Allow Xcode to start a custom `debugserver` with `root` privileges to debug iOS apps.
Currently only tested on the following jailbroken devices:
- iPhone 6s 14.2
- iPhone 7 13.6.1
- iPhone 7 15.6.1
- iPhone X 16.6.1
- iPhone 11 Pro 14.2
Theoretically supports devices running iOS 10 and above, including A12 devices.

Repo: https://repo.byteage.com

- Add the source https://repo.byteage.com and install it directly
- Or download the source code, compile and install it

- Open your phone's Settings, find the XcodeRootDebug plug-in settings, enable the plug-in and the ROOT permission switches, set the Debug Server to `/usr/bin/debugserver`, and save the settings
- According to the device's iOS version, find the corresponding dmg file in Xcode, e.g. `/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/14.3/DeveloperDiskImage.dmg`
- Double-click the dmg to mount it and copy `/Volumes/DeveloperDiskImage/usr/bin/debugserver` to `~/Desktop/debugserver`
- Copy the following content and save it to `~/Desktop/debugserver.entitlements`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.springboard.debugapplications</key>
<true/>
<key>com.apple.backboardd.launchapplications</key>
<true/>
<key>com.apple.backboardd.debugapplications</key>
<true/>
<key>com.apple.frontboard.launchapplications</key>
<true/>
<key>com.apple.frontboard.debugapplications</key>
<true/>
<key>com.apple.private.logging.diagnostic</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.private.memorystatus</key>
<true/>
<key>com.apple.private.cs.debugger</key>
<true/>
<key>com.apple.private.thread-set-state</key>
<true/>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.private.skip-library-validation</key>
<true/>
<key>com.apple.system-task-ports</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>platform-application</key>
<true/>
<key>run-unsigned-code</key>
<true/>
<key>task_for_pid-allow</key>
<true/>
</dict>
</plist>
```

- Use `ldid` to sign the new entitlements onto `debugserver`:

```sh
cd ~/Desktop
ldid -Sdebugserver.entitlements debugserver
```
- Copy the signed `debugserver` to the path `/usr/bin/debugserver` on the jailbroken device and, as the root user, make it executable:

```sh
chmod +x /usr/bin/debugserver
```
- Run `debugserver` to make sure it starts normally:

```
iPhone-X:~ root# debugserver
debugserver-@(#)PROGRAM:LLDB PROJECT:lldb-1403.2.3.13
for arm64.
Usage:
debugserver host:port [program-name program-arg1 program-arg2 ...]
debugserver /path/file [program-name program-arg1 program-arg2 ...]
debugserver host:port --attach=<pid>
debugserver /path/file --attach=<pid>
debugserver host:port --attach=<process_name>
debugserver /path/file --attach=<process_name>
```

- Restart `lockdownd` on the jailbroken device:

```sh
killall lockdownd
```
- Connect the jailbroken device to the computer, open Xcode, and use the menu Debug -> Attach to Process by PID or Name... or Debug -> Attach to Process to attach to any process you want to debug.
- If you use a Palera1n jailbroken device, you must install `ldid` from the official source (palera1n strap), then copy `debugserver.entitlements` and `debugserver` to the jailbroken device and run the `ldid -Sdebugserver.entitlements debugserver` command on the jailbroken device itself; otherwise `debugserver` cannot be started. The `ldid` from the official source has been modified, and only executables signed with it can be run from the command line; signing with any other `ldid` results in an error.
- If you have any other questions, please submit an issue
Usually, when we use Xcode for on-device debugging, there are the following limitations:

- The debugger can only be started with `mobile` permissions
- The only debugger that can be started is `/Developer/usr/bin/debugserver`
Based on the above limitations, the following problems arise:

- Unable to debug system processes, such as Cydia or Safari
- Unable to debug apps downloaded from the App Store; such an app has to be decrypted (dumped) and re-signed first
To solve the above problems, you need a `debugserver` with higher permissions. For the specific configuration process, you can refer to the article "Tips and Problem Handling for Configuring DebugServer + lldb Debugging Environment under iOS 12".

To remove the above limitations, you need to install this tweak. After installing it, developers can use Xcode to start a custom `debugserver` with `root` privileges for debugging. The tweak can be configured in Settings.

You can read this post to get some information.