Merge pull request #108 from zqxwce/feature/entitlements-debugserver

dev_mode: Patch entitlements for debugserver
2026-04-05 13:09:06 +08:00 · 2026-03-05 18:24:01 +08:00
parent 7d161d25fc 95a457ce30
commit 84cc863b5d
2 changed files with 25 additions and 4 deletions
--- a/research/patch_comparison_all_variants.md
+++ b/research/patch_comparison_all_variants.md
@@ -137,6 +137,9 @@ Base-patch verification note (2026-03-05):
 | 5   | `b` (skip jetsam guard) | launchd              | Prevent jetsam panic on boot              |    —    |  Y  |  Y  |
 | 6   | LC_LOAD_DYLIB injection | launchd              | Load `/cores/launchdhook.dylib` at launch |    —    |  —  |  Y  |

+Signing note (Dev install path):
+- `scripts/cfw_install_dev.sh` now uses `ldid_sign_ent <file> <entitlements.plist> [bundle_id]` for binaries requiring explicit entitlements (for example `vphoned`), which signs with `-K.../signcert.p12`.
+
 ### Installed components

 | #   | Component                | Description                                                       | Regular | Dev | JB  |
--- a/scripts/cfw_install_dev.sh
+++ b/scripts/cfw_install_dev.sh
@@ -97,6 +97,13 @@ ldid_sign() {
    ldid "${args[@]}" "$file"
 }

+ldid_sign_ent() {
+    local file="$1" entitlements_plist="$2" bundle_id="${3:-}"
+    local args=("-S$entitlements_plist" "-K$VM_DIR/$CFW_INPUT/signcert.p12")
+    [[ -n "$bundle_id" ]] && args+=("-I$bundle_id")
+    ldid "${args[@]}" "$file"
+}
+
 # Detach a DMG mountpoint if currently mounted, ignore errors
 safe_detach() {
    local mnt="$1"
@@ -256,6 +263,20 @@ ssh_cmd "/bin/chmod 0755 /mnt1/sbin/launchd"

 echo "  [+] launchd patched"

+# remove seatbelt profile and add task_for_pid-allow for debugserver
+echo ""
+echo "  Patch debugserver entitlements..."
+
+scp_from "/mnt1/usr/libexec/debugserver" "$TEMP_DIR/debugserver"
+ldid -e "$TEMP_DIR/debugserver" > "$TEMP_DIR/debugserver-entitlements.plist"
+plutil -remove seatbelt-profiles "$TEMP_DIR/debugserver-entitlements.plist"
+plutil -insert task_for_pid-allow -bool YES "$TEMP_DIR/debugserver-entitlements.plist"
+ldid_sign_ent "$TEMP_DIR/debugserver" "$TEMP_DIR/debugserver-entitlements.plist"
+scp_to "$TEMP_DIR/debugserver" "/mnt1/usr/libexec/debugserver"
+ssh_cmd "/bin/chmod 0755 /mnt1/usr/libexec/debugserver"
+
+echo "  [+] debugserver entitlements patched"
+
 # Rename APFS update snapshot to orig-fs (idempotent)
 echo "  Checking APFS snapshots..."
 SNAP_LIST=$(ssh_cmd "snaputil -l /mnt1 2>/dev/null" || true)
@@ -428,10 +449,7 @@ if [[ "$needs_vphoned_build" == "1" ]]; then
        -framework Foundation
 fi
 cp "$VPHONED_BIN" "$TEMP_DIR/vphoned"
-ldid \
-    -S"$VPHONED_SRC/entitlements.plist" \
-    -M "-K$VM_DIR/$CFW_INPUT/signcert.p12" \
-    "$TEMP_DIR/vphoned"
+ldid_sign_ent "$TEMP_DIR/vphoned" "$VPHONED_SRC/entitlements.plist"
 scp_to "$TEMP_DIR/vphoned" "/mnt1/usr/bin/vphoned"
 ssh_cmd "/bin/chmod 0755 /mnt1/usr/bin/vphoned"
 # Keep a copy of the signed binary for host-side auto-update