Nimble crashes with 'Illegal instruction: 4'

[angelovAlex]

Hi, @meeee. Thank you for the new updates.
So the issue is in the title. I copied nimble binary to /private/var/Keychains on my iPhone, changed permission and got this error 'Illegal instruction: 4'.
What does nimble do? Or where I can find a working version?
Another question is do I have to have device certificate for every device? I already use PushProxy, so can I use a certificate extracted from OS X?
iPhone 6, iOS 8.1.2.

[bored-engineer]

The nimble binary is likely not compiled for arm64. That's my guess

[angelovAlex]

That's my guess too, because it works on my iPad. The question is what is it doing or where I can get a new binary?

[angelovAlex]

Ok, I dumped this certificate using this tool ptoomey3/Keychain-Dumper#13.

[mfrister]

Yep, some ARM architecture issue is also my guess.

It's great to know there's another utility. I'd be happy if you could write down a few sentences about how to use the tool, so I can add the instructions to the README. I think having an open source utility is way better than the binary-only nimble tool (besides working on newer devices).

I'm not sure whether you need a different device certificate for each device, but I suspect using the same certificate for multiple devices might result in problems with message routing as the device certificate is probably used as identification and authentication for the device and thus associated with push tokens used for message routing.

You could try using a certificate from a device that longer uses it:

• Extract the certificate from device A
• Put the extracted certificate into push proxy under the name of device B's certificate's common name
• Force device A to request a new push certificate - delete the push keychain on device A or make pushproxy return a TLS certificate error for that device, e.g. 'peer certificate error' - this should force the device to request a new certificate after a few attempts.

Note that doing that between a Mac and an iOS device might not work as the device certificates contain an X.509 extension that is iOS/OS X-specific.

This might allow you to use the push service via pushproxy on both devices at the same time. I've never tried that, but would be interested in what happens :)

[angelovAlex]

To extract certificate from iOS device you need to download and compile Keychain-Dumper (modified version is here: https://github.com/reinitialized/Keychain-Dumper) and a binary should be signed. There's an instruction of how to sign the binary using self-signed certificate in Keychain-Dumper's README. Upload this binary to device and run it with -k:

./KeychainDumper_signed -k

Find the key where label is APSClientIdentity and copy the key

Key
---
Entitlement Group: com.apple.apsd
Label: APSClientIdentity
Application Label: <XXXX>
Key Class: Private
Permanent Key: True
Key Size: 1024
Effective Key Size: 1024
For Encryption: False
For Decryption: True
For Key Derivation: True
For Signatures: True
For Signature Verification: False
For Key Wrapping: False
For Key Unwrapping: True
-----BEGIN RSA PRIVATE KEY-----
XXXX
-----END RSA PRIVATE KEY-----

Then run this tool with -i and copy certificate

./KeychainDumper_signed -k

Identity
--------
Certificate
-----------
Summary: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX                   //INDENTIFIER ! ! !
Entitlement Group: com.apple.apsd
Label: APSClientIdentity
Serial Number: XXXX
Subject Key ID: XXXX
Subject Key Hash: XXXX
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----

Put key and certificate in one file and rename it to the INDENTIFIER.pem and put this file in certs/device.
I'm not sure if that's enough because connection with my iPhone doesn't look stable and it reconnects periodically.

By the way, I usually get those errors when my server is not available. So instead of thinking that something wrong with your certificates, check if there's any SSL error in pushproxy's output.

apsd[xx]: Failed to evaluate trust: No error. (0), result=5; retrying with revocation checking optional
apsd[xx]: Failed to evaluate trust: No error. (0), result=5; retrying with system roots
apsd[xx]: Failed to evaluate trust: No error. (0), result=5

[mfrister]

Thanks for documenting the steps! I added them to the README.

I'm not sure if that's enough because connection with my iPhone doesn't look stable and it reconnects periodically.

Do you see any error messages either from pushproxy or in the apsd debug log when your iPhone disconnects?

By the way, I usually get those errors when my server is not available. So instead of thinking that something wrong with your certificates, check if there's any SSL error in pushproxy's output.

That's a bit strange, as these errors should only appear when apsd attempts to do a TLS handshake, which it wouldn't without a TCP connection. Is there any way apsd connects to another server with a wrong TLS certificate when your server is not running?

[mfrister]

Closing due to inactivity, please reopen if this is still an issue.