iOS 12/13 support with new unc0ver 4.3.1

Question

iOS 12/13 support with new unc0ver 4.3.1

bigrck64 opened this issue 5 years ago · 14 comments

Hello Sharat,

We all know that screendump could not see the screen buffer now backboardd is sandboxed in iOS12.
But now iOS12 is better know by iOS coders, don't you think about some alternative ? maybe like manually unsanbox the backboardd process on screendump start ?
Or as workaround, maybe we could call some official API to get a screencapture ? (like vnc servers are performing on android with local adb)

Answer 1 · 2020-02-17T16:49:00.000Z

Now that libsubstrate have been updated for iOS12 and iOS13, maybe we can rebuild screendump with those new version and see if it helps ?

0.9.6301 (current screendump code, support iOS 9.3) - http://apt.saurik.com/debs/
0.9.7020 (support of iOS 11+12) - http://apt.saurik.com/beta/substrate11/
0.9.7101 (support of iOS 13) - https://apt.bingner.com/debs/1443.00/

Answer 2 · 2020-03-18T14:23:34.000Z

Okay, I think we have one option with the new release of unc0ver :)
With the 4.3.1 release, pwn20wnd add the ability to "looking up or registering services from the sandbox with the cy: prefix for developers". I think this could help us to hook backboardd correctly !
(I suspect you may have to rebuild the tweak with "substitute" instead of "substrate" to use this)

Answer 3 · 2020-03-20T12:21:20.000Z

closed by mistake...so substrate hooking is working fine...its the socket opening which is not working. Some policy change related to backboardd made it to not allow opening socket in that process. I am looking at solution wherein i can some how pass the captured frames to another daemon. Will update as soon as i have a POC ready

Answer 4 · 2020-03-20T21:09:35.000Z

Hello Sharat, interesting news !
So it's backboardd who is no more allowed to open a socket, hooking into it let you capture the frames, but not making the port listening.
Is it difficult to create your own process ?
How is working openssh for example ?

Answer 5 · 2020-03-23T17:03:44.000Z

Hey Sharat, are you accepting paypal donation ?
If yes please share it :)

Answer 6 · 2020-03-30T20:01:51.000Z

There's a $460 bounty on this BTW, @cosmosgenius
https://www.reddit.com/r/TweakBounty/comments/95f4iz/4001131_update_veency_to_work_with_electra/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
If it didn't expire at least.

Answer 7 · 2020-04-16T02:05:49.000Z

I think that one is dead, maybe start a new bounty for all his hard work?

Answer 8 · 2020-04-16T04:42:18.000Z

Why do you think it is dead @icanotc

Answer 9 · 2020-04-16T07:49:21.000Z

It's dead because "This thread is archived" at reddit, and nobody can reply, send or receive money with this status.

Answer 10 · 2020-04-16T10:33:05.000Z

@cosmosgenius: have you taken a look at how screen recordings work? Screen recordings work even when backboardd is dead. I kid you not, I can run killall backboardd and after backboardd and SpringBoard comes back it's still recording and has recorded the spinning circle and all. Also they are saved to the filysystem, so there may be a way to escape the sandbox and not use backboardd at all?

Ah, I see. I'd donate $5 if it worked on iOS 13.3.

Answer 11 · 2020-05-07T15:48:05.000Z

the thing is screen recording is just recording, you cant physically control the device anyways, so he still gotta implement a way to do it

Answer 12 · 2020-05-07T16:34:08.000Z

He talked specifically about getting the captured frames though ("I am looking at solution wherein i can some how pass the captured frames to another daemon"), I suggested he might use the screen recording function and make it send them over the network instead of saving them to a file. We don't know whether controlling the device works or not, but I think it's working just fine. Check out julioverne's simulate touch utility, it works fine on iOS 13.

Answer 13 · 2020-06-24T12:24:18.000Z

Use juiliovernes new fork, it works with ios 12 and 13

Answer 14 · 2020-06-26T10:45:33.000Z

I paid Julio for that fork :)