Investigate problems with the iPhone on iOS 16

[baltpeter]

The silver iPhone X (currently on iOS 16, not sure if that's related) is exhibiting quite a few problems that the black one (currently on iOS 15) doesn't have:

• I wasn't able to obtain the onboard SHSH blobs (Save SHSH blobs for our iPhones #9 (comment)).
• The SSH server initially didn't work and had to be reinstalled (Decide which iPhones we want to buy and set them up #4 (comment)).
• frida.spawn() fails with This system service instance does not support "openApplication" (New method for opening apps on iOS (to replace Activator) appstraction#11 (comment)).
• frida -UF fails with No frontmost application on iOS Device even if there is in fact one.
• frida-ps -Ua always (wrongly) returns No running applications., frida-ps -Uai always wrongly returns No installed applications. (New method for opening apps on iOS (to replace Activator) appstraction#11 (comment)).
• Attaching to processes by bundle ID doesn't work (e.g. frida -U -N com.apple.Preferences with Failed to attach: unable to find process with identifier 'com.apple.Preferences'), while attaching by name (e.g. frida -U Settings¹) works. This breaks appstraction. I'm assuming the underlying problem here is the same as with the frida-ps issue.

Footnotes

1. Annoyance: on iOS 16, it's frida -U Preferences, on iOS 15, it's frida -U Settings. -.- ↩

[baltpeter]

I have tried the Tools -> Do All (UICache, Remount r/w, Launch Daemons, Respring, Activate Tweaks) option in the palera1n app multiple times. That didn't help.

[baltpeter]

Reinstalling Frida doesn't help either.

Maybe relevant: After install, it fails to load the launch daemon. But Frida is still getting started and runs.

[baltpeter]

It's entirely possible that this could be fixed by a reboot. But reapplying the jailbreak annoyingly takes like half an hour. I'll switch to the black iPhone for now and look into this again in the future.

[baltpeter]

A reboot did not fix the problem. At least I learned that re-jailbreaking after a reboot only takes like two minutes.

[zner0L]

I cannot reproduce any of the problems you encountered on my iPhone X with iOS 16.3.1 and frida-server version 16.0.19. However, setting the proxy seems to be broken somehow. The process starts to hang on saveSettingsOperation.start() in the setProxy frida script.

[zner0L]

The problems with frida-server are apparently a bug in frida (frida/frida#2375). It seems like removing LimitLoadToSessionType as suggested (frida/frida#2375 (comment)) fixed it as a workaround. What do you say, should I implement this in tweaselORG/appstraction#59?

[baltpeter]

The problems with frida-server are apparently a bug in frida (frida/frida#2375). It seems like removing LimitLoadToSessionType as suggested (frida/frida#2375 (comment)) fixed it as a workaround. What do you say, should I implement this in tweaselORG/appstraction#59?

I would like to understand what that option does before deciding. But I have had that problem as well, so a fix would be nice.

[zner0L]

Session types define the context in which a services runs. In the case of leaving this option out, the default is the Aqua context on macOS, which is the GUI context. I guess, the system context would be nicer, but considering the iPhone always has a GUI context and we cannot bind to the System context anyway this should be fine. We could also try to the the Background context. More info on session types in macOS: https://developer.apple.com/library/archive/technotes/tn2083/_index.html#//apple_ref/doc/uid/DTS10003794-CH1-SUBSUBSECTION5

I tried it out now and I didn’t encounter any problem with frida so far. But I guess, if we consider to start frida ourselves anyway (tweaselORG/appstraction#73) this isn’t as necessary anymore.

[baltpeter]

I still don't really understand the implications of these contexts, but if the default works, that's fine I guess.

I would consider the fact that the startup script doesn't work an upstream bug that I would much rather have them fix. But if we do implement a workaround, changing the startup script seems nicer, since that also fixes the problem when not using our tools.

[zner0L]

Well, I would like to implement both, I guess. The latter would of course only work if the ssh capability is enabled.

[zner0L]

I implemented the workarounds in tweaselORG/appstraction#74.

[baltpeter]

I am now on Frida 16.0.19. Somewhere along the line, the following problems seem to have been fixed:

• frida -UF fails with No frontmost application on iOS Device
• frida-ps -Ua always (wrongly) returns No running applications., frida-ps -Uai always wrongly returns No installed applications..

Those were the major ones, I guess. Running the iOS example script now works.