Messages in frida

[2017-07-20 16:45:32] hostile : @hostile has joined the channel
[2017-07-20 16:45:55] hostile : <https://www.frida.re/docs/installation/>
[2017-07-20 16:46:06] hostile :
```python
import frida

# Attach to the running "Assistant" process and list the modules it has loaded
session = frida.attach("Assistant")
print([x.name for x in session.enumerate_modules()])
```
[2017-07-20 17:53:33] hostile : Just doing some basic tests...
[2017-07-20 17:53:36] hostile :
```
$ frida-trace -i "recv*" -i "send*" Assistant
Instrumenting functions...
recvfrom$NOCANCEL: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/recvfrom_NOCANCEL.js"
recvfrom: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/recvfrom.js"
recvmsg_x: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/recvmsg_x.js"
recvmsg: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/recvmsg.js"
recv: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_c.dylib/recv.js"
recv$NOCANCEL: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_c.dylib/recv_NOCANCEL.js"
recvmsg$NOCANCEL: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/recvmsg_NOCANCEL.js"
sendDaemonXPCMessageWithCFObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOBluetooth/sendDaemonXPCMessageWithCFObject.js"
sendDaemonXPCMessageWithNSArray: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOBluetooth/sendDaemonXPCMessageWithNSArray.js"
sendDaemonXPCMessageWithReply: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOBluetooth/sendDaemonXPCMessageWithReply.js"
sendDaemonXPCMessageWithCFArrayAndReply: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOBluetooth/sendDaemonXPCMessageWithCFArrayAndReply.js"
sendDaemonXPCMessageWithReplySync: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOBluetooth/sendDaemonXPCMessageWithReplySync.js"
sendRawHCIRequest: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOBluetooth/sendRawHCIRequest.js"
send: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_c.dylib/send.js"
sendmsg$NOCANCEL: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/sendmsg_NOCANCEL.js"
sendfile: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/sendfile.js"
sendmsg: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/sendmsg.js"
sendmsg_x: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/sendmsg_x.js"
sendto: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/sendto.js"
sendto$NOCANCEL: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_kernel.dylib/sendto_NOCANCEL.js"
send$NOCANCEL: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libsystem_c.dylib/send_NOCANCEL.js"
sendAsyncReleaseMsg: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOKit/sendAsyncReleaseMsg.js"
sendAsyncAssertionMsg: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOKit/sendAsyncAssertionMsg.js"
sendUserActivityMsg: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/IOKit/sendUserActivityMsg.js"
Started tracing 24 functions. Press Ctrl+C to stop.
```
[2017-07-20 17:53:55] hostile :
```
/* TID 0x730f */
60605 ms recv()
60605 ms | recvfrom()
/* TID 0x307 */
60617 ms send()
60617 ms | sendto()
/* TID 0x730f */
60617 ms recv()
60617 ms | recvfrom()
```
[2017-07-20 18:05:31] aciid : @aciid has joined the channel
[2017-07-20 18:06:49] aciid : hey @hostile, have you found out whether the electron app unpacks the application JS files on boot, or are they stored under "application support" perhaps?
[2017-07-20 18:08:19] hostile : I had seen some folks on the github tampering with electron... but not done much myself. <https://github.com/mefistotelis/phantom-firmware-tools/issues/25#issuecomment-308564662>
[2017-07-20 18:08:48] aciid : I'm interested in particular about the way they ship the application. could look into that in this context myself
[2017-07-20 18:22:53] hostile : yeah I have extracted, and read around inside... per the above github link.
[2017-07-20 18:23:01] hostile : I am loosely familiar, just not dug in quite yet.
[2017-07-20 18:23:29] aciid : oh yeah, didn't see that one too many things to follow
[2017-07-20 18:23:49] hostile : tell me about it!
