From 9c13120d67edbc817af749309b2c0fcbac63d253 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ole=20Andr=C3=A9=20Vadla=20Ravn=C3=A5s?=
Date: Mon, 27 Jan 2025 19:20:06 +0100
Subject: [PATCH] fruity: Fix lockdown over CoreDevice regression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Introduced by the recent change in d1df792, where our RSDCheckin includes an EscrowBag in order to support networked lockdown with services such as “com.apple.crashreportmover”. Turns out this broke support for quite a few other services, as the presence of an EscrowBag requires that the particular service is able to talk to AppleKeyStoreUserClient. Not yet sure how to handle this. For now we'll maintain a list of services that lack such privileges, so we can omit the EscrowBag for those. Kudos to @as0ler for reporting and helping troubleshoot.
---
 src/fruity/device-monitor.vala | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/fruity/device-monitor.vala b/src/fruity/device-monitor.vala
index 798620609..75a455e2d 100644
--- a/src/fruity/device-monitor.vala
+++ b/src/fruity/device-monitor.vala
@@ -188,6 +188,18 @@ namespace Frida.Fruity {
 new Gee.ArrayQueue ();
 private LockdownClient? cached_usbmux_lockdown_client;
 
+ private const string[] LOCKDOWN_SERVICES_WITHOUT_ESCROW_BAG_SUPPORT = {
+ "com.apple.accessibility.axAuditDaemon.remoteserver",
+ "com.apple.afc",
+ "com.apple.companion_proxy",
+ "com.apple.crashreportcopymobile",
+ "com.apple.GPUTools.MobileService",
+ "com.apple.idamd",
+ "com.apple.PurpleReverseProxy.Conn",
+ "com.apple.streaming_zip_conduit",
+ "com.apple.webinspector",
+ };
+
 internal void close () {
 transports.clear ();
 }
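Review bot: LOCKDOWN_SERVICES_WITHOUT_ESCROW_BAG_SUPPORT is declared without any comment saying what puts a service on the list, so the criterion lives only in the commit message. A comment above the constant, for example `// Services whose RSDCheckin fails when an EscrowBag is present, as they cannot talk to AppleKeyStoreUserClient.`, would keep that rationale next to the data. It would also help to note there that the list was built from observed failures and is not exhaustive, since every name missing from it still takes the EscrowBag path.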
@@ -248,7 +260,7 @@ namespace Frida.Fruity {
 checkin.set_string ("Label", "Xcode");
 checkin.set_string ("ProtocolVersion", "2");
 unowned Bytes? key = tunnel.remote_unlock_host_key;
- if (key != null)
+ if (key != null && lockdown_service_supports_escrow_bag (service_name))
 checkin.set_bytes ("EscrowBag", key);
 
 try {
@@ -286,6 +298,15 @@ namespace Frida.Fruity {
 return yield request.promise.future.wait_async (cancellable);
 }
 
+ // FIXME: Replace with `element in array`-check once Vala compiler bug has been fixed so generated C code is warning-free.
+ private static bool lockdown_service_supports_escrow_bag (string name) {
+ foreach (unowned string s in LOCKDOWN_SERVICES_WITHOUT_ESCROW_BAG_SUPPORT) {
+ if (s == name)
+ return false;
+ }
+ return true;
+ }
+
 private async void process_usbmux_lockdown_service_requests () {
 UsbmuxLockdownServiceRequest? req;
 bool already_invalidated = false;
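Review bot: The new condition still attaches `EscrowBag` for every service name that is not on the list, so `tunnel.remote_unlock_host_key` (key material, judging by its name) is sent by default to any lockdown service the caller asks for. A least-privilege default would omit it unless the service is known to need it, e.g. `if (key != null && lockdown_service_requires_escrow_bag (service_name))` backed by an allowlist, where the helper name is only a proposal and com.apple.crashreportmover is the one service the commit message names as needing the bag. That would presumably also keep unlisted services without AppleKeyStoreUserClient access from failing check-in. The helper added in the next hunk, lockdown_service_supports_escrow_bag, returns true for unknown names and would need the matching inversion. The enclosing method starts and ends outside this hunk.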
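Review bot: The FIXME above lockdown_service_supports_escrow_bag does not identify the Vala compiler bug it is waiting on, so nobody can tell when the loop may be replaced by `name in LOCKDOWN_SERVICES_WITHOUT_ESCROW_BAG_SUPPORT`. Adding the upstream reference to the comment, in the form `// FIXME: Replace with ... once Vala compiler bug <issue link> has been fixed ...`, makes the workaround removable. A one-line doc comment stating that the comparison is an exact, case-sensitive match and that unlisted names return true would make the default visible to callers.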