@snakeninny wrote:

Table of Contents (free)

The whole book (open source and free)

iOS App Reverse Engineering is the world's 1st book of very detailed iOS App reverse engineering skills, targeting 4 kinds of readers:
1. iOS enthusiasts;
2. Senior iOS developers, who have good command of App development and have the desire to understand iOS better;
3. Architects. During the process of reverse engineering, they can learn architectures of those excellent Apps so that they can improve their ability of architecture design;
4. Reverse engineers in other systems who’re also interested in iOS.
The book consists of 4 parts, i.e. concepts, tools, theories and practices. The book follows an "abstraction, concrete, abstraction, concrete" structure, starting from basic concepts like iOS filesystem hierarchy and iOS file types that Apple didn't expose to App developers but iOS (jailbreak) researchers should know, then goes through the most commonly used tools like class-dump, Theos, Cycript, Reveal, IDA and LLDB to introduce what to do in iOS reverse engineering. After that, iOS reverse engineering theories based on Objective-C and ARM assembly are explained in a methodological way, pointing out the core of this book. Last but not least, 4 originally elaborated practices are there to cover all previous contents of the book and give you the most intuitive perception of iOS reverse engineering. Happy hacking!

For more info, please follow @iOSAppRE. Thank you!

Posts: 1

Participants: 1

Read full topic

@snakeninny wrote:

Create a Theos project "iOSRECallRecorder"

snakeninnys-iMac:Code snakeninny$ /opt/theos/bin/nic.pl
NIC 2.0 - New Instance Creator
------------------------------
  [1.] iphone/application
  [2.] iphone/cydget
  [3.] iphone/framework
  [4.] iphone/library
  [5.] iphone/notification_center_widget
  [6.] iphone/preference_bundle
  [7.] iphone/sbsettingstoggle
  [8.] iphone/tool
  [9.] iphone/tweak
  [10.] iphone/xpc_service
Choose a Template (required): 9
Project Name (required): iOSRECallRecorder
Package Name [com.yourcompany.iosrecallrecorder]: com.naken.iosrecallrecorder
Author/Maintainer Name [snakeninny]: snakeninny
[iphone/tweak] MobileSubstrate Bundle filter [com.apple.springboard]: com.apple.mediaserverd
[iphone/tweak] List of applications to terminate upon installation (space-separated, '-' for none) [SpringBoard]: mediaserverd
Instantiating iphone/tweak in iosrecallrecorder/...
Done.

Edit Tweak.xm

#import <AudioToolbox/AudioToolbox.h>
#import <libkern/OSAtomic.h>
#include <substrate.h>

//CoreTelephony.framework
extern "C" CFStringRef const kCTCallStatusChangeNotification;
extern "C" CFStringRef const kCTCallStatus;
extern "C" id CTTelephonyCenterGetDefault();
extern "C" void CTTelephonyCenterAddObserver(id ct, void* observer, CFNotificationCallback callBack, CFStringRef name, void *object, CFNotificationSuspensionBehavior sb);
extern "C" int CTGetCurrentCallCount();
enum
{
	kCTCallStatusActive = 1,
	kCTCallStatusHeld = 2,
	kCTCallStatusOutgoing = 3,
	kCTCallStatusIncoming = 4,
	kCTCallStatusHanged = 5
};

NSString* kMicFilePath = @"/var/mobile/Media/DCIM/mic.caf";
NSString* kSpeakerFilePath = @"/var/mobile/Media/DCIM/speaker.caf";
NSString* kResultFilePath = @"/var/mobile/Media/DCIM/result.m4a";

OSSpinLock phoneCallIsActiveLock = 0;
OSSpinLock speakerLock = 0;
OSSpinLock micLock = 0;

ExtAudioFileRef micFile = NULL;
ExtAudioFileRef speakerFile = NULL;

BOOL phoneCallIsActive = NO;

void Convert()
{
	//File URLs
	CFURLRef micUrl = CFURLCreateWithFileSystemPath(NULL, (CFStringRef)kMicFilePath, kCFURLPOSIXPathStyle, false);
	CFURLRef speakerUrl = CFURLCreateWithFileSystemPath(NULL, (CFStringRef)kSpeakerFilePath, kCFURLPOSIXPathStyle, false);
	CFURLRef mixUrl = CFURLCreateWithFileSystemPath(NULL, (CFStringRef)kResultFilePath, kCFURLPOSIXPathStyle, false);

	ExtAudioFileRef micFile = NULL;
	ExtAudioFileRef speakerFile = NULL;
	ExtAudioFileRef mixFile = NULL;

	//Opening input files (speaker and mic)
	ExtAudioFileOpenURL(micUrl, &micFile);
	ExtAudioFileOpenURL(speakerUrl, &speakerFile);

	//Reading input file audio format (mono LPCM)
	AudioStreamBasicDescription inputFormat, outputFormat;
	UInt32 descSize = sizeof(inputFormat);
	ExtAudioFileGetProperty(micFile, kExtAudioFileProperty_FileDataFormat, &descSize, &inputFormat);
	int sampleSize = inputFormat.mBytesPerFrame;

	//Filling input stream format for output file (stereo LPCM)
	FillOutASBDForLPCM(inputFormat, inputFormat.mSampleRate, 2, inputFormat.mBitsPerChannel, inputFormat.mBitsPerChannel, true, false, false);

	//Filling output file audio format (AAC)
	memset(&outputFormat, 0, sizeof(outputFormat));
	outputFormat.mFormatID = kAudioFormatMPEG4AAC;
	outputFormat.mSampleRate = 8000;
	outputFormat.mFormatFlags = kMPEG4Object_AAC_Main;
	outputFormat.mChannelsPerFrame = 2;

	//Opening output file
	ExtAudioFileCreateWithURL(mixUrl, kAudioFileM4AType, &outputFormat, NULL, kAudioFileFlags_EraseFile, &mixFile);
	ExtAudioFileSetProperty(mixFile, kExtAudioFileProperty_ClientDataFormat, sizeof(inputFormat), &inputFormat);