[2017-07-20 18:23:49] hostile : lol
[2017-07-20 18:28:32] bin4ry : @bin4ry has joined the channel
[2017-07-20 19:00:01] hostile :
```
22121 ms | SCNetworkServiceGetServiceID()
22121 ms SCNetworkServiceGetServiceID()
/* TID 0x9507 */
26560 ms IOCreatePlugInInterfaceForService()
26560 ms | IOServiceOpen()
/* TID 0x307 */
26746 ms _ZN27QextSerialEnumeratorPrivate20getServiceDetailsOSXEjP12QextPortInfo()
29269 ms _ZN23DJIAppreciationServicerC1E13COMM_DEV_TYPES0_P18DJIDeviceCommandIo11COMM_DEV_IDS3_()
29269 ms | _ZN23DJIAppreciationServicerC2E13COMM_DEV_TYPES0_P18DJIDeviceCommandIo11COMM_DEV_IDS3_()
29269 ms | | _ZNK23DJIAppreciationServicer10metaObjectEv()
29269 ms | | _ZNK23DJIAppreciationServicer10metaObjectEv()
/* TID 0x8267 */
29483 ms DNSServiceQueryRecord()
29484 ms DNSServiceQueryRecord()
29484 ms DNSServiceRefSockFD()
29484 ms DNSServiceProcessResult()
30316 ms DNSServiceProcessResult()
30316 ms DNSServiceRefDeallocate()
30316 ms DNSServiceRefDeallocate()
30450 ms DNSServiceQueryRecord()
30450 ms DNSServiceQueryRecord()
30451 ms DNSServiceRefSockFD()
30451 ms DNSServiceProcessResult()
30451 ms DNSServiceRefDeallocate()
30451 ms DNSServiceRefDeallocate()
/* TID 0x607b */
31986 ms xpc_connection_create_mach_service()
31987 ms IOServiceMatching()
31987 ms IOServiceAddMatchingNotification()
31987 ms SCDynamicStoreKeyCreateNetworkServiceEntity()
31988 ms copyPrimaryWLANNetworkService()
31988 ms | copyWLANNetworkServices()
31988 ms | | SCNetworkSetCopyServices()
31989 ms | | SCNetworkSetGetServiceOrder()
31989 ms | | SCNetworkServiceGetServiceID()
31989 ms | | SCNetworkServiceGetServiceID()
31989 ms | | SCNetworkServiceGetServiceID()
31989 ms | | SCNetworkServiceGetServiceID()
31989 ms | | SCNetworkServiceGetInterface()
31989 ms | | | IOServiceGetMatchingServices()
31990 ms | | SCNetworkServiceGetServiceID()
31990 ms | | SCNetworkServiceGetServiceID()
31990 ms | | SCNetworkServiceGetServiceID()
```
[2017-07-20 19:00:12] hostile : $ frida-trace -i "*ervice*" Assistant
[2017-07-20 19:00:22] hostile : @bin4ry frida works on iOS btw...
[2017-07-20 19:02:15] hotelzululima : @hotelzululima has joined the channel
[2017-07-20 19:03:26] hostile :
```
$ frida-trace -i "*download*" Assistant
Instrumenting functions...
_ZN13QNetworkReply16downloadProgressExx: Loaded handler at "/Users/kfinisterre/Desktop/frida/__handlers__/QtNetwork/_ZN13QNetworkReply16downloadProgressExx.js"
_ZN15FlightFileView223download_wm220_rc_filesERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15FlightFileView223download_w_-59c640f1.js"
_ZN6RCFile12downloadFileERK7QStringS2_S2_: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN6RCFile12downloadFileERK7QStringS2_S2_.js"
_ZN15FlightFileView220download_wm220_filesERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15FlightFileView220download_w_-1561dc47.js"
_ZN15FlightFileView235process_compress_download_data_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15FlightFileView235process_co_-51043af9.js"
_ZN14FlightFileView26process_download_data_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN14FlightFileView26process_dow_05a0e0a8.js"
_ZN13WM100Exporter12downloadFileERK7QStringS2_b: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN13WM100Exporter12downloadFile_4163fd74.js"
_ZN15FlightFileView216download_fc_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15FlightFileView216download_f_-3bf0f5b4.js"
_ZN11qFCFilePage12downloadFileERK7QStringS2_: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN11qFCFilePage12downloadFileER_-3a80a3ca.js"
_ZN14FlightFileView35process_compress_download_data_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN14FlightFileView35process_com_-3fa974ca.js"
_ZN15qVisionFilePage12downloadFileERK7QStringS2_b: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15qVisionFilePage12downloadFi_50886bd0.js"
_ZN14FlightFileView31process_stop_download_data_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN14FlightFileView31process_sto_387b1ac7.js"
_ZN15FlightFileView220download_vision_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15FlightFileView220download_v_4b0b3ba6.js"
_ZN15FlightFileView226process_download_data_fileERK11QJsonObject: Auto-generated handler at "/Users/kfinisterre/Desktop/frida/__handlers__/libDJI1860Service.dylib/_ZN15FlightFileView226process_do_-6af43eb5.js"
Started tracing 14 functions. Press Ctrl+C to stop.
```
[2017-07-20 19:06:33] hostile : Damn... this one is gold right here...
[2017-07-20 19:06:34] hostile : $ frida-trace -i "*dji*" -i "*DJI*" Assistant
[2017-07-20 19:06:45] hostile : @the_lord you should be in here...
[2017-07-20 19:06:47] the_lord : @the_lord has joined the channel
[2017-07-20 19:07:30] hostile : fucking beautiful output...
[2017-07-20 19:10:07] hostile : set the channel topic: <https://www.frida.re/docs/installation/>
[2017-07-20 19:31:14] hotelzululima : hmm installed.. it works ok under sierra+??
[2017-07-20 19:31:50] hotelzululima : or does it need a csrutil disable in single user?
