[Temp workaround found]Clutch does not work on iOS 12 with unc0ver

[esterTion]

Previously reported in #228 , opening a new issue for some infos gathered.

Same binary built from a6f6aee, signed using
ldid -Sclutch-ent.xml -K/usr/share/jailbreak/signcert.p12 Clutch-2.0.4-Debug
which clutch-ent.xml is Clutch.entitlements, and signcert.p12 is from unc0ver [Signing Certificate] package

iOS 9.3.2 iPhone SE (working)

root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525
Preparing to dump <Tydlig>
Path: /var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525/Tydlig.app/Tydlig
ClutchPrint.m : 77 | Finding compatible dumper for binary <Tydlig> with arch cputype: 16777228
ClutchPrint.m : 77 | Segment cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Found compatible dumper <ARM64Dumper: 0x127cda9e0> for binary <Tydlig> with arch arm64
ClutchPrint.m : 77 | 64bit dumping: arch arm64 offset 0
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 950272 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 1255936 | datasize 26048
ClutchPrint.m : 77 | found all required load commands for <Tydlig> arm64
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 61229 /var/containers/Bundle/Application/8C34F912-9679-4D1E-9B6F-3EFD1BD15525/Tydlig.app/Tydlig
ClutchPrint.m : 77 | 0 1255936 872415232
ClutchPrint.m : 77 | Found CSSLOT_CODEDIRECTORY
ClutchPrint.m : 77 | Codesign Pages 307
ClutchPrint.m : 77 | Found main binary mach-o image @ 0x100070000!
ASLR slide: 0x100070000
ClutchPrint.m : 77 | checksum size 6140
Dumping <Tydlig> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
ClutchPrint.m : 77 | Done writing checksum
ClutchPrint.m : 77 | done dumping
ClutchPrint.m : 77 | Sucessfully dumped arm64 segment of <Tydlig>
Finished dumping se.aksys.tydlig to /var/tmp/clutch/F7B2109A-D729-4841-945A-05609DC246F5
Finished dumping se.aksys.tydlig in 0.8 seconds

iOS 12.1.2 iPhone 8 (not working)

root# Clutch-2.0.4-Debug -v -b se.aksys.tydlig
ClutchPrint.m : 77 | using bundle identifier
Now dumping se.aksys.tydlig
ClutchPrint.m : 77 | ######## bundle URL file:///private/var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4
Preparing to dump <Tydlig>
Path: /var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4/Tydlig.app/Tydlig
ClutchPrint.m : 77 | Finding compatible dumper for binary <Tydlig> with arch cputype: 16777228
ClutchPrint.m : 77 | Segment cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Device cputype: 16777228, cpusubtype: 0
ClutchPrint.m : 77 | Dumper supports cputype 16777228
ClutchPrint.m : 77 | Found compatible dumper <ARM64Dumper: 0x10852f190> for binary <Tydlig> with arch arm64
ClutchPrint.m : 77 | 64bit dumping: arch arm64 offset 0
ClutchPrint.m : 77 | FOUND __TEXT SEGMENT
ClutchPrint.m : 77 | FOUND ENCRYPTION INFO: cryptoff 16384 | cryptsize 950272 | cryptid 1
ClutchPrint.m : 77 | FOUND CODE SIGNATURE: dataoff 1255936 | datasize 42352
ClutchPrint.m : 77 | found all required load commands for <Tydlig> arm64
ClutchPrint.m : 77 | to MH_PIE or not to MH_PIE, that is the question
ClutchPrint.m : 77 | got the pid 15530 /var/containers/Bundle/Application/41E5C2E5-37A1-4873-BAF3-E5C267745AD4/Tydlig.app/Tydlig
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <Tydlig> with arch arm64

2019-03-16 23:54:37.729 Clutch-2.0.4-Debug[15527:211844] failed operation :(
2019-03-16 23:54:37.729 Clutch-2.0.4-Debug[15527:211844] application <NSOperationQueue: 0x107ecc000>{name = 'NSOperationQueue 0x107ecc000'}
ClutchPrint.m : 77 | operation hash 4435572032
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump <Tydlig>

2019-03-16 23:54:37.730 Clutch-2.0.4-Debug[15527:211844] failed operation :(
2019-03-16 23:54:37.730 Clutch-2.0.4-Debug[15527:211844] application <NSOperationQueue: 0x107ecc000>{name = 'NSOperationQueue 0x107ecc000'}
ClutchPrint.m : 77 | operation hash 4201234
Error: Failed to dump se.aksys.tydlig :(

The problem seems to be at task_for_pid, pwn20wndstuff/Undecimus#728 seems has addressed this issue with swigger/debugserver-ios

---

Update:
Clearly I didn't thought of reading syslog before, there's this kernel complaint:

Mar 17 14:02:45 esterTion kernel(Sandbox)[0] <Error>: Sandbox: hook..execve() killing <unsigned>[pid=714, uid=0]: only launchd is allowed to spawn untrusted binaries

I guess it's officially an unc0ver issue now

[esterTion]

Temporary workaround

After found it's sandbox issue, I messed around with it, and now it correctly dumps app.
Problem: This workaround requires resigning binary, which will lost original developer group info, and make it both generate new container for app preferences, and also no able to share data within original app-group. (e.g. Google shares account info across apps)

Therefore, this dump method might not be good for crack ipa generating, but is good enough for reverse engineer researching.

