Reveal is a view and layout debugger for your iOS/tvOS apps. Reveal works by being embedded into your application through an xcframework or a CocoaPod.
Here’s how to use Reveal on a jailbroken device with apps you do not have the source code for. This is useful for general security research and for building jailbreak tweaks that modify the UI of apps. We use Frida, a dynamic instrumentation toolkit, to do most of the heavy lifting.
First, install Frida following the installation instructions.
Next, we’ll copy the xcframework onto our device.
First, let’s find the Reveal framework.
From the Reveal menu, click on “Show Reveal Framework in Finder”.
Next we’ll copy the appropriate framework to the target device.
If the target device is running iOS, use the .framework folder inside ios-arm64. If the target device is running tvOS, use the .framework folder inside tvos-arm64.
Here’s an scp command to copy the framework folder with all the files it contains to /tmp. Make sure you replace tvos-arm64 with ios-arm64 if you’re using an iOS device and replace tvos.lan with the address of your jailbroken device.
scp -r ~/Library/Application\ Support/Reveal/RevealServer/RevealServer.xcframework/tvos-arm64/RevealServer.framework <user>@tvos.lan:/tmp
Now, we’ll use Frida to attach to the process we want to inspect and load RevealServer.
frida -U PineBoard
Once this completes, paste this code into the REPL.
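// Load the RevealServer binary into the attached process.
Module.load("/private/var/tmp/RevealServer.framework/RevealServer");
// Make sure the module's initializers have run before using it.
Module.ensureInitialized("RevealServer");
// Post the start notification on the main queue so RevealServer starts.
ObjC.schedule(ObjC.mainQueue, () => {
  ObjC.classes.NSNotificationCenter.defaultCenter()["- postNotificationName:object:"](
    "IBARevealRequestStart",
    NULL
  );
});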
You should now be able to see the app in Reveal!
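
The REPL steps above, collected into a script that can be passed to Frida with `-l` instead of being pasted by hand. This is an added example, not part of the original post; the `startReveal` helper, its `rt` parameter and the file name `reveal.js` are names assumed here, and the Frida calls are the ones used above plus `Process.findModuleByName`.

```javascript
// Added example: the REPL steps above as a reusable Frida script.
// FRAMEWORK_PATH matches the scp destination used on this page.
const FRAMEWORK_PATH = "/private/var/tmp/RevealServer.framework/RevealServer";
const START_NOTIFICATION = "IBARevealRequestStart";

// `rt` bundles the Frida globals (Module, ObjC, Process, NULL). Passing them in
// is an assumption of this example so the logic can be exercised outside Frida.
function startReveal(rt, path = FRAMEWORK_PATH) {
  if (!rt.ObjC || !rt.ObjC.available) {
    return { ok: false, reason: "Objective-C runtime not available in this process" };
  }
  // Skip the load when RevealServer is already mapped (script run a second time).
  const alreadyLoaded = rt.Process.findModuleByName("RevealServer") !== null;
  if (!alreadyLoaded) {
    try {
      rt.Module.load(path);
    } catch (e) {
      // Loading throws if the file is missing or is the wrong platform slice
      // (for example ios-arm64 copied to a tvOS device).
      return { ok: false, reason: "load failed: " + e.message };
    }
    rt.Module.ensureInitialized("RevealServer");
  }
  // The notification is posted on the main queue, as in the REPL snippet.
  rt.ObjC.schedule(rt.ObjC.mainQueue, () => {
    rt.ObjC.classes.NSNotificationCenter.defaultCenter()
      ["- postNotificationName:object:"](START_NOTIFICATION, rt.NULL);
  });
  return { ok: true, alreadyLoaded };
}

// Inside Frida the globals exist, so the script runs as soon as it is loaded.
if (typeof ObjC !== "undefined") {
  console.log(JSON.stringify(startReveal({ Module, ObjC, Process, NULL })));
}
```

Saved as `reveal.js`, it is loaded with `frida -U PineBoard -l reveal.js`.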