Problems with spawning and debugging a binary on jailbroken ios 13.3 device

Question

I created an helloworld app with Xcode and run it. The binary is installed in /var/containers/Bundle/Application/123455-D134F-1234-3414-123123451/helloworld.app/helloworld

With debugserver, installed with Cydia, I can attach to processes and debug them, but only after having started them manually from the main screen.

When I try to spawn the program and debug it with lldb, the following happens: lldb attaches successfully, I then issue a "continue", the program crashes with SIGABRT.

Similarly, I get an error by trying to spawn it with frida-trace: Process crashed: SIGABRT. ... Error Formulating Crash Report: Symbolication has been requested by preference. On the contrary, Frida-trace works normally if I attach to the PID.

Here below the outputs:

root# debugserver localhost:1111 /var/containers/Bundle/Application/123455-D134F-1234-3414-123123451/helloworld.app/helloworld
debugserver-@(#)PROGRAM:LLDB  PROJECT:lldb-10.0.0
 for arm64.
Listening to port 1111 for a connection from localhost...
Got a connection, launched process /var/containers/Bundle/Application/123455-D134F-1234-3414-123123451/helloworld.app/helloworld (pid = 742).

$ lldb
(lldb) process connect connect://localhost:1111
Process 742 stopped
* thread #1, stop reason = signal SIGSTOP
...
Target 0: (helloworld) stopped.
(lldb) continue
Process 742 resuming
Process 742 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGABRT
    frame #0: 0x00000001a81c1ec4 libsystem_kernel.dylib`__pthread_kill + 8
libsystem_kernel.dylib`__pthread_kill:
->  0x1a81c1ec4 <+8>:  b.lo   0x1a81c1ee0               ; <+36>
    0x1a81c1ec8 <+12>: stp    x29, x30, [sp, #-0x10]!
    0x1a81c1ecc <+16>: mov    x29, sp
    0x1a81c1ed0 <+20>: bl     0x1a81a0f64               ; cerror_nocancel
Target 0: (helloworld) stopped.
(lldb)

$ a=/var/containers/Bundle/Application/123455-D134F-1234-3414-123123451/helloworld.app/helloworld
$ frida-trace  -U -f $a  | tee /tmp/aa
Spawning `/var/containers/Bundle/Application/123455-D134F-1234-3414-123123451/helloworld.app/helloworld`...
Instrumenting...
Started tracing 0 functions. Press Ctrl+C to stop.
Process crashed: SIGABRT
...
Thread 0 Crashed:
0   libsystem_kernel.dylib          0x00000001a81c1ec4 __pthread_kill + 8
...
Thread 11 name:  com.apple.uikit.eventfetch-thread
Thread 11:
0   libsystem_kernel.dylib          0x00000001a81a0634 mach_msg_trap + 8
1   CoreFoundation                  0x00000001a8348288 __CFRunLoopServiceMachPort + 216
2   CoreFoundation                  0x00000001a83433a8 __CFRunLoopRun + 1444
3   CoreFoundation                  0x00000001a8342adc CFRunLoopRunSpecific + 464
4   Foundation                      0x00000001a8682784 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 228
5   Foundation                      0x00000001a8682664 -[NSRunLoop(NSRunLoop) runUntilDate:] + 88
6   UIKitCore                       0x00000001ac4e8e80 -[UIEventFetcher threadMain] + 152
7   Foundation                      0x00000001a87b309c __NSThread__start__ + 848
8   libsystem_pthread.dylib         0x00000001a80e5d8c _pthread_start + 156
9   libsystem_pthread.dylib         0x00000001a80e976c thread_start + 8

Answer 1

Using a tweak with Theos, add a sleep (say 15 seconds) in %ctor { }. In this way, when the app starts, you have some seconds to connect with debugserver, attach with lldb and interrupt the process. Then you can debug normally.

I found that a maximum of 19 seconds can be waited in ctor, otherwise the app is killed.

Regarding the cause about not being able to spawn from debugserver, maybe it is because UI apps cannot be run from background on IOS. See, in fact, this question: launch gui through command line

Answer 2

Debugging on a jailbroken device still needs you to open the app first. You can install various tweaks to launch apps from the command line, but the standard procedure is to start the app normally, then use ps -ax to list the PIDs, find the PID of the app and then attach to it.