
Frida Gadget/Objection on iOS 18

Introduction

Running Frida Gadget on (jailed) iOS 18 can be surprisingly more difficult than expected.

In this article, I provide a full method to get Frida Gadget running on such a device.

Prerequisites

  • a device running iOS 18
  • a Mac
  • Xcode (can be Xcode 15+)
  • Sideloadly
  • Objection

Steps

1) Get a decrypted IPA

You can get a decrypted IPA for your app at armconverter.com/decryptedappstore.

2) Get a signing identity and an embedded.mobileprovision

In Xcode, create a sample app for iOS and run it on your device.

  • You can view your signing identity with:
    
    % security find-identity -p codesigning -v                          
    1) 85719B2FB2XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX "Apple Development: xxxxxxx@xyz.com (YYYXXXXXXX)"
       1 valid identities found
    
  • You can extract the embedded.mobileprovision from the Xcode build output (for example /Users/xxx/Library/Developer/Xcode/DerivedData/SampleApp-xxxxxxxxxxxxxxxx/Build/Products/Debug-iphoneos/SampleApp.app/embedded.mobileprovision).

You can get more details on the Objection GitHub page.
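
A pre-flight check for the profile extracted in this step, added here as an example (it is not code from the original post or from Objection): it reads the plist carried inside embedded.mobileprovision and reports whether the profile is expired, lists your device, and grants get-task-allow, which the Xcode attach in step 5 depends on. It assumes the plist sits in clear text inside the signed container and uses Apple's standard profile keys; load_profile, check_profile and make_sample are hypothetical names, and the sample profile is constructed.

```python
import plistlib
import sys
from datetime import datetime, timezone

def load_profile(blob):
    """Return the plist carried inside a CMS-signed .mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start) if start >= 0 else -1
    if end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(blob, udid, now=None):
    """List the problems that would block install or debugger attach."""
    profile = load_profile(blob)
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")
    if udid not in profile.get("ProvisionedDevices", []):
        problems.append("device UDID not in ProvisionedDevices")
    if not profile.get("Entitlements", {}).get("get-task-allow", False):
        problems.append("get-task-allow missing: debugger cannot attach")
    return problems

def make_sample(udids, expires, debuggable):
    """Constructed stand-in for a real profile: plist wrapped in filler bytes."""
    body = plistlib.dumps({
        "Name": "SampleApp development (constructed)",
        "ExpirationDate": expires,
        "ProvisionedDevices": udids,
        "Entitlements": {"get-task-allow": debuggable},
    })
    return b"\x30\x82\x0f\x00" + body + b"\x00constructed-signature"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check.py embedded.mobileprovision <UDID>
        with open(sys.argv[1], "rb") as fh:
            issues = check_profile(fh.read(), sys.argv[2])
    else:  # no arguments: run against the constructed sample
        blob = make_sample(["00008120-CONSTRUCTED"], datetime(2030, 1, 1), True)
        issues = check_profile(blob, "00008120-CONSTRUCTED", datetime(2025, 1, 1))
    print("\n".join(issues) or "profile OK")
```

An empty result means the profile should allow both the install in step 4 and the debugger attach in step 5.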

3) Patch the app

Follow the instructions on the Objection wiki for iOS to prepare a patched .ipa.

This should give you a fresh .ipa.

4) Install the app

Unfortunately, as of iOS 17+, we can no longer use ios-deploy to launch apps. So we’ll not use this tool at all.

Instead, we can just use Sideloadly!
You can take note of the bundle identifier in Sideloadly, and change it if needed.

5) Launch the app

If you just try to launch the app by tapping its icon on the home screen, it will just crash.

Run this command to start the app paused:

xcrun devicectl device process launch --device 00008120-<identifier> --start-stopped com.bundle.identifier

You can get your device identifier from Xcode > Window > Devices and Simulators.

The app should launch and freeze.

Next, go to Xcode > Debug > Attach to process and find your app.

You should see Frida: Listening on 127.0.0.1 TCP port 27042 in the console.

6) Connect to Frida

We need to use the networked mode.
In a terminal window, run:

pymobiledevice3 usbmux forward 27042 27042

and in another:

objection -N -h 127.0.0.1 -p 27042 explore

Congrats! 🥳 You are connected!

This post is licensed under CC BY 4.0 by the author.