	//Freeing URLs
	CFRelease(micUrl);
	CFRelease(speakerUrl);
	CFRelease(mixUrl);

	//Setting up audio buffers
	int bufferSizeInSamples = 64 * 1024;

	AudioBufferList micBuffer;
	micBuffer.mNumberBuffers = 1;
	micBuffer.mBuffers[0].mNumberChannels = 1;
	micBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
	micBuffer.mBuffers[0].mData = malloc(micBuffer.mBuffers[0].mDataByteSize);

	AudioBufferList speakerBuffer;
	speakerBuffer.mNumberBuffers = 1;
	speakerBuffer.mBuffers[0].mNumberChannels = 1;
	speakerBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
	speakerBuffer.mBuffers[0].mData = malloc(speakerBuffer.mBuffers[0].mDataByteSize);

	AudioBufferList mixBuffer;
	mixBuffer.mNumberBuffers = 1;
	mixBuffer.mBuffers[0].mNumberChannels = 2;
	mixBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples * 2;
	mixBuffer.mBuffers[0].mData = malloc(mixBuffer.mBuffers[0].mDataByteSize);

	//Converting
	while (true)
	{
		//Reading data from input files
		UInt32 framesToRead = bufferSizeInSamples;
		ExtAudioFileRead(micFile, &framesToRead, &micBuffer);
		ExtAudioFileRead(speakerFile, &framesToRead, &speakerBuffer);
		if (framesToRead == 0)
		{
			break;
		}

		//Building interleaved stereo buffer - left channel is mic, right - speaker
		for (int i = 0; i < framesToRead; i++)
		{
			memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2, (char*)micBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
			memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2 + sampleSize, (char*)speakerBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
		}

		//Writing to output file - LPCM will be converted to AAC
		ExtAudioFileWrite(mixFile, framesToRead, &mixBuffer);
	}

	//Closing files
	ExtAudioFileDispose(micFile);
	ExtAudioFileDispose(speakerFile);
	ExtAudioFileDispose(mixFile);

	//Freeing audio buffers
	free(micBuffer.mBuffers[0].mData);
	free(speakerBuffer.mBuffers[0].mData);
	free(mixBuffer.mBuffers[0].mData);
}

void Cleanup()
{
	[[NSFileManager defaultManager] removeItemAtPath:kMicFilePath error:NULL];
	[[NSFileManager defaultManager] removeItemAtPath:kSpeakerFilePath error:NULL];
}

void CoreTelephonyNotificationCallback(CFNotificationCenterRef center, void *observer, CFStringRef name, const void *object, CFDictionaryRef userInfo)
{
	NSDictionary* data = (NSDictionary*)userInfo;

	if ([(NSString*)name isEqualToString:(NSString*)kCTCallStatusChangeNotification])
	{
		int currentCallStatus = [data[(NSString*)kCTCallStatus] integerValue];

		if (currentCallStatus == kCTCallStatusOutgoing || currentCallStatus == kCTCallStatusActive)
		{
			OSSpinLockLock(&phoneCallIsActiveLock);
			phoneCallIsActive = YES;
			OSSpinLockUnlock(&phoneCallIsActiveLock);
		}
		else if (currentCallStatus == kCTCallStatusHanged)
		{
			if (CTGetCurrentCallCount() > 0)
			{
				return;
			}

			OSSpinLockLock(&phoneCallIsActiveLock);
			phoneCallIsActive = NO;
			OSSpinLockUnlock(&phoneCallIsActiveLock);

			//Closing mic file
			OSSpinLockLock(&micLock);
			if (micFile != NULL)
			{
				ExtAudioFileDispose(micFile);
			}
			micFile = NULL;
			OSSpinLockUnlock(&micLock);

			//Closing speaker file
			OSSpinLockLock(&speakerLock);
			if (speakerFile != NULL)
			{
				ExtAudioFileDispose(speakerFile);
			}
			speakerFile = NULL;
			OSSpinLockUnlock(&speakerLock);

			Convert();
			Cleanup();
		}
	}
}

OSStatus(*AudioUnitProcess_orig)(AudioUnit unit, AudioUnitRenderActionFlags *ioActionFlags, const AudioTimeStamp *inTimeStamp, UInt32 inNumberFrames, AudioBufferList *ioData);
OSStatus AudioUnitProcess_hook(AudioUnit unit, AudioUnitRenderActionFlags *ioActionFlags, const AudioTimeStamp *inTimeStamp, UInt32 inNumberFrames, AudioBufferList *ioData)
{
	OSSpinLockLock(&phoneCallIsActiveLock);
	if (phoneCallIsActive == NO)
	{
		OSSpinLockUnlock(&phoneCallIsActiveLock);
		return AudioUnitProcess_orig(unit, ioActionFlags, inTimeStamp, inNumberFrames, ioData);
	}
	OSSpinLockUnlock(&phoneCallIsActiveLock);

	ExtAudioFileRef* currentFile = NULL;
	OSSpinLock* currentLock = NULL;

	AudioComponentDescription unitDescription = {0};
	AudioComponentGetDescription(AudioComponentInstanceGetComponent(unit), &unitDescription);
	//'agcc', 'mbdp' - iPhone 4S, iPhone 5
	//'agc2', 'vrq2' - iPhone 5C, iPhone 5S
	if (unitDescription.componentSubType == 'agcc' || unitDescription.componentSubType == 'agc2')
	{
		currentFile = &micFile;
		currentLock = &micLock;
	}
	else if (unitDescription.componentSubType == 'mbdp' || unitDescription.componentSubType == 'vrq2')
	{
		currentFile = &speakerFile;
		currentLock = &speakerLock;
	}

	if (currentFile != NULL)
	{
		OSSpinLockLock(currentLock);

