Install DebugServer for iOS


Extract DebugServer

$ ls /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/

...

$ hdiutil mount /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/15.5/DeveloperDiskImage.dmg
正在检查“Whole_Disk”的校验和…
..................................................................................................................................................................................................................................................
                          Whole_Disk:已验证CRC32 $D034FA6C
已验证CRC32 $8E250F8D
/dev/disk4          	                               	/Volumes/DeveloperDiskImage

$ cp /Volumes/DeveloperDiskImage/usr/bin/debugserver . 
$ hdiutil unmount /Volumes/DeveloperDiskImage
"/Volumes/DeveloperDiskImage" unmounted successfully.

$ file debugserver 
debugserver: Mach-O universal binary with 2 architectures: [arm64:Mach-O 64-bit executable arm64] [arm64e:Mach-O 64-bit executable arm64e]
debugserver (for architecture arm64):	Mach-O 64-bit executable arm64
debugserver (for architecture arm64e):	Mach-O 64-bit executable arm64e

$ xcrun -sdk iphoneos lipo -thin arm64  debugserver -output debugserver_arm64

Entitlements

View

codesign -d -v --entitlements - --xml debugserver_arm64 
Executable=/Users/sskaje/Work/hiksemi/debugserver_arm64
Identifier=com.apple.debugserver
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=5134 flags=0x2(adhoc) hashes=150+7 location=embedded
Signature=adhoc
Info.plist entries=5
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>seatbelt-profiles</key><array><string>debugserver</string></array><key>com.apple.private.cs.debugger</key><true/><key>com.apple.private.memorystatus</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>com.apple.private.logging.diagnostic</key><true/><key>com.apple.backboardd.debugapplications</key><true/><key>com.apple.frontboard.debugapplications</key><true/><key>com.apple.backboardd.launchapplications</key><true/><key>com.apple.frontboard.launchapplications</key><true/><key>com.apple.springboard.debugapplications</key><true/></dict></plist>

ent.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.private.cs.debugger</key><true/>
	<key>com.apple.private.memorystatus</key><true/>
	<key>com.apple.security.network.client</key><true/>
	<key>com.apple.security.network.server</key><true/>
	<key>com.apple.private.logging.diagnostic</key><true/>
	<key>com.apple.backboardd.debugapplications</key><true/>
	<key>com.apple.frontboard.debugapplications</key><true/>
	<key>com.apple.backboardd.launchapplications</key><true/>
	<key>com.apple.frontboard.launchapplications</key><true/>
	<key>com.apple.springboard.debugapplications</key><true/>

	<key>run-unsigned-code</key> <true/>
	<key>get-task-allow</key> <true/>
	<key>task_for_pid-allow</key> <true/>

</dict>
</plist>

The stock debugserver is signed with a seatbelt-profiles entitlement that confines it to the "debugserver" sandbox profile:

	<key>seatbelt-profiles</key>
	<array>
	<string>debugserver</string>
	</array>

With that profile in place, the binary cannot accept the remote connection on the device and fails like this:

iPhone:~ root# debugserver 192.168.11.40:12345 -waitfor HiStor 
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-1316.2.4.18
 for arm64.
Waiting to attach to process HiStor...
Listening to port 12345 for a connection from 192.168.11.40...
Failed to get connection from a remote gdb process.
Exiting.

Replace Entitlements

codesign -s - --entitlements ent.xml -f debugserver_arm64 
debugserver_arm64: replacing existing signature
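The ent.xml above was written by hand. As an added example (not code from the original post), the following Python script does the same edit mechanically: it parses the plist that `codesign -d --entitlements - --xml` prints, drops the seatbelt-profiles key, adds the three debugging entitlements from ent.xml, and offers a check() that reports whether a given entitlements blob still carries the sandbox profile or lacks any of the debug keys. The embedded sample plist is a constructed, shortened copy of the stock binary's entitlements so the script runs offline; the file name make_ent.py in the usage note is an assumption.

```python
import plistlib
import sys
from typing import List

# Entitlement that confines debugserver to the "debugserver" sandbox profile;
# the post shows this is what keeps the stock binary from accepting a connection.
SANDBOX_KEY = "seatbelt-profiles"

# Entitlements ent.xml adds so the re-signed binary may attach to other processes.
DEBUG_ENTITLEMENTS = {
    "run-unsigned-code": True,
    "get-task-allow": True,
    "task_for_pid-allow": True,
}

# Constructed sample: a shortened copy of what `codesign -d --entitlements - --xml`
# printed for the stock binary, embedded here so the script runs without a device.
STOCK_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>seatbelt-profiles</key><array><string>debugserver</string></array>
<key>com.apple.private.cs.debugger</key><true/>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.network.server</key><true/>
</dict></plist>
"""


def rewrite_entitlements(xml_bytes: bytes) -> dict:
    """Parse an entitlements plist, drop the sandbox profile, add the debug keys."""
    ents = plistlib.loads(xml_bytes)
    ents.pop(SANDBOX_KEY, None)
    ents.update(DEBUG_ENTITLEMENTS)
    return ents


def to_xml(ents: dict) -> bytes:
    """Serialize back to the XML plist form that codesign --entitlements accepts."""
    return plistlib.dumps(ents, fmt=plistlib.FMT_XML, sort_keys=False)


def check(xml_bytes: bytes) -> List[str]:
    """Return the problems found in an entitlements plist; empty means it matches ent.xml."""
    ents = plistlib.loads(xml_bytes)
    problems = []
    if SANDBOX_KEY in ents:
        problems.append(f"{SANDBOX_KEY} still present: {ents[SANDBOX_KEY]}")
    for key in DEBUG_ENTITLEMENTS:
        if ents.get(key) is not True:
            problems.append(f"missing {key}")
    return problems


if __name__ == "__main__":
    # Read the plist from stdin when piped; fall back to the embedded sample otherwise.
    src = STOCK_ENTITLEMENTS_XML if sys.stdin.isatty() else sys.stdin.buffer.read()
    sys.stdout.buffer.write(to_xml(rewrite_entitlements(src)))
```

Usage, assuming the script is saved as make_ent.py: `codesign -d --entitlements - --xml debugserver_arm64 | python3 make_ent.py > ent.xml`, then re-sign with the same `codesign -s - --entitlements ent.xml -f debugserver_arm64` command shown above. Running `codesign -d --entitlements - --xml` again on the re-signed binary and feeding it to check() is a quick way to confirm the seatbelt-profiles key is really gone before copying the binary to the device.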

Scp to server

scp debugserver_arm64 root@192.168.11.11:~/

If on palera1n

cp debugserver_arm64 /var/jb/usr/bin/debugserver

HiStor

$ debugserver '*:12345' -waitfor HiStor

lldb

(lldb) platform select remote-ios
  Platform: remote-ios
 Connected: no
  SDK Path: "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
 SDK Roots: [ 0] "/Users/sskaje/Library/Developer/Xcode/iOS DeviceSupport/iPhone8,1 15.8.2 (19H384)"
(lldb) target create HiStor
Current executable set to '/Users/sskaje/Work/hiksemi/ios/Payload/HiStor.app/HiStor' (arm64).
(lldb) process connect connect://192.168.11.156:12345

Useless note

(lldb) memory read -f y -c 4 -s 1 $pc
0x105280e98: 48 61 74 94
(lldb) memory write  $pc f0 60 74 94 
(lldb) memory read -f y -c 4 -s 1 $pc
0x105280e98: f0 60 74 94

