debugserver fails due to task_for_pid error 5 on iOS 10.1.1

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby c69c73 » Tue Dec 20, 2016 5:04 pm

I am running as root on iOS 10.1.1 using the exploit from Ian Beer.
I set up debugserver and I can attach to AdHoc apps - i.e. apps I compiled myself.

However when I try to attach to an AppStore app or launch an AppStore app from debugserver, I see the task_for_pid error 5 in the console:
debugserver 2 +0.085158 sec [00dd/0403]: error: ::task_for_pid ( target_tport = 0x0103, pid = 222, &task ) => err = 0x00000005 ((os/kern) failure) err = ::task_for_pid ( target_tport = 0x0103, pid = 222, &task ) => err = 0x00000005 ((os/kern) failure) (0x00000005)

Why would debugserver work for AdHoc apps but not for AppStore apps?

Any idea?
Thanks!
c69c73
 
Posts: 7
Joined: Sat Dec 17, 2016 9:49 am

Re: debugserver fails due to task_for_pid error 5 on iOS 10.

Postby morpheus » Fri Dec 23, 2016 6:34 am

Entitled apps need a get_task_allow to make them debuggable and yield their task port. If the kernel is patched this can be overridden, of course, but otherwise AMFI will refuse the task port, making the rest of the mach_vm and thread_ APIs moot.

You can get past this by removing the LC_CODE_SIGNATURE load command (jtool -rC) and self-signing (jtool --sign). Bear in mind the apps in question are also encrypted, so you might need to decrypt first.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm
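
As an added illustration of the get-task-allow check described in the reply above (example code written for this page, not code from the thread, from jtool, or from Apple), the C program below walks a 64-bit Mach-O image, follows LC_CODE_SIGNATURE to the code-signature SuperBlob, pulls out the entitlements blob and reports whether get-task-allow (the entitlement key is spelled with hyphens) is set to true, and then drops the LC_CODE_SIGNATURE load command from the header the way jtool -rC does. The two images it inspects are constructed in memory with placeholder entitlements (the application-identifier TEAM.example is made up), so it compiles and runs on any host. It does no decryption: on a real App Store binary the encrypted segments still have to be dealt with first, as the reply notes.

```c
/* Added example, not code from this thread or from jtool: locate LC_CODE_SIGNATURE in a Mach-O
 * image, check its entitlements blob for get-task-allow (what AMFI requires before yielding a
 * task port), and drop that load command as "jtool -rC" does. Sample images are constructed. */
#include <stdint.h>
#include <string.h>
#define MH_MAGIC_64 0xfeedfacfu
#define LC_CODE_SIGNATURE 0x1du
#define CSMAGIC_EMBEDDED_SIGNATURE 0xfade0cc0u   /* CS_SuperBlob magic */
#define CSMAGIC_ENTITLEMENTS 0xfade7171u         /* entitlements blob magic; body is plist XML */
#define CSSLOT_ENTITLEMENTS 5u
#define GTA_KEY "<key>get-task-allow</key>"

/* Mach-O headers are native (little) endian on arm64; code-signature blobs are big-endian. */
static uint32_t rd32le(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd32be(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]; }
static void wr32le(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = v >> 8 & 0xff; p[2] = v >> 16 & 0xff; p[3] = v >> 24; }
static void wr32be(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16 & 0xff; p[2] = v >> 8 & 0xff; p[3] = v & 0xff; }

/* Offset of the LC_CODE_SIGNATURE load command in a 64-bit image, or 0 if absent. */
static size_t find_code_signature_lc(const uint8_t *img, size_t len)
{
    if (len < 32 || rd32le(img) != MH_MAGIC_64) return 0;
    size_t off = 32;                                   /* sizeof(struct mach_header_64) */
    for (uint32_t i = 0, ncmds = rd32le(img + 16); i < ncmds && off + 8 <= len; i++) {
        uint32_t cmd = rd32le(img + off), cmdsize = rd32le(img + off + 4);
        if (cmdsize < 8 || off + cmdsize > len) return 0;
        if (cmd == LC_CODE_SIGNATURE) return off;
        off += cmdsize;
    }
    return 0;
}

/* 1: get-task-allow present (debuggable, as in an Ad Hoc/development build); 0: signed without
 * it (App Store style, AMFI will refuse task_for_pid); -1: no or malformed code signature. */
int macho_has_get_task_allow(const uint8_t *img, size_t len)
{
    size_t lc = find_code_signature_lc(img, len);
    if (!lc) return -1;
    uint32_t dataoff = rd32le(img + lc + 8), datasize = rd32le(img + lc + 12);
    if (datasize < 12 || (size_t)dataoff + datasize > len) return -1;
    const uint8_t *sb = img + dataoff;                 /* SuperBlob: magic, length, count, index[] */
    if (rd32be(sb) != CSMAGIC_EMBEDDED_SIGNATURE) return -1;
    for (uint32_t i = 0, count = rd32be(sb + 8); i < count; i++) {
        size_t ix = 12 + 8 * (size_t)i;                /* CS_BlobIndex: {type, offset} */
        if (ix + 8 > datasize) return -1;
        if (rd32be(sb + ix) != CSSLOT_ENTITLEMENTS) continue;
        uint32_t eoff = rd32be(sb + ix + 4), elen = 0;
        if ((size_t)eoff + 8 <= datasize && rd32be(sb + eoff) == CSMAGIC_ENTITLEMENTS) elen = rd32be(sb + eoff + 4);
        if (elen < 8 || (size_t)eoff + elen > datasize) return -1;
        char xml[512] = {0};                           /* NUL-terminated copy so strstr is safe */
        memcpy(xml, sb + eoff + 8, elen - 8 < sizeof xml - 1 ? elen - 8 : sizeof xml - 1);
        const char *k = strstr(xml, GTA_KEY);
        if (!k) return 0;
        for (k += strlen(GTA_KEY); *k == ' ' || *k == '\n' || *k == '\t'; k++) {}   /* real plists pad with whitespace */
        return strncmp(k, "<true/>", 7) == 0;
    }
    return 0;                                          /* signed, but carries no entitlements blob */
}

/* Drop LC_CODE_SIGNATURE from the load-command table (the header-level effect of jtool -rC).
 * The blob stays in __LINKEDIT unreferenced; the image must be re-signed before it will load. */
int macho_strip_code_signature(uint8_t *img, size_t len)
{
    size_t lc = find_code_signature_lc(img, len);
    if (!lc) return 0;
    uint32_t cmdsize = rd32le(img + lc + 4), sizeofcmds = rd32le(img + 20);
    size_t end = 32 + sizeofcmds;
    if (end > len || lc + cmdsize > end) return 0;
    memmove(img + lc, img + lc + cmdsize, end - lc - cmdsize);   /* slide later commands down */
    memset(img + end - cmdsize, 0, cmdsize);
    wr32le(img + 16, rd32le(img + 16) - 1);                       /* ncmds-- */
    wr32le(img + 20, sizeofcmds - cmdsize);
    return 1;
}

/* Constructed image: header, one LC_CODE_SIGNATURE, and a SuperBlob holding one entitlements
 * blob with the given plist text. Returns the image length, or 0 if it does not fit. */
size_t build_sample(uint8_t *out, size_t cap, const char *plist)
{
    size_t plen = strlen(plist), elen = 8 + plen, sblen = 12 + 8 + elen, dataoff = 32 + 16;
    if (dataoff + sblen > cap) return 0;
    memset(out, 0, dataoff + sblen);
    wr32le(out, MH_MAGIC_64); wr32le(out + 4, 0x0100000cu); wr32le(out + 12, 2);   /* arm64, MH_EXECUTE */
    wr32le(out + 16, 1); wr32le(out + 20, 16);                                      /* ncmds, sizeofcmds */
    wr32le(out + 32, LC_CODE_SIGNATURE); wr32le(out + 36, 16);                      /* linkedit_data_command */
    wr32le(out + 40, (uint32_t)dataoff); wr32le(out + 44, (uint32_t)sblen);         /* dataoff, datasize */
    uint8_t *sb = out + dataoff;
    wr32be(sb, CSMAGIC_EMBEDDED_SIGNATURE); wr32be(sb + 4, (uint32_t)sblen); wr32be(sb + 8, 1);
    wr32be(sb + 12, CSSLOT_ENTITLEMENTS); wr32be(sb + 16, 20);                      /* index -> blob at +20 */
    wr32be(sb + 20, CSMAGIC_ENTITLEMENTS); wr32be(sb + 24, (uint32_t)elen);
    memcpy(sb + 28, plist, plen);
    return dataoff + sblen;
}

/* Constructed entitlement sets; "TEAM.example" is a placeholder identifier. */
const char *const ADHOC_PLIST = "<plist><dict><key>application-identifier</key><string>TEAM.example</string><key>get-task-allow</key><true/></dict></plist>";
const char *const APPSTORE_PLIST = "<plist><dict><key>application-identifier</key><string>TEAM.example</string></dict></plist>";

/* Build one sample, optionally strip its signature first, and return the entitlement verdict. */
int sample_result(const char *plist, int strip)
{
    uint8_t img[512];
    size_t n = build_sample(img, sizeof img, plist);
    if (strip) macho_strip_code_signature(img, n);
    return macho_has_get_task_allow(img, n);
}
```

sample_result(ADHOC_PLIST, 0) returns 1, sample_result(APPSTORE_PLIST, 0) returns 0, and after macho_strip_code_signature the same image returns -1, i.e. no signature at all, which is the state you re-sign from with jtool --sign. The constructed image has only the one load command, so there is no __LINKEDIT segment bookkeeping to fix up; on a real binary the stripped command's blob bytes simply stay in __LINKEDIT unreferenced, and a real entitlements plist pads its key/value pairs with newlines and tabs, which the scanner skips before looking for the value.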

Re: debugserver fails due to task_for_pid error 5 on iOS 10.

Postby darkknight » Fri Dec 23, 2016 5:18 pm

Administrator wrote:
Entitled apps need a get_task_allow to make them debuggable and yield their task port. If the kernel is patched this can be overridden, of course, but otherwise AMFI will refuse the task port, making the rest of the mach_vm and thread_ APIs moot.

You can get past this by removing the LC_CODE_SIGNATURE load command (jtool -rC) and self-signing (jtool --sign). Bear in mind the apps in question are also encrypted, so you might need to decrypt first.

Speaking of which, I noticed that the latest version of procexp still doesn't have the dump binary option enabled. Still gonna push that update? Also, did you ever get around to pushing the updated Filemon where you are able to filter on pid instead of using grep?

Respect for your work as usual. Greatly appreciated!
darkknight
 
Posts: 65
Joined: Mon Apr 18, 2016 10:49 pm
