Jailbroken iPhone (iPad or iPod)
Getting debugserver
- Create a simple single-view project in Xcode and run it once on the iPhone. After that the device has debugserver under /Developer/usr/bin
- Alternatively, locate the DeveloperDiskImage.dmg for the matching iOS version under /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/ and extract debugserver from it
Adding entitlements
Split the fat binary (64-bit devices, iPhone 5s and later, need the arm64 slice; older devices use armv7s):
    lipo -thin armv7s ~/debugserver -output ~/debugserver_7s
    lipo -thin arm64 ~/debugserver -output ~/debugserver_64
Force-add the entitlements with an ad-hoc signature (-s -):
    codesign -s - --entitlements entitlements.xml -f debugserver_7s
Check the entitlements that are actually embedded (the ":-" form strips the blob header and prints plain XML):
    codesign -d --entitlements :- debugserver_7s
    codesign -d --entitlements - debugserver_7s
Entitlements file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.backboardd.debugapplications</key>
    <true/>
    <key>com.apple.backboardd.launchapplications</key>
    <true/>
    <key>com.apple.springboard.debugapplications</key>
    <true/>
    <key>run-unsigned-code</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
</dict>
</plist>
Set up port forwarding (22 for ssh, 8341 for debugserver)
./tcprelay.py -i 192.168.0.119 -b 8192 -t 22:2222 8341:8341
ssh -v root@192.168.0.119 -p 2222
Attach to the process being debugged (on the device)
debugserver *:8341 --attach Preferences
Start lldb (on the host)
(lldb) platform select remote-ios
(lldb) process connect connect://192.168.0.119:8341
The port in process connect must be the one debugserver is listening on and tcprelay is forwarding (8341 above); connecting to any other port simply fails.
(lldb) po [[UIApp keyWindow] recursiveDescription]
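The steps above, wrapped in one POSIX shell script as an added example (this is not code from the original notes). It assumes a macOS host with lipo and codesign, the tcprelay forward already running with the same host and ports as in the notes (ssh on 2222, debugserver on 8341), and a jailbroken device reachable as root. The function names (write_entitlements, check_entitlements_file, prep_debugserver, deploy_and_attach, lldb_connect_script) are mine. The part the notes leave implicit is the verification: after codesign returns, the script reads the entitlements back with codesign -d --entitlements :- and refuses to deploy unless every required key is present and set to true, since a debugserver missing task_for_pid-allow will attach to nothing.

```shell
#!/bin/sh
# Added example (not the original notes' code): thin -> re-sign with
# entitlements -> verify what was embedded -> copy to device -> attach.
# Assumes macOS host tools (lipo, codesign, scp, ssh) and a running
# tcprelay forward: ssh on $SSH_PORT, debugserver on $DBG_PORT.
set -e

# The six entitlements from entitlements.xml above; each must be <true/>.
REQUIRED_ENTITLEMENTS="com.apple.backboardd.debugapplications
com.apple.backboardd.launchapplications
com.apple.springboard.debugapplications
run-unsigned-code
get-task-allow
task_for_pid-allow"

# Write the entitlements plist to $1 (same content as the file above).
write_entitlements() {
    out="$1"
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        printf '%s\n' '<plist version="1.0">' '<dict>'
        for key in $REQUIRED_ENTITLEMENTS; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        printf '%s\n' '</dict>' '</plist>'
    } > "$out"
}

# $1: an entitlements XML file, either the one we sign with or the one
# `codesign -d --entitlements :-` printed back for the signed binary.
# Returns 1 and lists the offenders if any required key is absent or not
# immediately followed by <true/>. Newlines are stripped first so the
# check works on both pretty-printed and single-line plists.
check_entitlements_file() {
    file="$1"
    missing=""
    flat=$(tr -d '\n\r\t' < "$file")
    for key in $REQUIRED_ENTITLEMENTS; do
        printf '%s' "$flat" | grep -q "<key>$key</key>[[:space:]]*<true/>" \
            || missing="$missing $key"
    done
    if [ -n "$missing" ]; then
        echo "missing or not <true/>:$missing" >&2
        return 1
    fi
    return 0
}

# $1: fat debugserver, $2: arm64 or armv7s, $3: entitlements file.
# Prints the path of the thinned, re-signed, verified binary.
prep_debugserver() {
    fat="$1"; arch="$2"; ents="$3"
    out="${fat}_${arch}"
    lipo -thin "$arch" "$fat" -output "$out"
    codesign -s - --entitlements "$ents" -f "$out"
    # Do not trust codesign's exit status alone: read back what was embedded.
    codesign -d --entitlements :- "$out" 2>/dev/null > "$out.ents"
    check_entitlements_file "$out.ents"
    echo "$out"
}

# $1: verified binary, $2: host, $3: ssh port, $4: debugserver port,
# $5: process name to attach to (e.g. Preferences).
deploy_and_attach() {
    bin="$1"; host="$2"; sshport="$3"; dbgport="$4"; proc="$5"
    scp -P "$sshport" "$bin" "root@$host:/usr/bin/debugserver"
    ssh -p "$sshport" "root@$host" \
        "chmod +x /usr/bin/debugserver && /usr/bin/debugserver '*:$dbgport' --attach '$proc'"
}

# Print the lldb commands with the port matching what debugserver listens on.
lldb_connect_script() {
    printf 'platform select remote-ios\nprocess connect connect://%s:%s\n' "$1" "$2"
}

# Usage: sh prep_debugserver.sh <fat-debugserver> <arm64|armv7s> <host> <ssh-port> <dbg-port> <process>
# e.g.:  sh prep_debugserver.sh ~/debugserver arm64 192.168.0.119 2222 8341 Preferences
if [ $# -eq 6 ]; then
    write_entitlements ./entitlements.xml
    bin=$(prep_debugserver "$1" "$2" ./entitlements.xml)
    lldb_connect_script "$3" "$5"
    deploy_and_attach "$bin" "$3" "$4" "$5" "$6"
fi
```

Run the lldb lines it prints in a second terminal once debugserver reports it is listening; the attach call stays in the foreground on the ssh session, which is where debugserver's own messages appear.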