This is a document for security engineers to build environments for their work and should never be used for fraudulent activities.
- iPhone XR (A12 Bionic)
- iOS 14.3
- frida 15.1.17
- frida-tools 10.5.4
- Python 3.6.5
7 March 2022.
Use Taurine, because:
- checkra1n does not support A12 devices
- Chimera does not support iOS 14
- unc0ver: I tried to jailbreak with it and got an error. Not sure why. I restored rootFS, but that didn't help.
After jailbreaking, install frida-server and Cydia Installer via the Sileo app.
- https://frida.re/docs/ios/#with-jailbreak
- Frida for A12+ devices is required.
- No additional repositories are required to install the Cydia Installer.
- Connect your computer and iPhone via USB
- Run the following in your terminal app:
$ frida-ps -Uai
If you get the following error, something is wrong. It may not be the Developer Disk Image's or Xcode's fault, despite what the message says.
Failed to enumerate applications: this feature requires an iOS Developer Disk Image to be mounted; run Xcode briefly or use ideviceimagemounter to mount one manually
In my case, restoring rootFS with Taurine, jailbreaking again, and reinstalling frida-server and Cydia Installer made it work.
Next, I tried to use frida-ios-dump and got the following error:
need Gadget to attach on jailed iOS; its default location is: /Users/username/.cache/frida/gadget-ios.dylib
Following this issue, I downloaded frida-gadget-15.1.17-ios-universal.dylib.gz from the release page (the gadget version must match the frida version, 15.1.17 here).
$ gunzip ~/Downloads/frida-gadget-15.1.17-ios-universal.dylib.gz
$ mkdir -p ~/.cache/frida
$ mv ~/Downloads/frida-gadget-15.1.17-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib
Then it works. At this point, objection was working as well, so I thought I had it all worked out.
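Added example, not part of the original notes: a Python 3.6-compatible script that automates the steps above with the frida Python API. It unpacks the gadget into the cache path frida-ios-dump expects, then does the equivalent of frida-ps -Uai and maps the two error texts seen above to the fix that worked here. The version string and paths are the ones from these notes; the function names are my own.

```python
import gzip
import shutil
from pathlib import Path

FRIDA_VERSION = "15.1.17"  # version used in these notes; gadget and server must match it
GADGET_ARCHIVE = Path.home() / "Downloads" / ("frida-gadget-%s-ios-universal.dylib.gz" % FRIDA_VERSION)
GADGET_CACHE = Path.home() / ".cache" / "frida" / "gadget-ios.dylib"  # where frida-ios-dump looks


def install_gadget(archive, target=GADGET_CACHE):
    """Same effect as the gunzip / mkdir -p / mv steps: unpack the gadget into frida's cache path."""
    archive, target = Path(archive), Path(target)
    target.parent.mkdir(parents=True, exist_ok=True)
    with gzip.open(str(archive), "rb") as src, open(str(target), "wb") as dst:
        shutil.copyfileobj(src, dst)
    return target


def gadget_ready(target=GADGET_CACHE):
    """True when a non-empty gadget-ios.dylib is in place (a zero-byte file is as bad as none)."""
    target = Path(target)
    return target.is_file() and target.stat().st_size > 0


def classify_failure(message):
    """Map the error texts seen in these notes to the fix that worked for them."""
    if "Developer Disk Image" in message:
        return "restore rootFS with Taurine, jailbreak again, reinstall frida-server and Cydia Installer"
    if "need Gadget to attach on jailed iOS" in message:
        return "put the gadget at %s (see install_gadget)" % GADGET_CACHE
    return "unknown failure; check that a jailbreak-detection tweak is not interfering with frida-server"


def check_device(timeout=5):
    """Equivalent of `frida-ps -Uai`: ('ok', [(pid, identifier, name), ...]) or ('error', fix)."""
    import frida  # imported lazily so the helpers above also work on a machine without frida
    try:
        device = frida.get_usb_device(timeout=timeout)  # -U: the USB-attached device
        apps = device.enumerate_applications()          # -a: all installed apps, not only running ones
    except frida.ServerNotRunningError:
        return "error", "frida-server not reachable; a bypass tweak may be interfering, try HideJB's weakest mode"
    except Exception as exc:  # the Developer Disk Image problem surfaces as a generic failure text
        return "error", classify_failure(str(exc))
    return "ok", [(app.pid, app.identifier, app.name) for app in apps]  # -i: show identifiers


if __name__ == "__main__":
    if not gadget_ready() and GADGET_ARCHIVE.is_file():
        install_gadget(GADGET_ARCHIVE)
    print("gadget ready:", gadget_ready())
    print(*check_device())
```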
When doing security assessments on jailbroken devices, I would use a tweak to bypass jailbreak detection. For iOS 13 and below, you can use Liberty Lite or something like it, but I don't think this works on iOS 14.
A-Bypass or something similar may work, but frida.ServerNotRunningError
occurs when using frida-trace, and "Process terminated" occurs when trying to start Frida while injecting scripts.
This is probably the tweak interfering with Frida, as Magisk Hide does.
After a lot of testing, Frida worked in the weakest mode of HideJB.
If you are assessing an application whose detection HideJB cannot bypass, I recommend writing Frida scripts to bypass the detection yourself, or using a tweak such as Flex.
If you don't know the detection method, I recommend reverse engineering it using Ghidra, Radare, or objection's ios hooking list or ios hooking search commands.