[2017-07-20 19:32:32] hotelzululima : really cool find though
[2017-07-20 19:32:50] hotelzululima : seems should work ok
[2017-07-20 19:33:04] hotelzululima : as you're obviously doing the above in osx
[2017-07-20 19:33:32] hotelzululima : thought osx disabled certain debug features in production kernels
[2017-07-20 19:33:37] hotelzululima : is why I ask
[2017-07-20 19:34:07] hotelzululima : definitely a worthy tool
[2017-07-20 19:34:12] hotelzululima : playing with it
[2017-07-20 19:34:28] hotelzululima : afk have to get back to car work
[2017-07-20 19:47:11] fredz : @fredz has joined the channel
[2017-07-20 19:47:15] hostile : this is not traditional debugging... it injects a JavaScript library
[2017-07-20 19:47:30] hotelzululima : k
[2017-07-20 20:35:45] hostile : $ frida-trace -i "*NFZ*" -i "*nfz*" Assistant
[2017-07-20 20:41:20] solution : @solution has joined the channel
[2017-07-20 20:45:37] aciid :
```
ilarilind at Acer 2400 in /Applications/Assistant.app/AppFiles/app.asar_extract
$ grep -r "nfz" build/*.js | wc -l
25
```
[2017-07-20 22:10:28] uavop : @uavop has joined the channel
[2017-07-21 05:28:53] asoka : @asoka has joined the channel
[2017-07-21 07:08:27] jan2642 : @jan2642 has joined the channel
[2017-07-21 12:19:41] kilrah : @kilrah has joined the channel
[2017-07-21 16:06:32] andreasnofear : @andreasnofear has joined the channel
[2017-07-21 17:23:35] plankton : @plankton has joined the channel
[2017-07-22 20:47:33] jayemdee : @jayemdee has joined the channel
[2017-07-22 20:50:03] jayemdee : Im very familiar with how electron works and have written several apps in the framework myself if anyone has any questions feel free
[2017-07-22 21:07:25] hostile : frida tinkering and Electron tinkering are very similar for sure
[2017-07-22 21:07:34] hostile : feel free to share anything you know about the app here
[2017-07-22 21:07:39] hostile : even if slightly parallel topic
[2017-07-22 21:15:34] jayemdee : yuh i saw some questions earlier up about how electron handles the app.asar or something...
[2017-07-22 21:16:08] jayemdee : frida looks cool havent seen it before nice find :slightly_smiling_face:
[2017-07-23 07:47:10] rulppa : @rulppa has joined the channel
[2017-07-24 08:29:28] f3l1x : @f3l1x has joined the channel
[2017-07-24 12:54:17] vimagreg : @vimagreg has joined the channel
[2017-07-25 01:55:59] d51 : @d51 has joined the channel
[2017-07-25 19:51:57] hostile : THIS is real nice! <https://twitter.com/x0rz/status/889851234181623808>
[2017-07-25 20:00:58] andyca57 : @andyca57 has joined the channel
[2017-07-25 20:06:42] nocommie : @nocommie has joined the channel
[2017-07-30 13:20:34] hostile : <https://codeshare.frida.re/browse>
[2017-10-19 04:27:07] hostile : anyone in @channel needs to migrate to ~ios_ipa_reversing
[2017-10-30 23:12:54] haloweenhamster : Do you have to have python working to use frida?
[2017-10-30 23:13:15] czokie : Frida is a python app
[2017-10-30 23:13:32] czokie : what platform are you building on? Win / Linux / osx?
[2017-10-30 23:14:20] haloweenhamster : Win but had problems with python so ditched it
[2017-10-30 23:15:54] czokie : I am not familiar with python on windows… but yes, it is needed.
[2017-10-30 23:17:21] haloweenhamster : I'll have to acquire another hard drive and load Linux my laptop
[2017-10-30 23:17:40] czokie : or use vmware or equivalent :slightly_smiling_face:
[2017-10-30 23:18:22] haloweenhamster : Hard drives full got belly space to run Windows let alone run VMware
[2017-10-30 23:18:51] haloweenhamster : I love voice to text always gets everything so right
[2017-10-31 00:04:53] hostile : @haloweenhamster you can use VirtualBox also
[2017-10-31 00:05:25] czokie : ya - I did say “or equivalent”
[2017-10-31 00:05:26] czokie : :slightly_smiling_face:
[2017-10-31 00:19:41] haloweenhamster : thanks I'll have a look through my pile of hdd's when I finish work. What os would you recommend? Kali? I have osx10 snowleopard on a hdd somewhere, might wipe that as it requires USB KB & mouse on my laptop
[2017-10-31 01:07:57] czokie : What are you building for? Android or IOS?
[2017-10-31 01:28:27] haloweenhamster : Android not a fan of apple
[2017-10-31 02:23:42] hostile : it would be interesting for sure to see OSX, or Android FRIDA usage to say the least
[2018-07-22 15:38:32] aciid : Any pointers on how to handle non-labeled methods with Frida? The ones I can find in IDA / Hopper graphs and ASM pretty well and be like "this shit has to be traced", but of course the function looks like .TEXT loc_00032fhf
[2018-07-22 16:53:52] digdat0 : man i need to try and get frida setup again
[2018-07-22 17:03:27] aciid : Ive been playing with it for the weekend, its very agile
[2018-07-22 17:03:58] aciid : I've been looking into unlocking controls on the Parrot Anafi drone; they cast EmptyUIButtons instead of UIButtons so it's not just a "userinteractable=yes" change
[2018-07-22 17:04:12] aciid : they know about the availability of FLEX and other tools for iOS that allow memory editing for values like that
[2018-09-12 01:50:50] aciid : @rickysuper
[2018-09-12 01:50:53] rickysuper : @rickysuper has joined the channel
[2018-09-12 01:51:29] aciid : ah sorry, this is an old irrelevant channel, I meant ~ios_ipa_reversing
[2018-09-12 01:55:23] rickysuper : :thumbsup_all:
[2019-11-22 19:26:51] massimo.ardizzone : any hope to have dji fly with frida?
