Reading system log with socat does not work (anymore?)

Open gl4nce opened this issue 3 years ago • 4 comments

As described here: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06b-Basic-Security-Testing.md

There you find the following command:

iPhone:~ root# socat - UNIX-CONNECT:/var/run/lockdown/syslog.sock

I tried it on my iPhone (iOS 14.2) but I always get the following error message: no such file or directory.

Maybe it does not work anymore on iOS 14.2? Or am I doing something wrong?

gl4nce avatar Mar 29 '21 15:03 gl4nce

This might well be. Have you verified whether the file is indeed there? Have you tried to search for the file from the root / with e.g. "find"?

This and further research might help:

https://www.reddit.com/r/jailbreakdevelopers/comments/ene6ua/ios_13_read_syslog/

Please let us know if you find the cause, thanks for reporting!

cpholguera avatar Mar 30 '21 06:03 cpholguera

Thanks for your answer.

The file is missing. Looks like the whole directory structure was changed. I already read the post on reddit but it doesn't work for me either (oslog does not exist anymore). Looks like something changed on iOS 14.

$ ls /var/run
fudinit mDNSResponder= syslog= vpncontrol.sock= lockdown.sock printd=

gl4nce avatar Mar 30 '21 08:03 gl4nce

Seems we might need to update that section. Thanks for pointing it out!

You can also use ideviceinstaller, which is part of the package libimobiledevice in brew. Then you can access the system logs once you connect the iOS device via USB. Console.app on macOS also works fine.

sushi2k avatar Apr 16 '21 13:04 sushi2k

Thanks for the information @sushi2k!

I could get it working. These are my steps (frida and libimobiledevice required; used macOS). All steps are done on the macOS Console.app.

  1. Get the PID for the target app with frida-ps -U
  2. Run idevicesyslog with the PID you got from the step before: idevicesyslog -p $PID
  3. Do dynamic testing on the target app and check the log entries

gl4nce avatar Apr 16 '21 14:04 gl4nce
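
The three steps from the last comment can be combined into one script. This is an added example, not code from the thread or from the MASTG; the function names, the sample `frida-ps -U` listing and the app name `DemoBank` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `frida-ps -U` output (not captured from a real device).
SAMPLE_FRIDA_PS='  PID  Name
-----  ------------------
  312  Settings
 1427  App Store
 2290  DemoBank
'

# Read frida-ps output on stdin and print the PID of the process whose
# name equals $1 exactly (names may contain spaces).
# Exit status: 0 = one match, 1 = no match, 2 = more than one match.
pid_for_app() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ {                      # skips the header and the dashes
            pid = $1
            name = $0
            sub(/^[ \t]*[0-9]+[ \t]+/, "", name)   # drop the PID column
            sub(/[ \t\r]+$/, "", name)             # drop trailing whitespace
            if (name == want) { pids[++n] = pid }
        }
        END {
            if (n == 1) { print pids[1]; exit 0 }
            exit (n == 0 ? 1 : 2)
        }'
}

# Steps 1 and 2 from the comment: resolve the PID over USB, then follow
# only that process in the device syslog.
follow_app_log() {
    pid=$(frida-ps -U | pid_for_app "$1") || {
        echo "no unique process named '$1' on the device" >&2
        return 1
    }
    exec idevicesyslog -p "$pid"
}

# Only contacts a device when an app name is given on the command line.
if [ "$#" -gt 0 ]; then
    follow_app_log "$1"
fi
```

Matching on the exact name rather than a substring keeps the log filter from attaching to an unrelated process with a similar name.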