On an iOS 11 device jailbroken with Electra, debugserver cannot be used for debugging in the usual way. This is a limitation of Electra itself; an iOS 11 device jailbroken with unc0ver does not have this problem. It can be worked around as follows:
- Obtain a signed debugserver. If you do not have one, connect the iPhone to the Mac and take it from /Developer/usr/bin/debugserver on the iPhone, then put it under /usr/bin/. If signing under /usr/bin fails later, sign it in another location instead. Whenever the process dies with kill 9 (SIGKILL, i.e. the signature was rejected), delete the binary and start over.
- Sign debugserver. The entitlements xml is as follows:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.backboardd.debugapplications</key>
<true/>
<key>com.apple.backboardd.launchapplications</key>
<true/>
<key>com.apple.diagnosticd.diagnostic</key>
<true/>
<key>com.apple.frontboard.debugapplications</key>
<true/>
<key>com.apple.frontboard.launchapplications</key>
<true/>
<key>com.apple.springboard.debugapplications</key>
<true/>
<key>com.apple.springboard.launchapplications</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.assertiond.app-state-monitor</key>
<true/>
<key>com.apple.private.network.socket-delegate</key>
<true/>
<key>com.apple.mobileactivationd.network-security-disabled</key>
<true/>
<key>com.apple.networkd_privileged</key>
<true/>
<key>run-unsigned-code</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
<key>com.apple.system-task-ports</key>
<true/>
</dict>
</plist>
Save this as an xml file (1.xml below), copy it to the iPhone together with debugserver into the same directory, and in that directory run ldid -S1.xml debugserver. If it fails, try running it from a different directory. After signing, put debugserver under /usr/bin/.
- Run debugserver
The IP address is that of the Mac host that will run lldb; run:
debugserver 192.168.1.12:111 -waitfor app
- Run jailbreakd_client
Open a second ssh session to the iPhone, find the pid of debugserver (for example 1234), then run:
/electra/jailbreakd_client 1234 1
- Launch the app
- Connect lldb on the Mac
lldb
process connect connect://192.168.1.10:111
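As an added example (not part of the original note), the steps above wrapped in a small shell script that runs on the device: it checks that the entitlements file carries the keys the procedure relies on, signs with ldid and verifies the embedded entitlements with ldid -e, then starts debugserver and hands its pid to jailbreakd_client, reporting a kill 9 exit as a rejected signature. It assumes ldid is installed on the device and the file names 1.xml, debugserver and /electra/jailbreakd_client from the note.

```shell
#!/bin/sh
# Added helper script (not from the original note). Assumes ldid on the
# device, the entitlements file 1.xml and /electra/jailbreakd_client.

# Return 0 when every entitlement key the procedure depends on is present
# and followed by <true/> in the given plist; report the missing ones.
check_entitlements() {
    plist="$1"
    missing=0
    for key in platform-application get-task-allow task_for_pid-allow \
               run-unsigned-code com.apple.system-task-ports; do
        # the <true/> element is expected on the line right after the <key>
        if ! grep -A1 "<key>$key</key>" "$plist" | grep -q '<true/>'; then
            echo "missing or not true: $key" >&2
            missing=1
        fi
    done
    return $missing
}

# Sign debugserver, then confirm the entitlements were really embedded:
# ldid -S<file> signs with the given entitlements, ldid -e dumps the
# entitlements stored in the signed binary.
sign_and_verify() {
    ents="$1"; bin="$2"
    check_entitlements "$ents" || return 1
    ldid -S"$ents" "$bin" || return 1
    ldid -e "$bin" > /tmp/embedded.xml
    check_entitlements /tmp/embedded.xml
}

# Start debugserver listening on "$1" (e.g. 192.168.1.12:111) waiting for
# app "$2", and pass its pid to jailbreakd_client as the note describes.
start_debugserver() {
    listen="$1"; app="$2"
    /usr/bin/debugserver "$listen" -waitfor "$app" &
    pid=$!
    /electra/jailbreakd_client "$pid" 1
    wait "$pid"
    status=$?
    # 137 = terminated by signal 9: the signature was rejected, re-sign it
    [ "$status" -eq 137 ] && echo "debugserver got kill 9; delete it and re-sign" >&2
    return $status
}
```

Usage on the device: sign_and_verify 1.xml debugserver && start_debugserver 192.168.1.12:111 app, then connect lldb from the Mac as in the last step.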