[2019-11-22 19:27:41] massimo.ardizzone : is very similar to dji go 4
[2019-11-23 11:41:50] massimo.ardizzone : is there a simple way (script or similar) to add fridalib without xcode?
[2019-11-24 14:33:38] massimo.ardizzone : Hi, can anyone help me with frida? I have followed the steps in this guide: <https://dji.retroroms.info/howto/iosfrida> At step 5 (Application Deploying) all is ok and the application is installed on the phone and signed. But when I start the app on the iPhone, I don't see any Tweak.js popup. Can you help me?
[2019-12-02 22:44:45] avunduk : I tried to Search for frida 4.3.29 here in files section but couldn't find it, how can this Guy sell it? <http://www.hackgoapp.com/downloads/>
[2020-05-03 20:27:59] hazardc : !frida
[2020-05-03 20:28:32] hazardc : lol, Anyone got a link to the go4 ios app? link is broken
[2020-05-03 20:29:13] hazardc : <http://polybotes.feralhosting.com/dji/Go4_Frida/> no work
[2021-10-29 19:19:07] critterrzz : @critterrzz left the channel.
[2021-10-30 12:19:34] jj : madmaqx joined the channel.
[2021-10-31 00:21:49] will : will joined the channel.
[2021-11-05 15:24:52] dave0x6d : dave0x6d joined the channel.
[2021-11-09 07:40:31] cannon : cannonf0815 joined the channel.
[2021-11-12 10:40:24] cs2000 : cs2000 joined the channel.
[2021-11-12 10:40:37] cs2000 : dji-rev-bot added to the channel by cs2000.
[2021-11-12 10:40:39] cs2000 : @cs2000 left the channel.
[2021-11-12 22:50:40] yoawedojboompeaill : yoawedojboompeaill joined the channel.
[2021-11-17 15:26:37] newlc : newlc joined the channel.
[2021-12-02 22:04:49] markus83 : markus83 joined the channel.
[2021-12-29 19:05:30] mavic2reverser : mavic2reverser joined the channel.
[2022-01-14 13:14:07] leo : pilipala008 joined the channel.
[2022-01-18 00:49:08] il1oo0 : il1oo0 joined the channel.
[2022-02-27 19:25:46] dimitrios : dimitrios joined the channel.
[2022-03-21 09:27:33] ggonzalez : ggonzalez joined the channel.
[2022-03-24 14:50:51] hostile : hostile joined the channel.
[2022-03-24 14:51:01] hostile : anyone here successfully using Frida with an Apple M1 mac?
[2022-03-24 16:14:26] mavic2reverser : @hostile yup!
[2022-03-24 16:18:31] hostile : any tips?
[2022-03-24 16:18:37] hostile : hurdles? gotchas?
[2022-03-24 16:18:42] hostile : easy todo laying around somewhere?
[2022-03-24 16:46:32] hostile : can you spoof a connected drone?
[2022-03-24 20:16:21] mavic2reverser : @hostile it was pretty plug and play for my use cases. Just downloaded the server from github, pip install frida frida-tools, and off to the races!
[2022-03-24 20:17:26] mavic2reverser : I haven’t attempted to spoof a connected drone though. HOWEVER I will say reversing and instrumenting assistant on mac is much easier than windows since there aren’t any anti RE mechanisms in place
[2022-03-24 20:18:04] mavic2reverser : Can’t speak to reversing dji fly but I imagine it’s the same
[2022-03-24 20:19:35] hostile : so you don't have to resign the app? I saw some conflicting reports on that
[2022-03-24 20:20:22] hostile : yeah I've spent quite a bit of time on Assistant. All that original assistant work came from me. =] I'm rusty AF now tho. The Aeroscope Assistant was something I need to eyeball at some point
[2022-03-25 23:35:16] joonas : joonas joined the channel.
[2022-03-26 00:49:53] hostile : this looks nice. https://github.com/sensepost/objection
[2022-03-26 01:55:48] hostile : @mavic2reverser you having to do all this bullshit? https://twitter.com/janseredynski/status/1334887496832978954?s=20&t=3Om6GlBOOF4ifd8fgRnZmQ
[2022-03-26 02:02:32] mavic2reverser : Not a fan of objection, I prefer driving frida myself like a Swiss Army knife
[2022-03-26 02:03:36] mavic2reverser : Nope! I did need to do some weird shit to get horndis kernel extension working for my m1 to talk to dji drones but that’s separate
[2022-03-26 02:03:50] mavic2reverser : Had to compile it from scratch
[2022-03-26 02:04:07] mavic2reverser : I’m also not RE’ing IPA’s, just mac os binaries
[2022-03-26 02:04:07] hostile : you didn't have to resign the iOS app? or disable SIP?