		//Opening file
		if (*currentFile == NULL)
		{
			//Obtaining input audio format
			AudioStreamBasicDescription desc;
			UInt32 descSize = sizeof(desc);
			AudioUnitGetProperty(unit, kAudioUnitProperty_StreamFormat, kAudioUnitScope_Input, 0, &desc, &descSize);

			//Opening audio file
			CFURLRef url = CFURLCreateWithFileSystemPath(NULL, (CFStringRef)((currentFile == &micFile) ? kMicFilePath : kSpeakerFilePath), kCFURLPOSIXPathStyle, false);
			ExtAudioFileRef audioFile = NULL;
			OSStatus result = ExtAudioFileCreateWithURL(url, kAudioFileCAFType, &desc, NULL, kAudioFileFlags_EraseFile, &audioFile);
			if (result != 0)
			{
				*currentFile = NULL;
			}
			else
			{
				*currentFile = audioFile;

				//Writing audio format
				ExtAudioFileSetProperty(*currentFile, kExtAudioFileProperty_ClientDataFormat, sizeof(desc), &desc);
			}
			CFRelease(url);
		}
		else
		{
			//Writing audio buffer
			ExtAudioFileWrite(*currentFile, inNumberFrames, ioData);
		}

		OSSpinLockUnlock(currentLock);
	}

	return AudioUnitProcess_orig(unit, ioActionFlags, inTimeStamp, inNumberFrames, ioData);
}

__attribute__((constructor))
static void initialize()
{
	CTTelephonyCenterAddObserver(CTTelephonyCenterGetDefault(), NULL, CoreTelephonyNotificationCallback, NULL, NULL, CFNotificationSuspensionBehaviorHold);
	MSHookFunction(AudioUnitProcess, AudioUnitProcess_hook, &AudioUnitProcess_orig);
}

Edit makefile

THEOS_DEVICE_IP = iOSIP
ARCHS = armv7 arm64
TARGET = iphone:latest:8.0

include theos/makefiles/common.mk

TWEAK_NAME = iOSRECallRecorder
iOSRECallRecorder_FILES = Tweak.xm
iOSRECallRecorder_FRAMEWORKS = CoreTelephony AudioToolbox

include $(THEOS_MAKE_PATH)/tweak.mk

after-install::
	install.exec "killall -9 mediaserverd"

Edit control

Package: com.naken.iosrecallrecorder
Name: iOSRECallRecorder
Depends: mobilesubstrate, firmware (>= 8.0)
Version: 1.0
Architecture: iphoneos-arm
Description: A phone call recorder sample
Maintainer: snakeninny
Author: snakeninny
Section: Tweaks
Homepage: http://bbs.iosre.com

Add postinst & postrm

• Run make package to compile and package the project. After that, we have an _ folder, as shown below:
  
• Then rename it to layout, as shown below:
  
• Open layout folder, and delete Library folder, as shown below:
  
• Open DEBIAN folder, and rename control to postinst, as shown below:

snakeninnys-iMac:iosrecallrecorder snakeninny$ cd /Users/snakeninny/Code/iosrecallrecorder/layout/DEBIAN/
snakeninnys-iMac:DEBIAN snakeninny$ mv control postinst

• Edit postinst

#!/bin/sh
killall -9 mediaserverd &> /dev/null
exit 0;

• Grant execute permission to postinst, as shown below:

snakeninnys-iMac:iosrecallrecorder snakeninny$ chmod +x /Users/snakeninny/Code/iosrecallrecorder/layout/DEBIAN/postinst

• Copy postinst and rename the new file postrm, as shown below:

snakeninnys-iMac:DEBIAN snakeninny$ cp postinst postrm

• Run make clean and rm *.deb to clean the project, as shown below:

snakeninnys-iMac:iosrecallrecorder snakeninny$ make clean
rm -rf ./obj
rm -rf "/Users/snakeninny/Code/iosrecallrecorder/_"
snakeninnys-iMac:iosrecallrecorder snakeninny$ rm *.deb

• The project should look like this now:
  

Package and install iOSRECallRecorder

snakeninnys-iMac:iosrecallrecorder snakeninny$ make package install
Making all for tweak iOSRECallRecorder...
 Preprocessing Tweak.xm...
Name "Data::Dumper::Purity" used only once: possible typo at /Users/snakeninny/Code/iosrecallrecorder/theos/bin/logos.pl line 615.
 Compiling Tweak.xm...
 Linking tweak iOSRECallRecorder...
 Stripping iOSRECallRecorder...
 Signing iOSRECallRecorder...
Making stage for tweak iOSRECallRecorder...
dpkg-deb: building package `com.naken.iosrecallrecorder' in `./com.naken.iosrecallrecorder_1.0-4_iphoneos-arm.deb'.
install.exec "cat > /tmp/_theos_install.deb; dpkg -i /tmp/_theos_install.deb && rm /tmp/_theos_install.deb" < "./com.naken.iosrecallrecorder_1.0-4_iphoneos-arm.deb"
Selecting previously deselected package com.naken.iosrecallrecorder.
(Reading database ... 2984 files and directories currently installed.)
Unpacking com.naken.iosrecallrecorder (from /tmp/_theos_install.deb) ...
Setting up com.naken.iosrecallrecorder (1.0-4) ...
install.exec "killall -9 mediaserverd"

Test

Make a phone call and speak something. After a few seconds, hang up and check if there's f file at /var/mobile/Media/DCIM/result.m4a, as shown below:

FunMaker-5:~ root# ls -al /var/mobile/Media/DCIM/result.m4a
-rw-r--r-- 1 mobile mobile 114526 May  8 13:44 /var/mobile/Media/DCIM/result.m4a

Open it with any audio player, you'll find it's the audio of your phone call

Download

iOSRECallRecorder.deb (8.8 KB)
Works on my iPhone 5, iOS 8.1.1. You can download this deb without compiling the above project. The deb is not limited to iOS 8, so feel free to test it on older iOS versions and let me know if it still works, thank you

References:
1. http://stackoverflow.com/questions/1809347/how-can-i-record-conversation-phone-call-on-ios for hows and whys on this specific function
2. iOS App Reverse Engineering for a thorough and serialized tutorial of general iOS reverse engineering

Posts: 44

Participants: 9

Read full topic

@0xBBC wrote:

This post is mainly to demonstrate some possible protections against Cycript/Runtime. There are 5 parts.

