???                           	       0x104952b1c ???
16  ???                           	       0x104958754 ???
17  ???                           	       0x104952ca8 ???
18  ???                           	       0x10495ecf8 ???
19  ???                           	       0x104943218 ???
20  ???                           	       0x10494c1e4 ???
21  ???                           	       0x10494d0cc ???
22  ???                           	       0x10494d0cc ???
23  ???                           	       0x10494d0cc ???
24  ???                           	       0x10494bfc0 ???
25  ???                           	       0x104943218 ???
26  ???                           	       0x10494c1e4 ???
27  ???                           	       0x10494bfc0 ???
28  ???                           	       0x10495eb30 ???
29  ???                           	       0x10494d3a0 ???
30  ???                           	       0x10494d0cc ???
31  ???                           	       0x10494bfc0 ???
32  ???                           	       0x104798220 ???
33  ???                           	       0x1047982bc ???
34  ???                           	       0x104797ed0 ???
35  ???                           	       0x10478b860 ???
36  ???                           	       0x1048c45f0 ???
37  ???                           	       0x1048c47f8 ???
38  ???                           	       0x1048c49a8 ???
39  ???                           	       0x10478b784 ???
40  ???                           	       0x1048d2d7c ???
41  libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
42  libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 7:
0   libsystem_pthread.dylib       	       0x1fc822718 start_wqthread + 0

Thread 8:
0   libsystem_pthread.dylib       	       0x1fc822718 start_wqthread + 0

Thread 9:
0   libsystem_pthread.dylib       	       0x1fc822718 start_wqthread + 0

Thread 10 name:  com.apple.uikit.eventfetch-thread
Thread 10:
0   libsystem_kernel.dylib        	       0x1ed299030 mach_msg2_trap + 8
1   libsystem_kernel.dylib        	       0x1ed2aab18 mach_msg2_internal + 75
2   libsystem_kernel.dylib        	       0x1ed2aadb8 mach_msg_overwrite + 483
3   libsystem_kernel.dylib        	       0x1ed299524 mach_msg + 19
4   CoreFoundation                	       0x1b1ae8148 __CFRunLoopServiceMachPort + 155
5   CoreFoundation                	       0x1b1ae92e0 __CFRunLoopRun + 1207
6   CoreFoundation                	       0x1b1aedd20 CFRunLoopRunSpecific + 583
7   Foundation                    	       0x1abe3cef8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 207
8   Foundation                    	       0x1abe3cdf4 -[NSRunLoop(NSRunLoop) runUntilDate:] + 59
9   UIKitCore                     	       0x1b3ea2818 -[UIEventFetcher threadMain] + 403
10  Foundation                    	       0x1abe54a5c __NSThread__start__ + 703
11  libsystem_pthread.dylib       	       0x1fc8240ec _pthread_start + 115
12  libsystem_pthread.dylib       	       0x1fc82272c thread_start + 7

Thread 11:
0   libsystem_pthread.dylib       	       0x1fc822718 start_wqthread + 0

Thread 12:
0   libsystem_pthread.dylib       	       0x1fc822718 start_wqthread + 0

Thread 13:
0   libsystem_pthread.dylib       	       0x1fc822718 start_wqthread + 0


Thread 6 crashed with ARM Thread State (64-bit):
    x0: 0x0000000000000000   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0x0000000000000000
    x4: 0x0000000000000000   x5: 0x0000000000989680   x6: 0x0000000000000800   x7: 0x0000000000000b00
    x8: 0x000000016bcdf000   x9: 0x116fbe6982dc3c15  x10: 0x0000000000000b48  x11: 0x8000000000000000
   x12: 0x0000000690064a30  x13: 0x000000087e058000  x14: 0x0000000000003fff  x15: 0x00000000000000f5
   x16: 0x0000000000000148  x17: 0x000000010461f00c  x18: 0x0000000000000000  x19: 0x0000000000000006
   x20: 0x0000000000000d03  x21: 0x000000016bcdf0e0  x22: 0x0000000690061090  x23: 0xffffffffffffffff
   x24: 0x0000000000000006  x25: 0x000000068c1ef380  x26: 0x000000068c330660  x27: 0x0000000000000003
   x28: 0x0000000000000000   fp: 0x000000016bcdbc80   lr: 0x00000001fc82e5f8
    sp: 0x000000016bcdbc60   pc: 0x00000001ed29f198 cpsr: 0x40000000
   far: 0x0000000000000000  esr: 0x56000080  Address size fault

Binary Images:
       0x104640000 -        0x1046bffff dyld arm64  <199941a595ee30548e54ae6387a9fa9a> /cores/usr/lib/dyld
       0x104464000 -        0x1044e3fff CameraTest arm64  <a5c3475e1f3c39c38c680ac6dbf9eef5> /private/var/containers/Bundle/Application/DE121378-25CA-4C67-9AF1-EFE0AAC3147F/CameraTest.app/CameraTest
       0x1045e4000 -        0x1045ebfff systemhook.dylib arm64  <b14375b3e14134dcaaaeb9a3a380e862> /cores/binpack/usr/lib/systemhook.dylib
       0x105aac000 -        0x105ab7fff libobjc-trampolines.dylib arm64  <1ab75847bb2d36f9999a72dd61f86b85> /private/preboot/Cryptexes/OS/usr/lib/libobjc-trampolines.dylib
       0x1ed298000 -        0x1ed2cdff7 libsystem_kernel.dylib arm64  <2e54c705197430d2b37181fd168f8d76> /usr/lib/system/libsystem_kernel.dylib
       0x1b1a74000 -        0x1b1e42fff CoreFoundation arm64  <55b9ba284c5c3fe79c474983337d6e83> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
       0x1e9bbc000 -        0x1e9bc4fff GraphicsServices arm64  <bd39268bdd513b91a12da4a75a6e2308> /System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices
       0x1b3a0f000 -        0x1b5123fff UIKitCore arm64  <1242978a2c2c37818d6c9777edce2804> /System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore
       0x1b5124000 -        0x1b673bfff SwiftUI arm64  <25e5bd9fd5e830ca8531a17b580749b7> /System/Library/Frameworks/SwiftUI.framework/SwiftUI
               0x0 - 0xffffffffffffffff ??? unknown-arch  <00000000000000000000000000000000> ???
       0x1fc821000 -        0x1fc831fff libsystem_pthread.dylib arm64  <78c98f1859853be3bc4bf2a3a34ae906> /usr/lib/system/libsystem_pthread.dylib
       0x1b88cc000 -        0x1b8945fff libsystem_c.dylib arm64  <03790d8154d237b0ad532615960b3c22> /usr/lib/system/libsystem_c.dylib
       0x1abdfe000 -        0x1ac646fff Foundation arm64  <dce5e5872a0d34cf824523e1b12936a9> /System/Library/Frameworks/Foundation.framework/Foundation

EOF
