This project enables good-faith security researchers to investigate the iOS sandbox from different app perspectives. As sandbox profiles are huge in lines of code, undocumented, and hard to debug without a compiler (Apple does not ship one for iOS), we built a tool set to investigate system services, i.e. daemons and XPC services. Works on iOS 15.6 and tested with iOS 18.4 on an iPad.

The scripts now also support the current Frida version, which introduced a new API.
- `launchd_get_out_of_my_way.js`: Like "AMFI get out of my way", this script halts sandbox checks for mach lookups. Use the parameter `{"pid":1234}` to target a specific pid for incoming requests and `{"verbose":true}` for verbose connection output.
  - We target the `mach-lookup` operation of `sandbox_check_by_audit_token` to bypass the internal sandbox checks.
- `entitlement_get_out_of_my_way.js`: Like "AMFI get out of my way", this script modifies entitlement checks in programs. Use the parameter `{"pid":1234}` to target a specific pid for incoming requests and `{"verbose":true}` for verbose output.
  - As entitlement values are context specific, use the commented-out `this.shouldBypass` to substitute custom values.
To get a default view of reachable services, we developed a convenient option to sidestep the sandbox checks in launchd. If no pid is supplied, all mach-lookup sandbox requests are allowed. To target a specific process, adjust the pid.

```
frida -U -p 1 -l launchd_get_out_of_my_way.js -P '{"pid":-1,"verbose":true}'
```

Observe entitlement checks and replace return values if needed. All XPC functions reference `__xpc_copy_entitlements_data`, which I could not hook via Frida, so I focus only on the high-level XPC API and `SecTaskCopy`. Both end up in the same system call, `int csops_audittoken(pid_t pid, uint32_t ops, user_addr_t useraddr, user_size_t usersize, user_addr_t uaudittoken)`, which is documented in the XNU kernel sources. To target a specific process, adjust the pid. We left the `onLeave` callback blank; it is the place to modify the return value if needed.

```
frida -U -n nehelper -l entitlement_get_out_of_my_way.js -P '{"pid":-1,"verbose":true}'
```

The xpctest can also be injected into other services. However, steps 2) and 3) are not needed there, as exploring service reachability once is sufficient.
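The two hooks described above, written out as one Frida agent. This is an added example, not the project's `launchd_get_out_of_my_way.js` or `entitlement_get_out_of_my_way.js`. It assumes: the `audit_token_t` layout from `<bsm/audit.h>` (eight `uint32`, `val[5]` is the pid, passed by reference on arm64); that `sandbox_check_by_audit_token` is exported by `libsystem_sandbox.dylib` with the signature `int (audit_token_t, const char *op, int type, ...)` and that for `mach-lookup`/`mach-register` the variadic argument is the service name; that `xpc_connection_copy_entitlement_value` in `libxpc.dylib` is a suitable high-level XPC entitlement function to hook in a service; that the `-P` JSON is delivered to `rpc.exports.init`; and a constructed entitlement name in `ENTITLEMENT_OVERRIDES` standing in for the README's `this.shouldBypass`. The policy functions are kept separate from the Frida-specific code so they can be run and checked in plain Node.

```javascript
// Added example (not the project's scripts): policy helpers plus the two Frida
// hooks the README describes. The Frida part only runs when Frida globals
// exist, so the policy functions can be exercised in plain Node.

// audit_token_t is eight uint32 values and val[5] is the pid (layout assumed
// from <bsm/audit.h>; on arm64 the 32-byte struct arrives by reference in x0).
const AUDIT_TOKEN_PID_OFFSET = 5 * 4;

// Parameters from `frida -P '{"pid":1234,"verbose":true}'`. A missing pid or
// -1 means "every requester", matching the README's command lines.
function parseParams(p) {
  p = p || {};
  return {
    pid: Number.isInteger(p.pid) ? p.pid : -1,
    verbose: p.verbose === true,
  };
}

// Should launchd's sandbox_check_by_audit_token() verdict be forced to 0
// (allowed)? Only mach-lookup is rewritten; other operations keep the real verdict.
function shouldAllow(params, requesterPid, operation) {
  if (operation !== 'mach-lookup') return false;
  return params.pid === -1 || params.pid === requesterPid;
}

// Hypothetical stand-in for the README's commented-out this.shouldBypass:
// entitlement names whose value should be reported as true. Entitlement values
// are context specific, so this table has to be written per target service.
const ENTITLEMENT_OVERRIDES = new Set([
  'com.example.test.entitlement', // constructed name, not a real entitlement
]);
function shouldBypassEntitlement(params, requesterPid, name) {
  if (params.pid !== -1 && params.pid !== requesterPid) return false;
  return ENTITLEMENT_OVERRIDES.has(name);
}

// One log line in the README's output format, e.g.
// "Contacts(4825): mach-lookup(Unknown(3)) -> com.apple.foo => ACCEPT".
function formatEvent(requester, operation, filterType, target, allowed) {
  return `${requester}: ${operation}(Unknown(${filterType})) -> ${target}` +
         ` => ${allowed ? 'ACCEPT' : 'DENY'}`;
}

if (typeof Interceptor !== 'undefined') {
  let params = parseParams(null);
  // frida's -P JSON is delivered to rpc.exports.init(stage, parameters).
  rpc.exports = { init(stage, parameters) { params = parseParams(parameters); } };

  // Resolve exports on the Module object; this form works on the new Frida API too.
  const exp = (mod, name) => Process.getModuleByName(mod).getExportByName(name);

  if (Process.id === 1) {
    // Inside launchd (frida -U -p 1): hook the sandbox check itself.
    Interceptor.attach(exp('libsystem_sandbox.dylib', 'sandbox_check_by_audit_token'), {
      onEnter(args) {
        this.pid = args[0].add(AUDIT_TOKEN_PID_OFFSET).readU32();
        this.op = args[1].readUtf8String();
        this.type = args[2].toInt32();
        // Assumption: only name-based operations carry a C string in args[3].
        const named = this.op === 'mach-lookup' || this.op === 'mach-register';
        this.target = named && !args[3].isNull() ? args[3].readUtf8String() : '-';
      },
      onLeave(retval) {
        const forced = shouldAllow(params, this.pid, this.op);
        const allowed = forced || retval.toInt32() === 0;  // 0 == allowed
        if (forced) retval.replace(0);
        if (params.verbose) {
          console.log(formatEvent(`pid(${this.pid})`, this.op, this.type, this.target, allowed));
        }
      },
    });
  } else {
    // Inside a service (frida -U -n nehelper): rewrite entitlement lookups.
    const getPid = new NativeFunction(exp('libxpc.dylib', 'xpc_connection_get_pid'), 'int', ['pointer']);
    const xpcBool = new NativeFunction(exp('libxpc.dylib', 'xpc_bool_create'), 'pointer', ['bool']);
    Interceptor.attach(exp('libxpc.dylib', 'xpc_connection_copy_entitlement_value'), {
      onEnter(args) {
        this.pid = getPid(args[0]);
        this.name = args[1].readUtf8String();
      },
      onLeave(retval) {
        const bypass = shouldBypassEntitlement(params, this.pid, this.name);
        // The caller owns the returned object, so a fresh xpc_bool is safe to hand back.
        if (bypass) retval.replace(xpcBool(true));
        if (params.verbose) {
          console.log(`pid(${this.pid}): entitlement ${this.name} => ${bypass ? 'FORCED true' : 'real value'}`);
        }
      },
    });
  }
}
```

Load the same file into launchd or into a service with the two `frida` command lines shown above; the agent picks the hook from `Process.id`. Forcing `sandbox_check_by_audit_token` to 0 only answers the question "is this service reachable"; the service itself may still reject the connection on its own entitlement check, which is what the second hook is for.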
While playing with the Contacts app, I observed the lookup/register numbers 3 and 4825:

```
Contacts(4825): mach-register(Unknown(3)) -> com.apple.assistant.contextprovider.com.apple.MobileAddressBook => ACCEPT
Contacts(4825): mach-lookup(Unknown(3)) -> com.apple.assistant.contextprovider.com.apple.MobileAddressBook => ACCEPT
Contacts(4825): mach-register(Unknown(3)) -> com.apple.assistant.contextprovider.com.apple.MobileAddressBook => ACCEPT
Contacts(4825): mach-lookup(Unknown(3)) -> com.apple.assistant.contextprovider.com.apple.MobileAddressBook => ACCEPT
Contacts(4825): mach-register(Unknown(3)) -> com.apple.assistant.contextprovider.com.apple.MobileAddressBook => ACCEPT
```
License: MIT