• Stop cycript's choose(ClassName)
• Memcpy
• Move to our own memory blocks
• Useless setter/getter
• Encrypt memory data

English Version Post

---

这一篇文章着重于保护重要数据不被攻击者使用Cycript或者Runtime修改，概要内容如下：

• 防止choose(类名)
• 禁忌，二重存在
• 自己的内存块
• 虚伪的setter/getter
• 加密内存数据

中文版

---

题外话，不太熟悉Markdown怎么排版，主要是不能插入HTML代码，只好发链接了><
先写的中文，再翻的英文，英语翻得也不怎么样，不过理解应该没啥大问题。

P.S
最近是果然日语歌听太多了，翻英语的时候，“首先”，第一个蹦出来的词居然是“まず”而不是"first"...

Posts: 1

Participants: 1

Read full topic

@snakeninny wrote:

The place for non-Chinese speakers

Posts: 2

Participants: 1

Read full topic

@leipo wrote:

This is my code:
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions
{
// Override point for customization after application launch.
Class BluetoothManager = objc_getClass( "BluetoothManager" ) ;
id btCont = [BluetoothManager sharedInstance ] ;
[self performSelector:@selector(toggle:) withObject:btCont afterDelay:1.0f] ;
return YES;
}

• (void)toggle:(id)btCont
  {
  BOOL currentState = [btCont enabled] ;
  NSLog(@"currentState:%d", currentState);
  }

I used privateframework BluetoothManager and import the headers it needs .And It worked well with the set of Standard architecture.
The log is :
BTM: attaching to BTServer
currentState:1

But when with the set architecture of armv7 , It just didn't work .
The log:
BTM: attaching to BTServer
currentState:0
Can anyone give me some tips? I will be forever grateful.

Posts: 7

Participants: 2

Read full topic

@siam wrote:

It seems that, there is no untethered for iOS8.3, so i want to demotion from iOS8.3 to iOS8.1,but failed.What should I do?

Posts: 3

Participants: 2

Read full topic

@snakeninny wrote:

Before:

前.PNG800x600 199 KB

After:

后.PNG800x600 190 KB

Code:

%hook CalculatorViewController
- (void)addAdvertisement
{
}
%end

This is the App, if you're unsure:

App.PNG800x600 131 KB

Posts: 1

Participants: 1

Read full topic

@selvapsk wrote:

I was using a iPhone 3G (jailbroken) and recently it got struck with showing iTunes + Cable Icon to do the restore.
I had used iRecovery under Ubuntu 14.04 and enter into interactive shell using -s option and use the below sequence to get out the recovery mode.
$ sudo irecovery -s

setenv auto-boot true
saveenv
reboot

(Ref: http://linuxsleuthing.blogspot.in/2013/09/iphone-recovering-from-recovery.html)

But now the device got struck in apple logo forever.

How to restore the auto-boot flag in boot loader so that it can move to the restore mode from which I can use iTunes or similar Tools to restore the firmware.

Any reference to tools/suggestions appreciated.

PS: I was going thro' your Open Source iOS Reverse Engineering Book and it was very easy to understand. (I will update my feedback/comments once I had finished reading it).

Posts: 6

Participants: 2

Read full topic

@darkly wrote:

Hi.

I want to decrypt https traffic, taken by tcpdump from my jailbroken iphone (ios 8.3). As i understand, i have to use private RSA key to decrypt incoming https traffic. I explored my filesystem and find only Keychains database, but it looks like to be quite useless.

Does anybody know, how can i get RSA private key used by Safari?

Posts: 6

Participants: 2

Read full topic

@sferrini wrote:

I've a doubt about C functions "symbol table" in iOS: basically from what I understood from (firmware) embedded programming, when I write something like func(); (a call to a function in my source code), the compiler compiles this to a jump to a placeholder address that will be resolved later by the linker in the linking process. Once the linking is ended we have the binary ready and each addresses resolved. So, here I guess that the symbol table is not even present in the binary, and calls are just plain jumps to the actual implementations.

Now, talking about iOS, I understand that Objective-C methods uses messages to talk each other, and the runtime resolves the selector name looking up the symbol table. And swizzling is as simple as change the address mapped to the selector name.

But what about C functions calls in iOS: I guess for C calls to my own C code, is the same as firmware is (resolved by the linker at compile time, statically). But what about shared library? Why they needs symbol table? Aren't they just jumps to addresses? How does actually works the address resolution? I mean the all process from when the func(); function is going to be called to when the function is been called..? Is there a runtime linker even for c functions? How does it work?

Any clarification is appreciated

Posts: 1

Participants: 1

Read full topic

@Papillon wrote:

OS X El Captain, Xcode 7.01.

When I tried to class-dump a PreferencesBundle or Framework under ~/Library/Developer/Xcode/iOS DeviceSupport/7.1.1 (11D201)/Symbols/System/Library/, I got such an error:

pwd
/Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/7.1.1 (11D201)/Symbols/System/Library/PreferenceBundles/MobilePhoneSettings.bundle
$: class-dump MobilePhoneSettings
2015-10-06 16:10:59.492 class-dump[98015:2289687] Error: Cannot find offset for address 0x3a546a04 in dataOffsetForAddress:

pwd
/Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/7.1.1 (11D201)/Symbols/System/Library/Frameworks/AVFoundation.framework
$: class-dump AVFoundation
2015-10-06 16:14:37.696 class-dump[98020:2295299] Error: Cannot find offset for address 0x39c7d0bc in dataOffsetForAddress:

Similar issue here http://stackoverflow.com/questions/3715919/class-dump-gives-error-error-cannot-find-offset-for-address-in-dataoffset-for but it does not work for me.

Any ideas?