1. Find the app you want to dump, extract its original entitlements using ldid -e Binary >app-ent.xml. Also keep a copy of original binary if you want to restore later to avoid preferences lost.
2. add new entitlements below to the file

new entitlements

		<key>platform-application</key>
		<true/>
		<key>get-task-allow</key>
		<true/>
		<key>run-unsigned-code</key>
		<true/>
		<key>com.apple.private.skip-library-validation</key>
		<true/>
		<key>com.apple.private.security.no-container</key>
		<true/>

3. Run clutch on original untouched binary, which should fail by Could not obtain mach port (This step is important, or newly signed binary won't spawn with error AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022 )
4. Resign binary with ldid -Sapp-ent.xml Binary
5. Run Clutch -b com.bundle.id, now clutch can spawn and decrypt the binary

Still, I think this is a unc0ver issue, not fully patching kernel (Probably won't happen in KPPless)

Example shell script

cd /User/Documents/App-link/App/$id
app=(*.app)
binary=${app%.app}
echo "Resigning [$binary]"

cd "$app"
cp -p "$binary" "${binary}_backup"

## prevent dumping plugins and frameworks
if [[ -e PlugIns ]]; then
	hasplugin=1
	mv PlugIns PlugIns-
fi
if [[ -e Frameworks ]]; then
	hasfmwk=1
	mv Frameworks Frameworks-
fi

ent_tmp=$(mktemp)
ldid -e "$binary" >$ent_tmp
plutil -key platform-application -true $ent_tmp >/dev/null
plutil -key get-task-allow -true $ent_tmp >/dev/null
plutil -key run-unsigned-code -true $ent_tmp >/dev/null
plutil -key com.apple.private.skip-library-validation -true $ent_tmp >/dev/null
plutil -key com.apple.private.security.no-container -true $ent_tmp >/dev/null
#cat $ent_tmp

echo "Dumping original to fail"
Clutch-2.0.4-Debug -b $id

ldid -S$ent_tmp "$binary"

echo "Dumping again"
Clutch-2.0.4-Debug -b $id

rm -f $ent_tmp
mv -f "${binary}_backup" "$binary"

if [[ $hasplugin != "" ]]; then
	mv PlugIns- PlugIns
fi
if [[ $hasfmwk != "" ]]; then
	mv Frameworks- Frameworks
fi

esterTion:~ root# clutch-dump jp.co.cygames.princessconnectredive
Resigning [princessconnectredive]
Dumping original to fail
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <princessconnectredive> with arch arm64

2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] failed operation :(
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] application <NSOperationQueue: 0x105cf2b80>{name = 'NSOperationQueue 0x105cf2b80'}
Error: Failed to dump <princessconnectredive>

2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] failed operation :(
2019-03-17 15:34:19.664 Clutch-2.0.4-Debug[845:7624] application <NSOperationQueue: 0x105cf2b80>{name = 'NSOperationQueue 0x105cf2b80'}
Error: Failed to dump jp.co.cygames.princessconnectredive :(

Dumping again
ASLR slide: 0x100cd8000
Dumping <princessconnectredive> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Finished dumping jp.co.cygames.princessconnectredive to /var/tmp/clutch/CA4FA568-0970-441B-8F07-BC9DFFD1766C
Finished dumping jp.co.cygames.princessconnectredive in 21.8 seconds

[holyswordman]

我認為自從iOS 11.1 開始已封了Clutch的運作方法, 可能Clutch要重新設計.
即使能通過簽名執行也不能解密App, 不能正常運作, 不關uncover的事.

[esterTion]

@holyswordma
注意步骤3，必须要先对原始进行一次dump，不然会导致FairPlay报错。
原理我也不清楚，大概是解密缓存吧

这个是内核限制的问题，本来越狱就是尽可能解除限制

[Halo-Michael]

Temporary workaround

After found it's sandbox issue, I messed around with it, and now it correctly dumps app.
Problem: This workaround requires resigning binary, which will lost original developer group info, and make it both generate new container for app preferences, and also no able to share data within original app-group. (e.g. Google shares account info across apps)

Therefore, this dump method might not be good for crack ipa generating, but is good enough for reverse engineer researching.