[2022-03-26 02:05:21] mavic2reverser : Can’t speak on the ios app part as I haven’t explored that. I do have an old iPhone 8 I could play around with… as far as SIP, I’m trying to recall
[2022-03-26 02:06:30] mavic2reverser : I think I actually may have disabled SIP in the process of installing my own compiled kernel extension for an open source rndis driver, which would have just made frida “work” for me and not have run into process injection issues
[2022-03-26 02:06:38] hostile : ahh i thought above you said you had an M1 mac also... and were able to just attach out the box.
[2022-03-26 02:06:57] hostile : on the m1 you can run iOS apps natively
[2022-03-26 02:07:24] hostile : this is a native and an iOS app sitting side by side.
[2022-03-26 02:07:55] hostile :
```
Kevins-MacBook-Air:WrappedBundle kfinisterre$ cd /Applications/DJI\ Fly.app/WrappedBundle
Kevins-MacBook-Air:WrappedBundle kfinisterre$ file DJI\ Fly
DJI Fly: Mach-O 64-bit executable arm64
```
[2022-03-26 02:09:02] hostile : I guess I didn't specify using it with the DJI app. lol I only said "used frida on an m1" =]
[2022-03-26 02:09:47] mavic2reverser : Ah! I’m following you now! Yeah, definitely haven’t played around running iOS apps on my m1 yet
[2022-03-26 02:09:57] mavic2reverser : Let me know what kind of luck you have with it!
[2022-03-26 02:18:54] hostile : Time to look around a bit! It's been so long
[2022-03-26 02:24:22] hostile : lol findUAV stores a little clip on your phone.
[2022-03-26 02:24:24] hostile :
```
./findUAV
./findUAV/fd.uav.2022.03.26.02.15.49.873.mp4
./findUAV/fd.uav.2022.03.26.02.15.59.874.mp4
```
[2022-03-26 02:27:42] hostile : <string>App_FactoryMode</string> in ./DJIAppConfigOfUserConfig.txt wonder what that does.
[2022-03-26 02:30:34] hostile : lol all kinda goofy shit in here
[2022-03-26 02:30:45] hostile : {..."sdr_lost_block_motor_before_takeoff_country_code":["CN"], "sdr_lost_block_motor_land_over_3min_country_code":["CN"] }
[2022-03-26 03:13:48] hostile : HoRNDIS is not happy on the m1 for sure. This may help someone later.
[2022-03-26 03:13:49] hostile : https://github.com/jwise/HoRNDIS/issues/135
[2022-03-26 03:38:24] mavic2reverser : Yeah it was a huge pain getting horndis working on my m1
[2022-03-26 03:39:15] mavic2reverser : I had to compile it myself (no problems) but getting my m1 to accept it unsigned was annoying as hell. I had to bypass so many security mechanisms and I cringed every time I had to disable something
[2022-03-26 06:22:35] hostile : and you can't disable most of them if you wanna use the iOS compatibility mode. All security must be on.
[2022-03-26 07:43:38] joonas : by the way, i ripped out all the java and system_server stuff from the android build of frida-server to make it behave better on the dji fpv gear. YMMV, haven't tested everything thoroughly yet. some of you may find it useful for other purposes: https://github.com/fpv-wtf/frida-core/releases/tag/15.1.17-2
[2022-03-26 14:56:21] mavic2reverser : Dude that’s awesome, thanks!
[2022-03-30 11:16:34] windoze : windoze joined the channel.
[2022-04-01 10:59:48] kon : kon joined the channel.
[2022-04-05 18:10:38] hostile : someone mentioned this may be able to do the code signing needed for m1 mac apps to work. I've not tested tho.
[2022-04-05 18:10:38] hostile : https://github.com/kabiroberai/theos-jailed
[2022-04-05 18:11:16] hostile : I've heard you can double click .ipa to reinstall on m1
[2022-04-06 17:41:28] uskve : uskve joined the channel.
[2022-04-06 23:44:48] joonas : anyone know of anything like frida-gadget but for other .so-s rather than .js? the goal being to globally preload something that would then load additional .so-s based on the current process name and some config file / dir structure somewhere? my google-fu is failing me. thought i'd ask here real quick before i roll my own.
[2022-04-08 12:06:12] uskve : Has anyone had any success with the dji mimo app?
[2022-04-21 20:55:23] hostile : anyone have the DJi Fly ipa file decrypted so I can use it in Corellium? https://www.corellium.com/guides/testing-third-party-ios-apps
[2022-04-21 20:55:39] hostile : https://dji-rev.com/dji-rev/pl/3tozkio6sffjzqbdzkbwf6k15h
[2022-04-21 21:15:27] hostile : FWIW looks like you can use iMazing to get the .ipa
[2022-04-21 21:21:37] hostile : may have to remove fairplay I assume? we shall see
[2022-04-21 21:52:01] hostile : yup.
[2022-04-21 23:04:05] czokie : czokie joined the channel.
