Launch app with JIT on same device
ViRb3 opened this issue · 12 comments
Hello. Looking at the code, it seems to me that it should be possible to launch an app with JIT on the same device instead of having a secondary device. libimobiledevice supports a detached debug mode which doesn't need a daemon to be tethered to the JIT app. Is there a technical limitation that I'm missing? Thanks
iOS rejects debug packets coming from loopback network devices. If you find a way to fake the source network device with an app running locally on the device, this would work.
I think using a fake VPN that just redirects outgoing traffic back to the device with a spoofed sender might work.
At the very least, people have successfully remote debugged when using an OpenVPN server (but only when on Wi-Fi, not mobile data?).
https://stackoverflow.com/questions/49267354/iphone-remote-debugging-over-vpn-connection
That also seems like a solution Apple can't really ever fully "fix", unless remote debugging working over a VPN is unintended behavior.
I am really excited to share that this showed really promising results! Creating a simple WireGuard VPN and "reflecting" the traffic back to the phone, I was able to get up to the stage of mounting the developer image. Unfortunately, for some reason that I still don't know, it seems to be very slow, so it eventually times out after a few minutes of trying to mount the image. I will be investigating this in the coming days, but it has huge potential for becoming a revolutionary JIT bypass.
For those interested, here are my iptables rules used to reflect back the traffic:

```shell
# Anything the phone sends to the decoy address is delivered back to the phone itself
# (requires net.ipv4.ip_forward=1 on the VPN server)
iptables -t nat -A PREROUTING -d 10.8.0.69/32 -j DNAT --to-destination 10.8.0.101
# Rewrite the source so the phone sees the server, not itself, as the sender
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
```

10.8.0.101 = Phone IP address
10.8.0.69 = Imaginary IP address that will simply reflect back the traffic
Thanks @ViRb3 for testing VPN reflection. Since that worked it wasn’t a stretch to assume that a custom VPN created on device would work as well so I took the time to implement it (didn’t want to before as it might have been a waste of time). The downside is you need a $99/year developer account to use it (or one of those UDID registration services that lets you buy a certificate from them for a few bucks). d701acf
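Added example, not code from this thread and not Jitterbug's or Jitterbug Tunnel's own implementation: the packet rewrite that both approaches above rely on, the iptables DNAT + MASQUERADE pair on a WireGuard server and a packet tunnel provider doing the same thing on the phone, reduced to one function. A packet the phone sends to a decoy address comes back addressed to the phone with the reflector's address as its source, so the receiving side never sees a loopback sender. The addresses (phone 10.8.0.101, decoy 10.8.0.69, reflector 10.8.0.1), the port numbers and the sample packet are assumptions constructed for this example; only IPv4 carrying TCP or UDP is handled.

```python
"""Reflect IPv4 packets PHONE -> DECOY into REFLECTOR -> PHONE, recomputing checksums.

Added example: the addresses below are assumptions, not values from the thread.
"""
import ipaddress
import struct

PHONE = "10.8.0.101"     # phone's tunnel address (assumption)
DECOY = "10.8.0.69"      # address the phone is told to connect to (assumption)
REFLECTOR = "10.8.0.1"   # source the reflected packet claims (assumption)

TCP, UDP = 6, 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum of 16-bit words, folded to 16 bits (no final complement)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def pseudo_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """IPv4 pseudo-header that TCP and UDP checksums cover: both addresses are in it."""
    return src + dst + struct.pack("!BBH", 0, proto, length)


def fix_l4_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> bytes:
    """Return the TCP/UDP segment with its checksum recomputed for src/dst."""
    if proto == TCP:
        off = 16
    elif proto == UDP:
        off = 6
        if segment[6:8] == b"\x00\x00":  # UDP checksum is optional; leave it absent
            return segment
    else:
        return segment  # other protocols: nothing to fix here
    zeroed = segment[:off] + b"\x00\x00" + segment[off + 2:]
    c = checksum(pseudo_header(src, dst, proto, len(segment)) + zeroed)
    if proto == UDP and c == 0:
        c = 0xFFFF  # UDP transmits a computed zero as all-ones
    return zeroed[:off] + struct.pack("!H", c) + zeroed[off + 2:]


def build_tcp_segment(sport: int, dport: int, payload: bytes, flags: int = 0x02) -> bytes:
    """Constructed test input: minimal 20-byte TCP header (checksum filled in later)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload


def build_packet(src: str, dst: str, proto: int, segment: bytes) -> bytes:
    """Constructed test input: IPv4 header + L4 segment, both checksums valid."""
    s = ipaddress.IPv4Address(src).packed
    d = ipaddress.IPv4Address(dst).packed
    segment = fix_l4_checksum(s, d, proto, segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000, 64, proto, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment


def reflect(packet: bytes):
    """DNAT and SNAT in one step: PHONE->DECOY becomes REFLECTOR->PHONE.

    Returns the rewritten packet, or None when the packet is not for the decoy
    (a real reflector would forward those unchanged)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if packet[16:20] != ipaddress.IPv4Address(DECOY).packed or packet[12:16] != ipaddress.IPv4Address(PHONE).packed:
        return None
    new_src = ipaddress.IPv4Address(REFLECTOR).packed
    new_dst = ipaddress.IPv4Address(PHONE).packed
    hdr = bytearray(packet[:ihl])
    hdr[12:16] = new_src
    hdr[16:20] = new_dst
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    # The L4 checksum covers the pseudo-header, so it must be redone after the swap.
    return bytes(hdr) + fix_l4_checksum(new_src, new_dst, proto, packet[ihl:])


def addresses(packet: bytes):
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


def checksums_valid(packet: bytes) -> bool:
    """A correct header sums to 0xFFFF when its own checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:
        return False
    proto, seg = packet[9], packet[ihl:]
    if proto not in (TCP, UDP) or (proto == UDP and seg[6:8] == b"\x00\x00"):
        return True
    return ones_complement_sum(pseudo_header(packet[12:16], packet[16:20], proto, len(seg)) + seg) == 0xFFFF
```

On the server the two iptables rules do exactly this inside the kernel; in an on-device packet tunnel provider, `reflect` would be applied to every outbound packet read from the tunnel and the result written back as inbound traffic. Recomputing the TCP/UDP checksum is the part that is easy to forget: it covers a pseudo-header containing both addresses, so a reflector that only patches the IP header produces segments the phone's network stack silently drops.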
Thank you! I'm really happy to hear that this works!
Hey, I have this kind of certificate! How can I do that? And does it work on iOS 15 too?
@osy And should I sign Jitterbug and Jitterbug Tunnel? Because I only have one bundle ID with that specific feature
You need to sign both, two bundle ids are required.
Oh, thanks. Hey, can you help me? I have on my primary device the same bug as in the Delta emulator: when I try to import the support files and press on a file in the file selection window, nothing happens :(
All right, that's sad, but on iOS 15 the apps crash when you launch them.
Edit: it worked on iOS 15b1 on my iPhone 12 Pro Max, I love it!!!
But the disk image was not recognized properly, and on macOS I get the error: Couldn't mount disk image.