Debugging third party iOS apps with lldb

Requirements

• macOS
• Xcode
• usbmuxd
• Jailbroken iDevice connected via USB (e.g.: checkra1n)

Installation

Extracting debugserver (via hdiutil)

cd /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/<iOS version>
hdiutil attach DeveloperDiskImage.dmg
cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ~/Desktop

Signing debugserver (via codesign)

touch entitlements.plist # fill the file using content bellow
codesign -s - --entitlements entitlements.plist -f debugserver

entitlements.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.springboard.debugapplications</key> <true/>
  <key>run-unsigned-code</key> <true/>
  <key>get-task-allow</key> <true/>
  <key>task_for_pid-allow</key> <true/>
</dict>
</plist>

Connecting to iDevice (via iproxy)

iproxy 6666 6666 & iproxy 2222 44 & sleep 3 && ssh -p 2222 root@localhost

Copying debugserver to iDevice (via scp)

scp -P 2222 debugserver root@localhost:/usr/bin/

Running debugserver on iDevice

debugserver localhost:6666 -a "<app's CFBundleDisplayName>"

App’s CFBundleDisplayName can be obtained in many ways, e.g.:

• Info.plist
• ideviceinstaller
• frida-ps

Running lldb on macOS

lldb
process connect connect://localhost:6666

Here we go

Now debug process is ready to go and possibly you would like to figure out more about each lldb command — to do so just jump to official lldb command map or their tutorial. Anyway I will share couple of lldb commands I think are most helpful and frequently used:

Common

Breakpoints

Remote сontrol

Variables

Thread state