In the previous installment, we wrote a simple makefile and an even simpler C program. We set up our phone by installing ldid to pseudo-sign our code as well. We've also configured debugserver for our phone. So let's get started!
So, what is debugserver? Well, it's a program that allows you to do remote debugging on your phone. Apple uses it when running apps in development mode on your phone. That's right, whenever you're debugging an app on your phone via Xcode, you're using debugserver. Debugserver speaks essentially the same remote debugging protocol that GDB uses, so LLDB will interface with it too. There are other applications like this out there, like lldb-server and gdbserver, but debugserver is the one Apple provides, and it's the easiest to get onto your phone. If you've gone through the instructions I pointed you to in the last piece, you understand why you needed to sign the executable, and you've signed it. You should also have copied it to your phone.
I maintain another bin directory under /private/var on my phone, personally. I do this because one of my jailbroken phones is a 16 GB iPhone 5s, and it has a really tiny system partition. As a result, I can't store stuff in the usual locations like /usr/bin or /usr/local/bin; I need to save that space for things I install from Cydia. So I just have an alternative binary store in /private/var/bin. I suggest you do the same, and adjust your PATH in your .bashrc, .profile, or similar configuration file.
Compilation, Moving, and Signing
Alright, so at this point, you should have a makefile and a file function.c. You should have make installed if you have Xcode and the Xcode command line tools (install Xcode from the App Store on your Mac, then run the command xcode-select --install and install the command line tools when prompted - easy peasy). Now, in the directory with the files you just created, type:
Yep, I know, that's really a bit much.
Anyway, you now have the files function and function.o in your directory - the function executable is what we really care about. SCP that over to your phone, and then SSH in:
    $ scp -P 2002 function root@localhost:~/
    $ ssh -p 2002 root@localhost
    root@localhost's password:
Now, on my system, I'm running gandalf configured to multiplex my local port 2002 to the SSH port on the phone; your system may be configured differently. Also note that scp uses a capital P (-P) to indicate the port, while ssh uses a lowercase p (-p).
Okay, so you've logged in. Try to run the program - you'll see this:
    # ./function
    Killed: 9
Don't panic! This is normal for iOS. Remember, the function executable isn't signed yet. The XNU kernel at the core of iOS will not allow unsigned programs to run, and if they attempt to do so, the kernel will kill them off with a SIGKILL. I know, rude.
Use ldid to sign the function file, and you're good to go:
    # ldid -S ./function
    # ./function
    #
Sweet! No murder here, just how we like it.
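A forgotten ldid -S only shows up as Killed: 9 after the binary is already on the phone, so it is handy to check for a signature on the Mac before copying it over. The following is an added example, not code from the original post: a small Python 3 script (the file name machocheck.py is my assumption) that parses a Mach-O's load commands and reports whether every architecture slice carries the LC_CODE_SIGNATURE load command that ldid -S adds. The two sample images at the bottom are constructed fixtures with no real code in them.

```python
import struct
import sys

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O magic (little-endian on ARM/x86)
FAT_MAGIC = 0xCAFEBABE                           # fat (multi-arch) wrapper, big-endian
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D          # load command ids from <mach-o/loader.h>

def load_commands(data, base=0):
    """Yield (cmd, payload) for each load command of the thin image starting at `base`."""
    magic = struct.unpack_from("<I", data, base)[0]
    header_size = {MH_MAGIC_64: 32, MH_MAGIC: 28}.get(magic)
    if header_size is None:
        raise ValueError("no thin Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    off, end = base + header_size, base + header_size + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:        # refuse truncated or malformed tables
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        yield cmd, data[off + 8:off + cmdsize]
        off += cmdsize

def code_signature(data, base=0):
    """(dataoff, datasize) of the signature blob in __LINKEDIT, or None if the slice is unsigned."""
    for cmd, payload in load_commands(data, base):
        if cmd == LC_CODE_SIGNATURE:                  # payload is a linkedit_data_command body
            return struct.unpack_from("<II", payload)
    return None

def is_signed(data):
    """True only if every architecture slice carries an LC_CODE_SIGNATURE load command."""
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        offsets = [struct.unpack_from(">IIIII", data, 8 + 20 * i)[2] for i in range(nfat)]
        return all(code_signature(data, off) is not None for off in offsets)
    return code_signature(data) is not None

def thin_image(cmds):
    """Constructed fixture: an arm64 MH_EXECUTE header plus raw load commands, no code or segments."""
    body = b"".join(cmds)
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(cmds), len(body), 0, 0) + body

UUID_CMD = struct.pack("<II", LC_UUID, 24) + bytes(range(16))
UNSIGNED = thin_image([UUID_CMD])                                   # what ldid has not yet touched
SIGNED = thin_image([UUID_CMD, struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x1A0)])

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:                              # python3 machocheck.py function
        print("signed" if is_signed(f.read()) else "UNSIGNED - run ldid -S first")
```

Run it against the function binary before the scp step; a clean thin build from clang will report UNSIGNED until ldid -S has been run on it.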
Okay, at this point you have your iPhone set up with debugserver and a signed executable. In Part III, we'll start debugging.