Posts: 4

Participants: 2

Read full topic

@Papillon wrote:

OS X El Captain, Xcode 7.01, Jailbroken iOS 7.1.1

$: lldb
(lldb) platform select remote-ios
Platform: remote-ios
Connected: no
SDK Path: "/Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B410)"
SDK Roots: [ 0] "/Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/7.1.1 (11D201)"
SDK Roots: [ 1] "/Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B410)"
SDK Roots: [ 2] "/Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/8.1.2 (12B440)"
(lldb) process connect connect://192.168.1.107:1234
Process 32872 stopped
* thread #1: tid = 0x45a74c, 0x2be7c028 dyld_dyld_start, stop reason = signal SIGSTOP
frame #0: 0x2be7c028 dylddyldstart
dyld`dyldstart:
-> 0x2be7c028 <+0>: mov r8, sp
0x2be7c02c <+4>: sub sp, sp, #16
0x2be7c030 <+8>: bic sp, sp, #7
0x2be7c034 <+12>: ldr r3, [pc, #0x70] ; <+132>
(lldb) image list -h -o -f
[ 0] 0x00012000 0x00011000 /Applications/Preferences.app/Preferences(0x0000000000012000)
[ 1] 0x2beb3000 0x000b3000 /Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/7.1.1 (11D201)/Symbols/usr/lib/dyld
[ 2] 0x000be000 0x000be000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x00000000000be000)
[ 3] 0x32937000 0x018b1000 /Users/papillon/Library/Developer/Xcode/iOS DeviceSupport/7.1.1 (11D201)/Symbols/System/Library/PrivateFrameworks/BulletinBoard.framework/BulletinBoard

The module path here is from OS X, not iOS. The reason may be SDK Roots shown above not including native path?

Posts: 5

Participants: 2

Read full topic

@snakeninny wrote:

As you may have already known, dyld_decache by kennyTM fails on arm64 caches. Since arm64 devices are more popular these days, what's the alternative of dyld_decache on dyld_shared_cache_arm64? Luckily, there is an answer: dsc_extractor, an open-sourced tool from Apple.
Now follow me on patching and compiling dsc_extractor so that it can decache dyld_shared_cache_arm64 as dyld_decache used to do.
P.S. You may need to manually install wget with homebrew.

Download and extract dsc_extractor

192:~ snakeninny$ cd ~
192:~ snakeninny$ mkdir dsc_extractor
192:~ snakeninny$ cd dsc_extractor
192:dsc_extractor snakeninny$ wget http://opensource.apple.com/tarballs/dyld/dyld-210.2.3.tar.gz
--2015-10-17 12:14:44--  http://opensource.apple.com/tarballs/dyld/dyld-210.2.3.tar.gz
Resolving opensource.apple.com... 17.251.224.146
Connecting to opensource.apple.com|17.251.224.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 470411 (459K) [application/x-gzip]
Saving to: 'dyld-210.2.3.tar.gz'

dyld-210.2.3.tar.gz                 100%[==================================================================>] 459.39K   230KB/s   in 2.0s   

2015-10-17 12:14:46 (230 KB/s) - 'dyld-210.2.3.tar.gz' saved [470411/470411]

192:dsc_extractor snakeninny$ tar xvf dyld-210.2.3.tar.gz
x dyld-210.2.3/
x dyld-210.2.3/bin/
...

Patch

192:dsc_extractor snakeninny$ cd dyld-210.2.3/launch-cache/
192:launch-cache snakeninny$ touch dsc_extractor.patch

The above command creates an empty file named dsc_extractor.patch under ~/dsc_extractor/dyld-210.2.3/launch-cache. Next copy the contents from here into dsc_extractor.patch and save the file (Note that if you wget or curl the patch file, there'd be an extra newline character at the end of the file, you'd have to remove it manually). Let's continue:

192:launch-cache snakeninny$ patch < dsc_extractor.patch
patching file dsc_extractor.cpp
Hunk #4 succeeded at 485 with fuzz 2.

P.S. MD5 of dsc_extractor.patch should be b54a2e2c9556003a91b04009e9986dba. If you don't get it correct, download this copy dsc_extractor.patch (1.1 KB)

Compile

192:launch-cache snakeninny$ clang++ -o dsc_extractor dsc_extractor.cpp dsc_iterator.cpp
In file included from dsc_extractor.cpp:51:
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../include/c++/v1/ext/hash_map:212:5: warning: Use of
      the header <ext/hash_map> is deprecated. Migrate to <unordered_map> [-W#warnings]
#   warning Use of the header <ext/hash_map> is deprecated.  Migrate to <unordered_map>
    ^
1 warning generated.

Decache

Now there's a binary dsc_extractor under ~/dsc_extractor/dyld-210.2.3/launch-cache. Let's test if it works.
1. Copy /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 from iOS to OSX using iFunBox.
2. Run /path/to/dsc_extractor /path/to/dyld_shared_cache_arm64 /path/to/decached/binaries/ on OSX, the output is shown below:

0/969
1/969
2/969
3/969
4/969
5/969
6/969
...

Done. Happy hacking iOS 9

---

References:
1. http://lightbulbone.tumblr.com/post/56546834100/ios-shared-cache-extraction
2. http://ant4g0nist.blogspot.com/2015/04/ios-shared-cache-extraction-to-solve.html
3. http://www.iphonedevwiki.net/index.php?title=Dyld_shared_cache

Posts: 8

Participants: 4

Read full topic

@radj wrote:

I used Google Translate on the page above and I'm getting the idea that it isn't supported yet? Is the translation correct? Just mirroring this here for English folks

Posts: 5

Participants: 3

Read full topic

@snakeninny wrote:

Code in my tweak:

NSLog(@"CNSDebug: %@, %@, %@", [self _valueOfNotificationType:0x10 forSectionInfo:[self.specifier propertyForKey:@"BBSECTION_INFO_KEY"]] , self, [self.specifier propertyForKey:@"BBSECTION_INFO_KEY"]);

