Okay I am working on modding ios firmware 9.3.5 with removed setup files. I was able to mod the files while maintaining all apple signitures and encryption. however somewhere in the files is a stock checksum value of what the file should be. I have narrowed it down to either the kernal cache or inside the firmware folder somewhere. I have tried using a hex editor to read the binary of the kernel cache however couldn't figure out if this checksum was writen here. Does anyone know where this checksum is stored so i can change the value and be able to push the modded firmware to the device? Any help would be very helpful. I know device doesn't obtain this information from the internet as i completely disconnected from the internet before attempting to push to the device.
the digest of the checksums is found inside the build Manifest. Ended up doing a mass search through C# program that opened all files and checked for the checksum value. Ended up being in the build Manifest
Related
For a native iOS application we are integrating a C++ library which is writing some logs to disk to json file.
During debugging, we would like to access to this logs, but currently we can only do it by downloading the whole app container to the macOS machine and searching for the file there.
Since this a very time consuming operation we were hoping that there would be some solution that would allows us to get this file quickly. I did take a look to the lldb commands, but none of them seem to let you extract a file from the phone.
Is there anyway to do this in a quick way?
Thank you
Couple options...
1 - Add debug-only code in your app to share the log file (via AirDrop would probably be a good option).
or
2 - During debug, set these two keys (in project settings / info) to Yes:
Application supports iTunes file sharing
Supports opening documents in place
Once you've done that, you can open / copy files from your app's Documents directory (assuming that's where the logs are being written) from Finder on your Mac.
I want to see the code of an iOS app.
The app I downloaded is .deb.
First question: Is it possible to install .deb file on iOS or I downloaded a wrong file?
After unpacking the .deb file, I got some files, including .nib, .storyboard and some other files.
My main question is, How to decompile these .nib files?
I tried to decompile these files using NibToXibConverter, but I didn't succeed.
Answer to your first question:
I think you downloaded the wrong file. .deb files for iOS are common for jailbreak community and not for apps, I think all of the Cydia stuffs are packed into .deb's. If your app is especially made for the jailbreak scene then you may try to install it using Cydia's auto install feature on a jailbroken device.
Answer to your main question:
This is general info about decompiling and modifying iOS apps (not specific for nibs, but you may still find it useful).
iOS apps are distibuted in .ipa archives, which are ordinary zip archives. They contain, usually one executable in the form of Mach-O file, and resources like .plist, sounds, images - every resource you include in your xcode project. Decompiling the executable file is only possible on jailbroken iDevice, because it is encrypted especially for the current device and the magic key to decrypt the binary is burned inside the device CPU and as far as I know there is no software way to read that key. The encryption system here is called FairPlay.
Briefly described, one way to decrypt that binary is to have the app installed on a jailbroken device, and launch it from command line using a debugger (gdb) which you can download from Cydia. You have to set a breakpoint somewhere, and when your code execution pauses at the breakpoint, you are doing a memory dump of the device ram - and that is your decrypted bin.
So when you have the decrypted binary, you can run one tool called "class-dump", and get the information for declared classes and their methods if the app is written in Objective C. Once you know this information you can alter the implementation of given method from some class used in your app using "Cydia Subtstrate" a.k.a "Mobile Substrate". In fact that is the way all of the jailbroken iOS tweaks are made. Basically you are hooking a method call, and when that method get invoked, it uses your implementation. Furthermore your implementation can call the original implementation, and that is really useful if you want to make some small code addition.
I am not sure whether those things possible in Swift, but if you are dealing with a Hybrid app like the ones done with cordova, phonegap, etc., then you can see all of its javascript source because it is persisted as a resource inside the "ipa" file. In addition you can alter that javascript code directly if you have a jailbroken device and find where the app is installed on file system (usually /var/containers/Bundle/Application/uuid_for_your_app/). However, I think there is no way to get that patched version and redistribute it (correct me if I'm wrong).
I am trying to build an iOS application which has a PDF file emdebbed in it, and I don’t want the user to access or find it by unpacking the IPA file. I found that if I UNCHECK the “Add to Target” check box (when I drag and drop the PDF file into my project), the PDF file will be hidden and no one can see it after showing the IPA contents.
My question is, should I be worry from this case, in another word, if I unchecked this option, will I face any issue in publishing my application or in deploying/supporting any of my targeted devices, or should I be worry from any issue may face the users in reading this PDF through my application?
I did some research regarding this point, but I couldn’t find any good or clear answer, I appreciate any help in this.
If you uncheck the "Add to target" button it means that the .pdf file will not be packed to the .ipa file and it will not be accessible at all when someone downloads your app. So this is definitely not an option for what you want to achieve. It is better to encrypt the pdf file and decrypt it on runtime if you dont want it to be accessed when someone unpacks the .ipa file.
How important is your security? You could just zip it, then name the file something other than "*.zip".
However that would not stop someone who was determined. You would be advised then to use real encryption.
But even that would not stop a truly-determined attacker, who might use a jailbroken device to capture your PDF while it was loaded in your program's memory.
You can make it difficult to get at your PDF, but if you can get at it from your App, then I myself could get at it if I downloaded your app to my device.
I was trying to get the header files from the ToneKit framework on iOS7.1, but I found that I cannot use class-dump because there are no executable files inside the framework. From what I have found after some research, it seems as if the actual executable file is inside the dyld_shared_cache on the device. After reading this article, it seems as if there are some tools to decrypt the cache, but since iOS 3, Apple has implemented ASLR which has made the decryption tools not work. How can I extract the Frameworks from inside the dyld_shared_cache on iOS7.1?
I am very new to jailbroken ios development so please bear with me.
If you're interested in how they got those headers then the answer is very simple - iOS SDK. SDK contains ARM binaries of public and private frameworks because they are required to compile iOS applications. Class-dump them and you will get headers you need. ToneKit.framework binary is also in there.
Usually you don't need dyld_shared_cache, almost everything you need is either in iOS SDK or on a device itself like SpringBoard, other system applications etc.
Of course there are rare cases when dyld_shared_cache is the only place you can find certain binaries as they are missing from both iOS SDK and device. In that case I use IDA. It has free demo version that can open dyld_shared_cache files - you can even open individual binaries inside it rather than dump everything. You just need to copy dyld_shared_cache on your PC.
I think Elias Limneos's classdump-dyld can help you. If not, check out RuntimeBrowser. Failing that, even, weak-classdump has proven to be a very useful runtime tool for me.
We are developing an iOS app with Enterprise distribution.
It ran well in hundreds of devices, but we found some iOS 6.1.3 devices failed to launch it hours later the first run, because the App's Documents directory became a file !
Our App did nothing special except it was downloading about 80MB MP4 files from a remote HTTP server.
I assumed that something wrong when it operated the Documents directory, but so far have little clue to identify what's 'dangerous' usage in our codes.
Did you have encountered similar problems? How did you fix it?
Thanks a lot to anybody kindly helping to figure it out.
What I suggest doing is for your app to test for this when it launches, and if there is a file there, move it to some other place (like the temp folder), then create the Documents directory, then move the file back into that directory with the same name (or change the name). That will at least prevent your app from stalling.
If you have any means of remote logging, you could bin hex the first 64 bytes of the file and send it to your service for analysis (if you know what's in the file it should help you figure out who created it.)