[2022-04-22 13:34:30] mavic2reverser : @hostile you might be able to use this tool to download the ipa from the App Store before encryption occurs
[2022-04-22 13:34:33] mavic2reverser : https://github.com/majd/ipatool
[2022-04-22 13:35:31] mavic2reverser : Alternatively, my favorite route is to install it on an iphone that’s jailbroken and use fridump
[2022-04-22 13:35:35] mavic2reverser : https://github.com/Nightbringer21/fridump
[2022-04-22 13:36:23] mavic2reverser : Then you should be able to install the decrypted dji fly
[2022-04-22 13:37:06] mavic2reverser : With:
[2022-04-22 13:37:10] mavic2reverser : https://github.com/libimobiledevice/ideviceinstaller
[2022-04-22 13:37:31] mavic2reverser : That’s my usual route at least to using frida on iphones :)
[2022-04-22 13:39:22] hostile : Yeah I was trying to avoid getting a jailbroken iPhone. But I may have to.
[2022-04-22 13:39:27] hostile : Lemme try that first technique.
[2022-04-22 13:47:46] mavic2reverser : I haven’t used that tool before but I saved it in case I was ever in a situation without an iPhone. Let me know!
[2022-04-22 13:55:17] hostile : tool seems to work fine.
[2022-04-22 13:55:34] hostile : still need to work around the encryption issue.
[2022-04-22 13:55:35] hostile : https://github.com/majd/ipatool/issues/10#issuecomment-853763680
[2022-04-22 13:58:18] hostile :
```
$ ls -alh com.dji.golite_1479649251_v1.5.10_555.ipa
-rw-------  1 kfinisterre  staff   458M Apr 22 09:54 com.dji.golite_1479649251_v1.5.10_555.ipa
```
[2022-04-22 14:15:22] hostile : https://github.com/meme/apple-tools/tree/master/foulplay
[2022-04-22 14:15:28] hostile : hopefully this works.
[2022-04-22 14:15:39] hostile :
```
foulplay
Decrypt FairPlay encrypted binaries on macOS when SIP-enabled.
By mapping an executable as r-x and then using mremap_encrypted on the encrypted page(s) and then writing them back out to disk, you can fully decrypt FairPlay binaries.
```
[2022-04-22 14:23:49] hostile : https://twitter.com/freemanrepo/status/1374385577743708164
[2022-04-22 14:34:03] hostile : I can't get foulplay to work, so gonna try this one now. https://github.com/paradiseduo/appdecrypt
[2022-04-22 19:41:42] sambuko : alximiktik joined the channel.
[2022-05-11 20:21:58] hostile : weeks later I finally got an iPhone 8 with 14.6 installed on it. So I used checkra1n on it to install cydia, and ssh, and now Clutch-2.0.4. I'm moving the DJI Fly app over now.
[2022-05-11 20:23:15] hostile :
```
Kevin-Finisterres-iPhone:~ root# /Clutch-2.0.4 -i
Installed apps:
1:   DJI Fly <com.dji.golite>
```
[2022-05-11 20:25:17] hostile : And for Clutch
[2022-05-11 20:25:20] hostile :
```
# /Clutch-2.0.4 -d 1
Zipping DJI Fly.app
Child exited with status 9
Child exited with status 9
Error: Failed to dump <DJIAnalyticsKit> with arch arm64
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9696] failed operation :(
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9696] application <NSOperationQueue: 0x152a0b1c0>{name = 'NSOperationQueue 0x152a0b1c0'}
Error: Failed to dump <DJIStatisticsKit> with arch arm64
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9700] failed operation :(
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9700] application <NSOperationQueue: 0x152a0ccb0>{name = 'NSOperationQueue 0x152a0ccb0'}
Error: Failed to dump <DJIAnalyticsKit>
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9696] failed operation :(
Error: Failed to dump <DJIStatisticsKit>
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9696] application <NSOperationQueue: 0x152a0b1c0>{name = 'NSOperationQueue 0x152a0b1c0'}
2022-05-11 16:23:57.811 Clutch-2.0.4[1644:9700] failed operation :(
2022-05-11 16:23:57.812 Clutch-2.0.4[1644:9700] application <NSOperationQueue: 0x152a0ccb0>{name = 'NSOperationQueue 0x152a0ccb0'}
Child exited with status 9
Error: Failed to dump <mrtc_core> with arch arm64
2022-05-11 16:23:57.813 Clutch-2.0.4[1644:9698] failed operation :(
2022-05-11 16:23:57.813 Clutch-2.0.4[1644:9698] application <NSOperationQueue: 0x152a0d500>{name = 'NSOperationQueue 0x152a0d500'}
Error: Failed to dump <mrtc_core>
2022-05-11 16:23:57.814 Clutch-2.0.4[1644:9698] failed operation :(
2022-05-11 16:23:57.814 Clutch-2.0.4[1644:9698] application <NSOperationQueue: 0x152a0d500>{name = 'NSOperationQueue 0x152a0d500'}
Child exited with status 9
Error: Failed to dump <ilink_live> with arch arm64
2022-05-11 16:23:57.818 Clutch-2.0.4[1644:9699] failed operation :(
2022-05-11 16:23:57.818 Clutch-2.0.4[1644:9699] application <NSOperationQueue: 0x152a0bf30>{name = 'NSOperationQueue 0x152a0bf30'}
