Debugging iOS Apps

Woefully Incomplete...

With a bit of setup, we can debug an iOS application using the Low Level Debugger (lldb) on macOS and debugserver running on the device. The debugserver executable does not exist on the device by default. It is recommended that you install the jbutils.deb package on your jailbroken device. This package has a fully signed debugserver included.

Device

On the device, launch debugserver to attach to your application process and have it listen on a TCP port of your choosing - I use 6666 in the examples below, but any port works.

debugserver localhost:6666 -a ProcessName

(where ProcessName is the name of the running process on the device)

A full example is below:

iPhone8:~ root# debugserver localhost:6666 -a Investor
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-360.0.26.14
for arm64.
Attaching to process Investor...
Listening to port 6666 for a connection from localhost...

macOS

We will use the lldb command on the macOS system. For stability, we will set up a port-forwarding proxy (iproxy, from libimobiledevice) so that the connection goes over the USB cable rather than Wi-Fi.

To set up the proxy (local port first, then the port debugserver is listening on):

iproxy 6666 6666 &

(substitute your port numbers above)

Launch LLDB:

lldb

Next, we will select the iOS platform and connect to the running process on the device. To do this, enter platform select remote-ios at the (lldb) prompt.

(lldb) platform select remote-ios
Platform: remote-ios
Connected: no
SDK Roots: [ 1] "/Users/steve/Library/Developer/Xcode/iOS DeviceSupport/14.2 (18B92)"
(lldb)

Once you are returned to the prompt, connect to the process by running process connect connect://localhost:6666:

(lldb) process connect connect://localhost:6666
Process 1386 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x00000001b837e644 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x1b837e644 <+8>: ret

libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x1b837e648 <+0>: mov x16, #-0x20
0x1b837e64c <+4>: svc #0x80
0x1b837e650 <+8>: ret
Target 0: (Investor) stopped.
(lldb)

At this point, we are connected to the process and the debugger has halted execution of the app on the device. To start it back up, type continue (or its alias c) at the prompt. To halt execution again, run the process interrupt command.

(lldb) c
Process 1386 resuming

(lldb) process interrupt
Process 1386 stopped
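The macOS side of the procedure above (start the proxy, then run the two lldb commands) gathered into one script. This is an added example, not code from the original page; it assumes debugserver is already listening on the device on the chosen port (see the Device section) and that iproxy, nc and lldb are on the PATH. The helper names (validate_port, connect_url, wait_for_port, attach) are mine.

```shell
#!/bin/sh
# Added example, not from the original page: the macOS half of the procedure
# above (iproxy forward, then lldb with the two commands batched via -o).
# Assumes debugserver is already listening on the device on $PORT and that
# iproxy, nc and lldb are on the PATH.
set -eu

PORT="${PORT:-6666}"                 # same local/remote port as the page
PORT_WAIT="${PORT_WAIT:-10}"         # seconds to wait for iproxy to listen

# Accept only an unprivileged TCP port (1024-65535) made of digits.
validate_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# The URL the page passes to "process connect".
connect_url() {
  printf 'connect://localhost:%s' "$1"
}

# Poll until the forwarded port accepts TCP connections, or give up.
wait_for_port() {
  port="$1"; tries="$2"
  while [ "$tries" -gt 0 ]; do
    nc -z localhost "$port" 2>/dev/null && return 0
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

attach() {
  validate_port "$PORT" || { echo "invalid port: $PORT" >&2; return 2; }
  iproxy "$PORT" "$PORT" &           # forward localhost:$PORT over USB
  IPROXY_PID=$!
  trap 'kill "$IPROXY_PID" 2>/dev/null' EXIT INT TERM   # tear down on exit
  wait_for_port "$PORT" "$PORT_WAIT" || { echo "iproxy is not listening on $PORT" >&2; return 3; }
  # Same two interactive steps as the page, run before lldb shows its prompt.
  lldb -o "platform select remote-ios" -o "process connect $(connect_url "$PORT")"
}

# Only attach when invoked explicitly, so the helpers can be sourced alone.
if [ "${1:-}" = "--attach" ]; then
  attach
fi
```

Run it as `PORT=6666 sh attach.sh --attach`; lldb leaves you at the (lldb) prompt with the process stopped, exactly as in the transcript above.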

LLDB

Tutorial: https://lldb.llvm.org/use/tutorial.html