What the log prints:

Oct 24 19:45:51 FunMaker-5 Preferences[2424]: CNSDebug: 0, <BulletinBoardAppDetailController 0x182b6200: navItem <UINavigationItem: 0x18884270>, view <UITableView: 0x182b7c00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x1887a610>; layer = <CALayer: 0x188796d0>; contentOffset: {0, -64}; contentSize: {320, 659.5}>>, <BBSectionInfo: 0x175e9d60> Section com.alipay.iphoneclient 'Alipay': shows in NC = NO, Alert style = Banner, Lockscreen = YES, External = YES, Push settings = [s:BSA] [e:BSA], allows notifications = YES

Note that the process is Preferences; the return value is 0; the BulletinBoardAppDetailController object and BBSectionInfo object are at memory address 0x182b6200 and 0x175e9d60 respectively.
Now let me call the same method with the same caller and arguments in Cycript:

FunMaker-5:~ root# cycript -p Preferences
cy# controller = #0x182b6200
#"<BulletinBoardAppDetailController 0x182b6200: navItem <UINavigationItem: 0x18884270>, view <UITableView: 0x182b7c00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x1887a610>; layer = <CALayer: 0x188796d0>; contentOffset: {0, 0}; contentSize: {320, 659.5}>>"
cy# sectionInfo = #0x175e9d60
#"<BBSectionInfo: 0x175e9d60> Section com.alipay.iphoneclient 'Alipay': shows in NC = NO, Alert style = Banner, Lockscreen = YES, External = YES, Push settings = [s:BSA] [e:BSA], allows notifications = YES"
cy# [controller _valueOfNotificationType:0x10 forSectionInfo:sectionInfo]
@true

Everything is all the same except that the return value is 1. Why?

Posts: 1

Participants: 1

Read full topic

@snakeninny wrote:

I was upgrading my tweak CustomNotificationSound for iOS 9 the other day, and class-dumped the headers of /System/Library/PreferenceBundles/NotificationsSettings.bundle/NotificationsSettings from my iPad Air. One private method I used in my tweak on iOS 8 was:

@interface BulletinBoardAppDetailController : PSListController 
- (NSNumber *)_valueOfNotificationType:(unsigned long long)arg1;
@end

And it was:

- (NSNumber *)_valueOfNotificationType:(unsigned long long)arg1 forSectionInfo:(BBSectionInfo *)arg2;

on iOS 9. The extra arg on iOS 9 was quite easy to get via:

BBSectionInfo *sectionInfo = [BulletinBoardAppDetailController.specifier propertyForKey:@"BBSECTION_INFO_KEY"]

and it worked like a charm on my iPad Air. When I was testing this tweak on my iPhone 5, something strange has happened:
Whatever value I set with _setValue:notificationType:forSectionInfo:, the above code always returned a "constant" value in my tweak, but the same thing was not happening on my iPad Air; what was even stranger was that the same code snippet was returning the correct value when I debugged with Cycript. The description could be explained with a few lines of code:

// Code in my tweak

@interface PSSpecifier : NSObject
@property (retain, nonatomic) NSString *identifier;
- (id)propertyForKey:(NSString *)key;
@end

@interface PSViewController : UIViewController
- (PSSpecifier *)specifier;
@end

@interface PSListController : PSViewController
- (UITableView *)table;
@end

@interface BulletinBoardAppDetailController : PSListController 
- (NSNumber *)_valueOfNotificationType:(unsigned long long)arg1 forSectionInfo:(id)arg2;
@end

%group NotificationSettingsHook

%hook BulletinBoardAppDetailController
%new
- (void)CNSLogger
{
	NSLog(@"CNSLog: %@, %@, %@", [self _valueOfNotificationType:0x10 forSectionInfo:[[self specifier] propertyForKey:@"BBSECTION_INFO_KEY"]], self, [[self specifier] propertyForKey:@"BBSECTION_INFO_KEY"]);
	[self performSelector:@selector(CNSLogger) withObject:nil afterDelay:1.0];
}

- (void)tableView:(UITableView *)arg1 didSelectRowAtIndexPath:(NSIndexPath *)arg2
{
	[self performSelector:@selector(CNSLogger) withObject:nil afterDelay:1.0];
	return %orig;
}
%end

%end

%hook PSListController
- (void)lazyLoadBundle:(id)arg1
{
	%orig;
	if ([[arg1 identifier] isEqualToString:@"NOTIFICATIONS_ID"]) %init(NotificationSettingsHook);
}
%end

%ctor
{
	%init;
}

When the hooked method was called, there'd be continuous CNSLogs every 1 second, as shown below:

Oct 25 20:25:20 FunMaker-5 Preferences[14721]: CNSLog: 0, <BulletinBoardAppDetailController 0x16a16000: navItem <UINavigationItem: 0x17878700>, view <UITableView: 0x17278e00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x1785f190>; layer = <CALayer: 0x16699120>; contentOffset: {0, -64}; contentSize: {320, 659.5}>>, <BBSectionInfo: 0x165c5570> Section com.alipay.iphoneclient 'Alipay': shows in NC = NO, Alert style = Banner, Lockscreen = YES, External = YES, Push settings = [s:BSA] [e:B-A], allows notifications = YES
Oct 25 20:25:21 FunMaker-5 Preferences[14721]: CNSLog: 0, <BulletinBoardAppDetailController 0x16a16000: navItem <UINavigationItem: 0x17878700>, view <UITableView: 0x17278e00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x1785f190>; layer = <CALayer: 0x16699120>; contentOffset: {0, -64}; contentSize: {320, 659.5}>>, <BBSectionInfo: 0x165c5570> Section com.alipay.iphoneclient 'Alipay': shows in NC = NO, Alert style = Banner, Lockscreen = YES, External = YES, Push settings = [s:BSA] [e:B-A], allows notifications = YES
...

