Inspired by https://infosec.exchange/@jjtech/112612685494089718
Reboot into Recovery OS + Disable SIP
csrutil disable
Launch the binary via lldb. It will exit immedicately.
lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
(lldb) run
Process 3819 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 3819 exited with status = 0 (0x00000000)
Add a breakpoint to the SwiftUI App main entry to investigate. It still exits.
b 0x10000c840
(lldb) run
Process 5078 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5078 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
-> 0x10000c840 <+0>: adrp x17, 4
0x10000c844 <+4>: add x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
0x10000c848 <+8>: ldr x16, [x17]
0x10000c84c <+12>: braa x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) c
Process 5078 resuming
Process 5078 exited with status = 0 (0x00000000)
Add a breakpoint to exit stub (0x10000c9c0) and get the backtrace.
lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
b 0x10000c840
b 0x10000c9c0
(lldb) run
Process 5113 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
-> 0x10000c840 <+0>: adrp x17, 4
0x10000c844 <+4>: add x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
0x10000c848 <+8>: ldr x16, [x17]
0x10000c84c <+12>: braa x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) c
Process 5113 resuming
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
iPhone Mirroring`exit:
-> 0x10000c9c0 <+0>: adrp x17, 4
0x10000c9c4 <+4>: add x17, x17, #0x2c0 ; (void *)0x0c568001865c9730
0x10000c9c8 <+8>: ldr x16, [x17]
0x10000c9cc <+12>: braa x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
* frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
frame #3: 0x00000001b630470c SwiftUI`merged @objc SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 140
frame #4: 0x00000001867eb504 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 148
frame #5: 0x000000018687bf04 CoreFoundation`___CFXRegistrationPost_block_invoke + 88
frame #6: 0x000000018687be4c CoreFoundation`_CFXRegistrationPost + 436
frame #7: 0x00000001867b9a24 CoreFoundation`_CFXNotificationPost + 732
frame #8: 0x000000018793c954 Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 88
frame #9: 0x000000018a2e11b8 AppKit`-[NSApplication finishLaunching] + 248
frame #10: 0x000000018a2e0e84 AppKit`-[NSApplication run] + 252
frame #11: 0x000000018a2b74a8 AppKit`NSApplicationMain + 888
frame #12: 0x00000001b541bea0 SwiftUI`merged generic specialization <SwiftUI.TestingAppDelegate> of function signature specialization <Arg[0] = Existential To Protocol Constrained Generic> of SwiftUI.runApp(__C.NSResponder & __C.NSApplicationDelegate) -> Swift.Never + 160
frame #13: 0x00000001b57d05d0 SwiftUI`SwiftUI.runApp<τ_0_0 where τ_0_0: SwiftUI.App>(τ_0_0) -> Swift.Never + 84
frame #14: 0x00000001b5aa01dc SwiftUI`static SwiftUI.App.main() -> () + 224
frame #15: 0x0000000100008a20 iPhone Mirroring`___lldb_unnamed_symbol437 + 92
frame #16: 0x000000018638d298 dyld`start + 2876
We have almost got there. The problem is it will call exit(0)
on -[iPhone_Mirroring.AppDelegate applicationWillFinishLaunching:]
So we can just add a breakpoint and return the thread here.
(lldb) run
(lldb) b 0x000000010000aa04
Breakpoint 3: where = iPhone Mirroring`___lldb_unnamed_symbol473, address = 0x000000010000aa04
(lldb) c
Process 6907 resuming
Process 6907 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x000000010000aa04 iPhone Mirroring`___lldb_unnamed_symbol473
iPhone Mirroring`___lldb_unnamed_symbol473:
-> 0x10000aa04 <+0>: pacibsp
0x10000aa08 <+4>: stp x20, x19, [sp, #-0x20]!
0x10000aa0c <+8>: stp x29, x30, [sp, #0x10]
0x10000aa10 <+12>: add x29, sp, #0x10
Target 0: (iPhone Mirroring) stopped.
(lldb) thread return
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
frame #0: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> ():
-> 0x1b6304148 <+948>: mov x0, x21
0x1b630414c <+952>: bl 0x1b665cae8 ; symbol stub for: swift_unknownObjectRelease
0x1b6304150 <+956>: mov x0, x19
0x1b6304154 <+960>: bl 0x1b665c388 ; symbol stub for: objc_release
(lldb) continue
That's all. Done.
git clone https://github.com/Kyle-Ye/iPhoneMirroringInject.git
cd iPhoneMirroringInject
./build.sh
See detail on iPhoneMirroringInject repo
Do you guys know whether or not changing your App Store account to an EU based account is enough to allow the use and download of third party browsers? I really want a chromium based browser on my iPhone even though I'm in the US