osy/Jitterbug

Launch app with JIT on same device

ViRb3 opened this issue · 12 comments

ViRb3 commented

Hello. Looking at the code, it seems to me that it should be possible to launch an app with JIT on the same device instead of having a secondary device. libimobiledevice supports detached debug mode, which doesn't need a daemon to be tethered to the JIT app. Is there a technical limitation that I'm missing? Thanks

iOS rejects debug packets coming from loopback network devices. If you find a way to fake the source network device with an app running locally on the device, this would work.

I think using a fake vpn that just redirects outgoing traffic back to the device with a spoofed sender might work.

At the very least people have successfully remote debugged when using an openvpn server (but only when on wifi, not mobile data?).

https://stackoverflow.com/questions/49267354/iphone-remote-debugging-over-vpn-connection

That also seems like a solution apple can't really ever fully "fix" unless remote debugging working over a vpn is unintended behavior.

ViRb3 commented

Very interesting share @jakibaki! I will test this tonight and report back.

ViRb3 commented

I am really excited to share that this showed really promising results! Creating a simple WireGuard VPN and "reflecting" the traffic back to the phone, I was able to go up to the stage of mounting the developer image. Unfortunately, for some reason that I still don't know, it seems to be very slow, so it eventually times out after a few minutes of trying to mount the image. I will be investigating this in the coming days, but it has huge potential for becoming a revolutionary JIT bypass.

For those interested, here are my iptables rules used to reflect back the traffic:

iptables -t nat -A PREROUTING -d 10.8.0.69/32 -j DNAT --to-destination 10.8.0.101
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE

10.8.0.101 = Phone IP address
10.8.0.69 = Imaginary IP address that will simply reflect back the traffic

osy commented

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf
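The two iptables rules above and the on-device VPN that replaces them do the same thing at packet level: a packet the phone sends to the imaginary reflector address is turned around so that it arrives back at the phone from a non-loopback source, and the phone's replies are un-NATed so they appear to come from the reflector. The following Python model is an added example written for this thread; it is not Jitterbug's or JitterbugTunnel's code. It uses the thread's 10.8.0.101 (phone) and 10.8.0.69 (reflector); 10.8.0.1 as the VPN server's own address (what MASQUERADE substitutes for the source) is an assumption, and the packets it processes are constructed inline. It also carries the small piece of state the iptables rules get for free from conntrack: reversing the translation on the reply path.

```python
"""Packet-level model of the VPN reflection trick (added example, not project code)."""
import socket
import struct

# Addresses from the thread; SERVER_IP is an assumed WireGuard server address.
PHONE_IP = "10.8.0.101"   # the phone's VPN address
REFLECT_IP = "10.8.0.69"  # imaginary address the phone connects to
SERVER_IP = "10.8.0.1"    # assumed: what MASQUERADE rewrites the source to

TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (verifies to 0 over a checksummed header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload=b"") -> bytes:
    """Constructed IPv4+TCP packet (20-byte headers, no options) for testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(packet: bytes):
    """Return (header length, src, dst, sport, dport) of an IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return ihl, src, dst, sport, dport


def rewrite(packet: bytes, ihl: int, src: str, dst: str) -> bytes:
    """Replace the IPv4 addresses and fix both checksums (TCP's covers the pseudo-header)."""
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = socket.inet_aton(src)
    hdr[16:20] = socket.inet_aton(dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    tcp = bytearray(packet[ihl:])
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, TCP, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(hdr + tcp)


class Reflector:
    """The two iptables rules plus the conntrack state that reverses them for replies."""

    def __init__(self):
        self.conns = set()  # (phone port, reflector port) of flows we have translated

    def translate(self, packet: bytes):
        if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != TCP:
            return None  # only IPv4/TCP is modelled here
        ihl, src, dst, sport, dport = parse(packet)
        if src == PHONE_IP and dst == REFLECT_IP:
            # PREROUTING DNAT (dst -> phone), then POSTROUTING MASQUERADE (src -> server):
            # the packet returns to the phone from a real peer address, not loopback.
            self.conns.add((sport, dport))
            return rewrite(packet, ihl, SERVER_IP, PHONE_IP)
        if src == PHONE_IP and dst == SERVER_IP and (dport, sport) in self.conns:
            # Reply from the phone's listener: undo the NAT so it comes "from" the reflector.
            return rewrite(packet, ihl, REFLECT_IP, PHONE_IP)
        return None  # not a reflected flow; ordinary routing applies


if __name__ == "__main__":
    r = Reflector()
    out = r.translate(build_packet(PHONE_IP, REFLECT_IP, 50000, 1234, b"hi"))
    print(parse(out))  # (20, '10.8.0.1', '10.8.0.101', 50000, 1234)
```

Both checksums are recomputed because the TCP checksum includes the addresses via the pseudo-header; a reflector that only patches the IP header produces packets the phone's stack silently drops, which is one place to look when a tunnel implementation "connects" but never completes the handshake.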

ViRb3 commented

@osy you are absolutely on fire, thank you!

Thank you! I'm really happy to hear that this works!

iMonZ commented

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf

Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?

iMonZ commented

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf

Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf
@osy

And should I sign Jitterbug and Jitterbug tunnel? Because I only have one bundle id with that specific feature

ViRb3 commented

You need to sign both, two bundle ids are required.

iMonZ commented

You need to sign both, two bundle ids are required.

Oh, thanks. Hey, can you help me? On my primary device I have the same bug as in the Delta emulator: when I try to import the support files and press on a file in the file selection window, nothing happens :(

iMonZ commented

Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf

Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?

All right, that's sad, but on iOS 15 the apps crash when you launch them.

edit: it worked on iOS 15b1 on my iPhone 12 Pro Max, I love it!!!
But the disk image was not recognized properly, and on macOS I get the error: Couldn't mount disk image.