While CNSLogger was called recursively, I changed the value and checked it with Cycript:

FunMaker-5:~ root# cycript -p Preferences
cy# controller = #0x16a16000
#"<BulletinBoardAppDetailController 0x16a16000: navItem <UINavigationItem: 0x17878700>, view <UITableView: 0x17278e00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x1785f190>; layer = <CALayer: 0x16699120>; contentOffset: {0, -64}; contentSize: {320, 659.5}>>"
cy# sectionInfo = #0x165c5570
#"<BBSectionInfo: 0x165c5570> Section com.alipay.iphoneclient 'Alipay': shows in NC = NO, Alert style = Banner, Lockscreen = YES, External = YES, Push settings = [s:BSA] [e:B-A], allows notifications = YES"
cy# [controller _setValue:@1 notificationType:0x10 forSectionInfo:sectionInfo]
cy# [controller _valueOfNotificationType:0x10 forSectionInfo:sectionInfo]
@true

As you may have already noticed, controller and sectionInfo were taken from the exact same addresses to the ones in CNSLogs, to make sure the caller and args were all the same. Now let's take a look at CNSLog after I've changed the value with Cycript:

FunMaker-5:~ root# grep CNSLog /var/log/syslog | grep 1,

The return values were different! How could that happen?
As a 5-year noob writing tweaks and reversing iOS, I was totally lost on this bug. But I believed the bug could be fixed, with the help from our code wrangler, a.k.a. rpetrich. And he hit the point in less than 10 seconds:

Let's run the command he mentioned on the fat NotificationsSettings binary and see what was there:

< - (id)_valueOfNotificationType:(unsigned int)arg1 forSectionInfo:(id)arg2;
---
> - (id)_valueOfNotificationType:(unsigned long long)arg1 forSectionInfo:(id)arg2;

As he further explained, this was a typedef issue:

The bug were bubbling to the surface then:
The 1st arg of _valueOfNotificationType:forSectionInfo: was unsigned int on 32-bit devices and unsigned long long on 64-bit devices. The method was dumped from a 64-bit device, i.e. my iPad Air, and was then used on a 32-bit device, i.e. my iPhone 5. unsigned long long was 64-bit long on both 32 and 64-bit devices, and required 2 32-bit registers to hold it. As I said on the book, _valueOfNotificationType:forSectionInfo:'s 2 args were stored in R2 and R3 respectively on 32-bit devices, but if the 1st arg was 64-bit long, R2 (a 32-bit register) would not be large enough to hold such a long arg, it had to be divided into 2 args and "will spill into the next register", i.e. R3. Since the arg was 0x10, the lower 32-bit happened to be 0, it filled R3 with 0 a.k.a. nil. So, even if I called the method like this:

[controller _valueOfNotificationType:0x10 forSectionInfo:anExisitingSectionInfo];

It was actually executing like this:

[controller _valueOfNotificationType:0x10 forSectionInfo:nil];

Ultimately, it was my fault to have told clang the wrong arg type so clang extended a correct 32-bit value into a "wrong" 64-bit value, overwriting the other correct arg and causing the bug. What a stupid mistake!
Now that we know the root cause of the bug, let's check it with LLDB.

Let's set a breakpoint on the 1st instruction of [BulletinBoardAppDetailController _valueOfNotificationType:forSectionInfo:] and print all the args:

(lldb) br s -a 0x02ba0000+0x98D0
Breakpoint 2: where = NotificationsSettings`___lldb_unnamed_function67$$NotificationsSettings, address = 0x02ba98d0
Process 14721 stopped
* thread #1: tid = 0x3b009, 0x02ba98d0 NotificationsSettings`___lldb_unnamed_function67$$NotificationsSettings, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x02ba98d0 NotificationsSettings`___lldb_unnamed_function67$$NotificationsSettings
NotificationsSettings`___lldb_unnamed_function67$$NotificationsSettings:
->  0x2ba98d0 <+0>: push   {r4, r7, lr}
    0x2ba98d2 <+2>: add    r7, sp, #0x4
    0x2ba98d4 <+4>: movw   r0, #0xc876
    0x2ba98d8 <+8>: mov    r4, r2
(lldb) po $r0
<BulletinBoardAppDetailController 0x16a16000: navItem <UINavigationItem: 0x17878700>, view <UITableView: 0x17278e00; frame = (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x1785f190>; layer = <CALayer: 0x16699120>; contentOffset: {0, -64}; contentSize: {320, 659.5}>>

(lldb) p (char *)$r1
(char *) $1 = 0x00490f98 "_valueOfNotificationType:forSectionInfo:"
(lldb) po $r2
16

(lldb) po $r3
<nil>

R3, storing the 2nd arg, was nil. It wasn't nil in our previous CNSLogs, right?
The fix to the bug is quite straightforward:

@interface BulletinBoardAppDetailController : PSListController 
// - (BBSectionInfo *)effectiveSectionInfo; // iOS 8
// - (BBSectionInfo *)_effectiveSectionInfoForSectionInfo:(id)arg1 pushSetting:(NSUInteger)arg2; // iOS 9
#if __LP64__
- (NSNumber *)_valueOfNotificationType:(unsigned long long)arg1; // iOS 8
- (NSNumber *)_valueOfNotificationType:(unsigned long long)arg1 forSectionInfo:(BBSectionInfo *)arg2; // iOS 9
- (void)_setValue:(NSNumber *)arg1 notificationType:(unsigned long long)arg2; // iOS 8
- (void)_setValue:(NSNumber *)arg1 notificationType:(unsigned long long)arg2 forSectionInfo:(BBSectionInfo *)arg3; // iOS 9
#else
- (NSNumber *)_valueOfNotificationType:(unsigned int)arg1; // iOS 8
- (NSNumber *)_valueOfNotificationType:(unsigned int)arg1 forSectionInfo:(BBSectionInfo *)arg2; // iOS 9
- (void)_setValue:(NSNumber *)arg1 notificationType:(unsigned int)arg2; // iOS 8
- (void)_setValue:(NSNumber *)arg1 notificationType:(unsigned int)arg2 forSectionInfo:(BBSectionInfo *)arg3; // iOS 9
#endif
@end