1. Find the app you want to dump, extract its original entitlements using ldid -e Binary >app-ent.xml. Also keep a copy of original binary if you want to restore later to avoid preferences lost.
2. add new entitlements below to the file

new entitlements

1. Run clutch on original untouched binary, which should fail by Could not obtain mach port (This step is important, or newly signed binary won't spawn with error AppleFairplayTextCrypterSession:fairplayOpen() failed, error -42022 )
2. Resign binary with ldid -Sapp-ent.xml Binary
3. Run Clutch -b com.bundle.id, now clutch can spawn and decrypt the binary

Still, I think this is a unc0ver issue, not fully patching kernel (Probably won't happen in KPPless)

Example shell script

Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature dumped binary after spawn and decrypt the binary?

[esterTion]

Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature dumped binary after spawn and decrypt the binary?

It's not about entitlements, app group is determined by signing private key, which only developer has.
Once you resigned the binary, it can never turn back to original signature.
In fact, Clutch only update the CDHash part, but ldid will overwrite entire signature

[Halo-Michael]

Perhaps you should keep a backup of the original entitlement file (app-ent.xml) and re-use the original entitlement file signature dumped binary after spawn and decrypt the binary?

It's not about entitlements, app group is determined by signing private key, which only developer has.
Once you resigned the binary, it can never turn back to original signature.
In fact, Clutch only update the CDHash part, but ldid will overwrite entire signature

Thanks for Notes

[jeffli678]

@esterTion I tried your workaround very hard and it unfortunately doesn't work. The related error message is still the mach port. I am on iOS 12.1.2 with unc0ver 3.3.8

[esterTion]

Did you dumped the original binary first?
It need to be attempted on original, or decryption will fail.

Sadly I’ve been in jail for months now, so can’t test anything.

[jeffli678]

I did. Not sure what went wrong.

[esterTion]

You can connect your phone to pc and use idevicesyslog from libimobiledevice to grab syslog, and see what’s the error
If you have Mac you can use Apple Configurator 2 app

[jeffli678]

Thanks for your advice. I will give it a try when I have free time.

[esterTion]

@jeffli678
So hi,
Thanks to Apple bringing back the old exploit, now I'm free on 12.4.
And I've tested again, it is clearly working for me.

console logs

esterTion:/User/Documents/App-link/App/jp.co.bandainamcoent.BNEI0242 root# clutch-dump jp.co.bandainamcoent.BNEI0242
Resigning [BNEI0242]
Dumping original to fail
Error: Could not obtain mach port, either the process is dead (codesign error?) or entitlements were not properly signed!

Error: Failed to dump <BNEI0242> with arch arm64

2019-08-20 11:29:26.758 Clutch-2.0.4-Debug[8973:191992] failed operation :(
2019-08-20 11:29:26.759 Clutch-2.0.4-Debug[8973:191992] application <NSOperationQueue: 0x1015abd50>{name = 'NSOperationQueue 0x1015abd50'}
Error: Failed to dump <BNEI0242>

2019-08-20 11:29:26.759 Clutch-2.0.4-Debug[8973:191992] failed operation :(
2019-08-20 11:29:26.760 Clutch-2.0.4-Debug[8973:191992] application <NSOperationQueue: 0x1015abd50>{name = 'NSOperationQueue 0x1015abd50'}
Error: Failed to dump jp.co.bandainamcoent.BNEI0242 :(

Dumping again
ASLR slide: 0x104150000
Dumping <BNEI0242> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Finished dumping jp.co.bandainamcoent.BNEI0242 to /var/tmp/clutch/23D1BCAE-6922-4B01-9BE8-78B6A0CF94EE
Finished dumping jp.co.bandainamcoent.BNEI0242 in 34.3 seconds

So i'm not sure which part did you do wrong
If you are straight grabbing that script, then there are some missing pieces before you can use
e.g. $id is not defined, also /User/Documents/App-link/App/$id is a link directory to the actual app container

[jeffli678]

Ironically, I also tried the latest jailbreak on another phone running 12.4. The jailbreak was successful, but I cannot get Cydia to work, it says no Internet connection.

That said, I somehow believe I previously followed your steps closely. I will try again and post logs later.

Discloser: I am reletively new to iOS reverse engineering.

[esterTion]

I cannot get Cydia to work, it says no Internet connection.

Delete /var/preferences/com.apple.networkextension.plist, reboot

[klmitchell2]

I spent some time yesterday trying to get Clutch working on a iPhone 7 (iOS 12.4) jailbroken with Chimera and did not succeed. No idea if they are compatible, but I was able to to frida-ios-dump as an alternative.

[TRGoCPftF]

You can get around some of these app issues with unc0ver or 12.* Clutch use in general. Couple of other devs found some ways with 12.1-12.4 before. Check out https://github.com/Alderon86/hydraDump

Can likely be done without as many external requirements, but it worked for me when i was unable to dump anything on 12.* unc0ver stuff

[esterTion]

Check out https://github.com/Alderon86/hydraDump

See inside and you will find out it’s exactly my code from here🤔

[TRGoCPftF]

Well no s***, they seemed so proud of what they did when they showed me 😂 I'll have to call em out for proper accreditation.