Error: Failed to dump <ilink_live>
2022-05-11 16:23:57.818 Clutch-2.0.4[1644:9699] failed operation :(
2022-05-11 16:23:57.818 Clutch-2.0.4[1644:9699] application <NSOperationQueue: 0x152a0bf30>{name = 'NSOperationQueue 0x152a0bf30'}
ASLR slide: 0x100a2c000
Dumping <DJI Fly> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
Zipping DJIAnalyticsKit.framework
Zipping mrtc_core.framework
Zipping DJIStatisticsKit.framework
Zipping ilink_live.framework
FAILED: <DJI Fly bundleID: com.dji.golite>
Finished dumping com.dji.golite in 49.6 seconds
```
[2022-05-11 20:29:23] hostile : I'll try frida-ios-dump in a bit
[2022-05-11 20:52:53] hostile : Installing frida on it first of course. https://frida.re/docs/ios/#with-jailbreak
[2022-05-11 21:00:51] hostile : Bagbak seemed happier dumping. https://github.com/ChiChou/bagbak
[2022-05-11 21:01:26] hostile :
```
$ bagbak "DJI Fly"
app root: /var/containers/Bundle/Application/6AE70D3E-0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app
dump main app
download ...ners/Bundle/Application/6AE70D3E-0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/DJI Fly ████████████████████████████████████████ | 100% | 113.81Mib/113.81Mib
fetching decrypted data ████████████████████████████████████████ | 100% | 91.36Mib/91.36Mib
download ...36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/Frameworks/ilink_live.framework/ilink_live ████████████████████████████████████████ | 100% | 8.66Mib/8.66Mib
fetching decrypted data ████████████████████████████████████████ | 100% | 7.98Mib/7.98Mib
download ...0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/Frameworks/mrtc_core.framework/mrtc_core
fetching decrypted data ████████████████████████████████████████ | 100% | 1.42Mib/1.42Mib
download ...CB-CADA00AE1172/DJI Fly.app/Frameworks/DJIAnalyticsKit.framework/DJIAnalyticsKit
fetching decrypted data ████████████████████████████████████████ | 100% | 2.63Mib/2.63Mib
download ...-CADA00AE1172/DJI Fly.app/Frameworks/DJIStatisticsKit.framework/DJIStatisticsKit
fetching decrypted data ████████████████████████████████████████ | 100% | 0.03Mib/0.03Mib
download ...tion/6AE70D3E-0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/de.lproj/InfoPlist.strings
download ...on/6AE70D3E-0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/de.lproj/Localizable.strings
...
download ...ers/Bundle/Application/6AE70D3E-0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/ru_w.txt
download ...ers/Bundle/Application/6AE70D3E-0A36-4E1E-8ACB-CADA00AE1172/DJI Fly.app/cy_w.txt
patch PluginKit validation
dump extensions
Congrats!
open dump/DJI Fly/Payload
```
[2022-05-11 21:02:31] hostile :
```
$ otool -l dump/DJI\ Fly/Payload/DJI\ Fly.app/DJI\ Fly | grep crypt
     cryptoff 16384
    cryptsize 95797248
      cryptid 0
```
[2022-05-11 21:15:46] hostile : Time to resign it now!
[2022-05-11 22:10:10] oldpilot : oldpilot joined the channel.
[2022-05-12 15:19:52] oldpilot : As I understand it so far, the applications that iOS devices were using to control the DJI Mavic Pro and other old drones are now not allowed to run on iOS because Apple removed them, right?
[2022-05-12 15:21:03] oldpilot : btw, I have never used an iPhone, I'm just thinking of switching to it from Android
[2022-05-12 16:12:23] oldpilot : One more question is whether the device needed to be jailbroken or not
[2022-05-12 17:25:04] hostile : think you have a few things mixed up. https://apps.apple.com/us/app/dji-go/id943780750
[2022-05-12 17:25:56] hostile : https://play.google.com/store/apps/developer?id=DJI+TECHNOLOGY+CO.,+LTD&hl=en_US&gl=US
[2022-05-12 17:26:17] hostile : DJI Fly is not in the google play store
[2022-05-12 17:26:34] hostile : https://forum.dji.com/forum.php?mod=viewthread&tid=256590
[2022-05-12 17:26:40] hostile : cuz of SecNeo
[2022-05-12 19:04:15] oldpilot : ok, I see. I have to learn some things
[2022-05-12 19:07:16] oldpilot : Just a question... when it was working, was the patched iOS app like the Android one, or did it have fewer features/patches? Asking because I am curious :grin:
[2022-05-12 19:08:50] hostile : feature sets for iOS (prettywoman) and Android (deejayeye-modder) differed.
[2022-05-12 19:09:16] hostile : https://wiki.dji-rev.com/howto/fridahooklibrary?s[]=prettywoman#prettywoman
[2022-05-12 19:09:24] hostile : https://github.com/Bin4ry/deejayeye-modder
[2022-05-12 19:09:59] hostile : https://wiki.dji-rev.com/howto/deejayeye-modder
[2022-05-15 13:24:17] asdasdvoid : asdasdvoid joined the channel.