Or, more elegant as it should be:

@interface BulletinBoardAppDetailController : PSListController 
// - (BBSectionInfo *)effectiveSectionInfo; // iOS 8
// - (BBSectionInfo *)_effectiveSectionInfoForSectionInfo:(id)arg1 pushSetting:(NSUInteger)arg2; // iOS 9
- (NSNumber *)_valueOfNotificationType:(NSUInteger)arg1; // iOS 8
- (NSNumber *)_valueOfNotificationType:(NSUInteger)arg1 forSectionInfo:(BBSectionInfo *)arg2; // iOS 9
- (void)_setValue:(NSNumber *)arg1 notificationType:(NSUInteger)arg2; // iOS 8
- (void)_setValue:(NSNumber *)arg1 notificationType:(NSUInteger)arg2 forSectionInfo:(BBSectionInfo *)arg3; // iOS 9
@end

Note that NSUInteger equals to unsigned long/unsigned int on 64/32-bit devices, and unsigned long equals to unsigned long long, according to this link, this link and this link
Learning from our own mistakes is always the best way to get better. Happy hacking!

P.S. According to rpetrich, NSUInteger, NSInteger and CGFloat may all subject to this problem, please pay special attention!

References:
1. rpetrich
2. https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/Cocoa64BitGuide/64BitChangesCocoa/64BitChangesCocoa.html
3. https://developer.apple.com/library/ios/documentation/General/Conceptual/CocoaTouch64BitGuide/Major64-BitChanges/Major64-BitChanges.html
4. http://stackoverflow.com/questions/2107544/types-in-objective-c-on-iphone/2107549#2107549

Posts: 3

Participants: 2

Read full topic

@snakeninny wrote:

Hi all,
When we're remote debugging on iOS, someone may get confused that he can't locate the library binaries of the debugged process on iOS. For example, when I'm debugging SpringBoard on iOS 6.1.3, iPhone 4s:

(lldb) im li -o -f
[  0] 0x00027000 /System/Library/CoreServices/SpringBoard.app/SpringBoard(0x0000000000028000)
[  1] 0x002cf000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x00000000002cf000)
[  2] 0x00279000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices

SpringBoard imports StoreServices.framework but there's no /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices on iOS, as shown below:

FunMaker-4s:~ root# ls /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices
ls: cannot access /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices: No such file or directory

So under such circumstance, how can we successfully locate our target binary? It's quite obvious:
Actually, the above output from LLDB has already stated the full path of the binary, i.e. /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices, which is on OSX:

snakeninnys-iMac:~ snakeninny$ ls "/Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices"
/Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/6.1.3 (10B329)/Symbols/System/Library/PrivateFrameworks/StoreServices.framework/StoreServices

Head to the corresponding document and we can see the binary.
P.S. If the binary is fat, remember to choose the right slice in your favorite disassembler according to this image:

And the latest devices are all shipped with arm64 processors.
The same rules apply to libraries on iOS, too.

---

Special note:

In earlier days, all libraries can be found on iOS rather than OSX, they're either located at their own paths like /System/Library/PrivateFrameworks/StoreServices.framework/StoreServices or inside a big cache at /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armXXX. If it's in the cache, you have to decache and extract the separate binaries for analysis.
The situation changed nowadays that some of the binaries are found locally on OSX, and my guess is that the binaries on OSX contain debug symbols that debuggers need. Be noted on this and everything should work as expected
Thanks,
snakeninny

Posts: 1

Participants: 1

Read full topic

@MouthPutCleanDot wrote:

http://navillezhang.me/2015/11/05/dyld_shared_cache-decache/
It's 11AM and I'm tired and wasted.Thanks

Posts: 1

Participants: 1

Read full topic

@keptonpay wrote:

lldb often times prints out gibberish like characters/hex values, how do I convert this to string? Some values when I do "po", they return a string or method name with address, some are not "poable", anyone has any ideas?

Here is an example output:

"\x1c\xfffffff8\xffffffdf\x01 \xfffffff8\xffffffdf\x01$\xfffffff8\xffffffdf\x01(\xfffffff8\xffffffdf\x01t\xfffffff8\xffffffdf\x010\xfffffff8\xffffffdf\x014\xfffffff8\xffffffdf\x01\x101\xffffffcf\x01\x141\xffffffcf\x01$1\xffffffcf\x01@1\xffffffcf\x01T1\xffffffcf\x01P1\xffffffcf\x01D1\xffffffcf\x01h1\xffffffcf\x01\xffffff9c1\xffffffcf\x01\xffffffa01\xffffffcf\x01\xffffffa41\xffffffcf\x01\xffffffa81\xffffffcf\x01\xffffffc41\xffffffcf\x01\xffffffc81\xffffffcf\x01\xffffffcc1\xffffffcf\x01\xffffffd41\xffffffcf\x01\xffffffd81\xffffffcf\x01\xffffffdc1\xffffffcf\x01\xfffffff0\x03\xffffffd5\x01\xffffffec\x03\xffffffd5\x01UKW"

"lyP\x03\xffffff9dXU"

thanks

Posts: 1

Participants: 1

Read full topic

@Nader wrote:

I read your article here : http://bbs.iosre.com/t/run-an-app-as-root-on-ios/239

when i want to make project, got following errors : 

 Copying resource directories into the application wrapper...
In file included from RootViewController.mm:2:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/unistd.h:71:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/_types.h:27:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/sys/_types.h:32:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/sys/cdefs.h:680:2: error: Unsupported architecture
#error Unsupported architecture
 ^
In file included from RootViewController.mm:2:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/unistd.h:71:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/_types.h:27:
In file included from /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/sys/_types.h:33:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS8.1.sdk/usr/include/machine/_types.h:34:2: error: architecture not
      supported
#error architecture not supported
 ^
2 errors generated.

Posts: 4

Participants: 2

Read full topic