miticollo

#!/usr/bin/env bash
#
# Build Frida DEB.

# register the cleanup function to be called on the EXIT signal
trap cleanup INT

#######################################
# Deletes the temp directory.
# Globals:

miticollo

#!/usr/bin/env bash
#
# Perform iOS and iPadOS downgrade using gaster and futurerestore.

set -e

BOLD=$(tput bold)
readonly BOLD
NC=$(tput sgr0)
readonly NC

miticollo

IOS_MINVER = 15.0
IOS_CC := $(shell xcrun --sdk iphoneos -f clang)
IOS_CFLAGS := -Wall -Wextra -pipe -Oz -isysroot $(shell xcrun --sdk iphoneos --show-sdk-path) -miphoneos-version-min=$(IOS_MINVER)
IOS_LDFLAGS := -dynamiclib -install_name "@rpath/"$@
TARGET = libTS2JailbreakEnv.dylib

.PHONY: sign clean

sign: $(TARGET)
	@ldid -S $^

miticollo

const LIBSYSTEM_KERNEL_PATH: string = '/usr/lib/system/libsystem_kernel.dylib';

// https://github.com/apple-oss-distributions/xnu/blob/aca3beaa3dfbd42498b42c5e5ce20a938e6554e5/libsyscall/wrappers/spawn/posix_spawn.c#L2820-L2945
const posix_spawn = new NativeFunction(
    Module.getExportByName(LIBSYSTEM_KERNEL_PATH, 'posix_spawn'),
    'int',
    ['pointer', 'pointer', 'pointer', 'pointer', 'pointer', 'pointer'],
);
// https://github.com/apple-oss-distributions/xnu/blob/aca3beaa3dfbd42498b42c5e5ce20a938e6554e5/libsyscall/wrappers/spawn/posix_spawn.c#L1415-L1455
const posix_spawn_file_actions_init = new NativeFunction(

miticollo

const SYSTEMCONFIGURATION_PATH = '/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration';
const CAPTIVENETWORK_PATH = '/System/Library/PrivateFrameworks/CaptiveNetwork.framework/CaptiveNetwork';
const FOUNDATION_PATH = '/System/Library/Frameworks/Foundation.framework/Foundation';

Interceptor.attach(Module.getExportByName(SYSTEMCONFIGURATION_PATH, "CNCopyCurrentNetworkInfo"), {
    onEnter(args) {
        console.log("onEnter CNCopyCurrentNetworkInfo");
    },
    onLeave(retval) {
        console.log("onLeave CNCopyCurrentNetworkInfo");

miticollo

const GRDB_PATH: string = Process.enumerateModules().find((x: Module): boolean => x.name === "GRDB")!.path;

declare let Swift: any;

if (Swift.available) {
    // Tested on iOS 14.4.2 and iOS 15.1b1.
    const mangled: string = "$s4GRDB8DatabaseC13usePassphraseyy10Foundation4DataVKF";
    const demangled: NativePointer = Swift.api.swift_demangle(Memory.allocUtf8String(mangled), mangled.length, NULL, NULL, 0);
    console.log(`Function hooked: ${demangled.readUtf8String()}`);

miticollo

/*
 * This is example shows how to use CModule, Typescript, and ObjC.
 * It lets us see what files are opened by the target process (`getpid()`).
 * It is lsof for iOS but implemented in frida.
 *
 * How to run?
 *  frida -U -n <target> -l proc.ts
 * In REPL:
 *  rpc.exports.fds();
 *

miticollo

Here you can find a list of panic log and how to get them using frida REPL:

1. NULL.add(1).readUtf8String()

miticollo

#!/usr/bin/env python3
import signal
import threading

import _frida
import frida
from frida.core import Device, Session, Script, ScriptMessage

signal_event: threading.Event = threading.Event()

miticollo

#!/usr/bin/env python3
import json

import frida
from frida.core import Device, Session, Script, ScriptExportsSync

compiler: frida.Compiler = frida.Compiler()
compiler.on("diagnostics", lambda diag: print(f"on_diagnostics: {diag}"))
bundle: str = compiler.build('permissions.ts', compression='terser')