@fujiokayu
Last active June 12, 2023 15:44
Built frida environment for iOS 14.3 A12 Bionic

Attention

This is a document for security engineers to build environments for their work and should never be used for fraudulent activities.

Environment

  • iPhone XR (A12 Bionic)
  • iOS 14.3
  • frida 15.1.17
  • frida-tools 10.5.4
  • Python 3.6.5

7 March 2022.

Jailbreak

Use Taurine, because:

  • checkra1n does not support A12 devices
  • Chimera does not support iOS 14
  • unc0ver: I tried to jailbreak with it and got an error. Not sure why; I restored rootFS, but that didn't help.

Install frida-server, and Cydia

After jailbreaking, install frida-server and Cydia Installer via the Sileo app.

Install frida-tools

Using frida, with some troubleshooting

frida-ps

  • Connect your computer and iPhone via USB
  • Run frida-ps -Uai in your terminal app

If you get the following error, something is wrong, and it is probably not the Developer Disk Image or Xcode that is at fault.

Failed to enumerate applications: this feature requires an iOS Developer Disk Image to be mounted; run Xcode briefly or use ideviceimagemounter to mount one manually

In my case, restoring rootFS with Taurine, jailbreaking again, and reinstalling frida-server and Cydia Installer made it work.

Run Python scripts

Next, I tried to use frida-ios-dump and got the following error.

need Gadget to attach on jailed iOS; its default location is: /Users/username/.cache/frida/gadget-ios.dylib

Following this issue, I downloaded frida-gadget-15.1.17-ios-universal.dylib.gz from the release page.

$ gunzip ~/Downloads/frida-gadget-15.1.17-ios-universal.dylib.gz
$ mkdir -p ~/.cache/frida
$ mv ~/Downloads/frida-gadget-15.1.17-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib

Then it works. At this point, objection was working as well, so I thought I had it all worked out.

Beware of jailbreak detection bypass tools

When doing security assessments on jailbroken devices, I would use a tweak to bypass jailbreak detection. For iOS 13 and below, you can use Liberty Lite or something like that, but I don't think this works on iOS 14.

A-Bypass or similar tweaks may work, but frida.ServerNotRunningError occurs when using frida-trace, and "Process terminated" occurs when trying to start frida while injecting scripts. This is probably the tweak interfering with Frida, in the same way Magisk Hide does on Android. After a lot of testing, frida worked in the weakest mode of HideJB.

If the application you are assessing cannot be bypassed by HideJB, I recommend writing Frida scripts to bypass the detection yourself, or using a tweak such as Flex.
If you don't know the detection method, I recommend reverse engineering it with Ghidra or Radare, or with objection's ios hooking list / ios hooking search commands.
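Before writing any bypass, it helps to know exactly what the app checks. The Frida script below is an added example, not code from the original gist or from objection: it only observes, logging which file-system paths the app probes through -[NSFileManager fileExistsAtPath:], stat() and access(), and flags the ones that match a small constructed list of well-known jailbreak artifacts. The same information tells an app team what their own detection actually reveals at runtime. The hooks are only installed when the script runs inside Frida (where the ObjC, Interceptor and Module globals exist); the bookkeeping helpers are plain JavaScript so they can be run and checked on the host.

```javascript
// Added example, not code from the original gist: a Frida script that records
// which file-system paths the app probes, so the jailbreak-detection method
// can be identified before deciding how to deal with it. It only observes;
// nothing is spoofed. The artifact list is a constructed starting point, not
// an exhaustive one.
const JAILBREAK_ARTIFACTS = [
  '/Applications/Cydia.app',
  '/Applications/Sileo.app',
  '/usr/sbin/sshd',
  '/bin/bash',
  '/etc/apt',
  '/private/var/lib/apt',
  '/Library/MobileSubstrate/MobileSubstrate.dylib',
];

// True when the probed path is one of the artifacts above or lies under one.
function looksLikeJailbreakProbe(p) {
  return JAILBREAK_ARTIFACTS.some(a => p === a || p.startsWith(a + '/'));
}

// Counts each (api, path) pair so repeated probes do not flood the console;
// record() returns the running count, summary() lists only the pairs that
// match the artifact list.
function makeProbeLog() {
  const seen = new Map();
  return {
    record(api, p) {
      const key = api + ' ' + p;
      const n = (seen.get(key) || 0) + 1;
      seen.set(key, n);
      return n;
    },
    summary() {
      const out = [];
      for (const [key, count] of seen) {
        const idx = key.indexOf(' ');
        const api = key.slice(0, idx);
        const p = key.slice(idx + 1);
        if (looksLikeJailbreakProbe(p)) out.push({ api, path: p, count });
      }
      return out;
    },
  };
}

// Frida-only part: ObjC/Interceptor/Module exist inside the agent, not in Node.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const log = makeProbeLog();
  const report = (api, p) => {
    // Print each flagged path the first time it is seen.
    if (log.record(api, p) === 1 && looksLikeJailbreakProbe(p)) {
      console.log('[probe] ' + api + ' ' + p);
    }
  };

  // Objective-C side: -[NSFileManager fileExistsAtPath:] is the most common
  // probe. args[0] is self, args[1] the selector, args[2] the NSString path.
  const fileExists = ObjC.classes.NSFileManager['- fileExistsAtPath:'];
  Interceptor.attach(fileExists.implementation, {
    onEnter(args) {
      report('fileExistsAtPath:', new ObjC.Object(args[2]).toString());
    },
  });

  // C side: stat()/access() from libSystem. Add open()/fopen() the same way
  // if the app under test uses them.
  for (const fn of ['stat', 'access']) {
    const addr = Module.findExportByName(null, fn);
    if (addr === null) continue;
    Interceptor.attach(addr, {
      onEnter(args) {
        report(fn, args[0].readUtf8String());
      },
    });
  }
}
```

With the frida 15 CLI used on this page, load it at app launch so early checks are caught too: `frida -U -f <bundle id> -l probes.js --no-pause` (the bundle id and file name are placeholders). Paths printed with the [probe] prefix are the candidates to look up in Ghidra or Radare; paths that do not match the list but are probed repeatedly are worth adding to JAILBREAK_ARTIFACTS for the next run.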