[2022-05-18 21:20:39] jjbyrnes29 : jjbyrnes29 joined the channel.
[2022-05-18 21:24:19] droneuser : droneuser joined the channel.
[2022-05-22 09:39:39] jack117wb : jack117wb joined the channel.
[2022-05-26 14:22:11] item1979 : item1979 joined the channel.
[2022-07-19 00:06:46] hito_no_yume : yutasyutas joined the channel.
[2022-09-19 08:54:38] urca87 : urca87 joined the channel.
[2022-09-26 01:20:49] jackmax : jackmax joined the channel.
[2022-11-10 06:27:13] areoc : areoc joined the channel.
[2022-11-12 06:21:57] pingspike : pingspike joined the channel.
[2022-11-16 15:27:19] sharptak : sharptak joined the channel.
[2022-12-14 17:24:13] crashing_bird : crashing_bird joined the channel.
[2023-02-14 18:26:23] fedosgad : fedosgad joined the channel.
[2023-02-24 05:26:27] ibndias : ibndias joined the channel.
[2023-03-23 16:41:37] dronez4u : dronez4u joined the channel.
[2023-03-23 16:48:59] sappy : sappy joined the channel.
[2023-04-11 15:44:06] blowfish448 : blowfish448 joined the channel.
[2023-04-25 10:26:51] kits : kits joined the channel.
[2023-04-30 14:05:23] argonaut : argonaut joined the channel.
[2023-05-07 15:37:30] bin_ly : c_schiwy joined the channel.
[2023-05-31 22:19:28] nicksapienza : nicksapienza joined the channel.
[2023-05-31 22:23:54] nicksapienza : @nicksapienza left the channel.
[2023-06-11 01:14:09] milenovic : milenovic joined the channel.
[2023-06-19 23:29:21] martymcfly : martymcfly joined the channel.
[2023-07-03 19:27:49] harryemery92 : harryemery92 joined the channel.
[2023-07-03 21:26:54] harryemery92 : @harryemery92 left the channel.
[2023-07-24 02:44:04] dji-rev.concierge132 : dji-rev.concierge132 joined the channel.
[2023-08-07 18:41:17] polarfly : polarfly joined the channel.
[2023-08-28 16:23:35] aprentis : aprentis joined the channel.
[2023-09-13 10:14:36] molda : molda joined the channel.
[2023-10-15 20:50:42] dumldore_newbi : dumldore_newbi joined the channel.
[2023-10-22 06:32:26] eseven : eseven joined the channel.
[2023-10-22 14:41:23] w3c : w3c joined the channel.
[2023-10-23 09:15:24] jdan7387 : jdan7387 joined the channel.
[2023-10-29 10:57:49] alex7593 : alex7593 joined the channel.
[2023-11-02 07:02:43] enigma2 : enigma2 joined the channel.
[2023-12-02 15:53:34] sinsinology : sinsinology joined the channel.
[2023-12-27 07:07:33] harryemery92 : harryemery92 joined the channel.
[2024-01-16 14:36:39] zjm605186980 : zjm605186980 joined the channel.
[2024-01-17 09:47:49] photogrant : photogrant joined the channel.
[2024-01-18 15:43:39] basilius : basilius joined the channel.
[2024-02-01 14:49:50] harryemery92 : @harryemery92 left the channel.
[2024-02-06 14:06:05] xpk : xpk joined the channel.
[2024-02-06 19:58:52] ryantkasher : ryantkasher joined the channel.
[2024-02-06 20:16:25] ryantkasher : @ryantkasher left the channel.
[2024-02-10 03:22:47] accountfrompl : accountfrompl joined the channel.
[2024-02-12 20:45:20] lining-preps.0u : lining-preps.0u joined the channel.
[2024-02-22 17:25:08] knorz : knorz joined the channel.
[2024-04-06 04:10:18] invender : invender joined the channel.
[2024-05-07 12:46:03] sarange : sarange joined the channel.
[2024-05-10 08:20:35] dreamtree : dreamtree joined the channel.
[2024-05-14 14:11:57] symza : symza joined the channel.
[2024-05-28 09:06:57] djihacker : djihacker joined the channel.
[2024-07-01 17:29:33] mrsmith : mrsmith joined the channel.
[2024-07-25 13:33:58] fuckroyal : fuckroyal joined the channel.
[2024-07-26 15:53:04] ogini_ayotanom : ogini_ayotanom joined the channel.
[2024-08-16 13:55:18] yoyo : yoyo joined the channel.
[2024-08-16 13:59:15] yoyo : @yoyo left the channel.
[2024-08-21 20:18:42] alt.nq-5711k93 : alt.nq-5711k93 joined the channel.
[2024-08-22 18:35:33] clait : clait joined the channel.
[2024-08-22 21:35:47] clait : @clait left the channel.
[2024-10-21 01:53:48] supermario7331 : supermario7331 joined the channel.
[2024-11-26 16:58:56] ox3d : ox3d joined the channel.
[2024-12-13 01:30:50] david2212 : david2212 joined the channel.
[2025-01-06 18:41:37] trunk2 : trunk2 joined the channel.