System Log came back from the dead

[Ram4096]

A long time ago some developers complained about an issue for the System Log feature implemented in FLEX. #140

This feature was able to capture all NSLogs. In the referenced issue, we can discover that it was caused by ASL on iOS 10 and newer, replaced by OS Log, so FLEX couldn't capture logs.

Today I have more details about this issue, and a possible solution:

• Using FLEX with the old ASL behavior, FLEX is able to capture NSLogs if the app / tweak where the NSLog is called from is compiled using the iOS 9 SDK. This is because ASL is on the iOS 9 SDK, so FLEX is able to use it also on newer iOS versions.
• Using Fishhook, a powerful code that's able to hook C functions, is possible to capture all NSLogs from any iOS version that fishhook supports (probably it targets the same version of FLEX).

You can test what I said using the following code. For example, I'm using an app compiled using the iOS 13 SDK, but my tweak (so I'm in a jailbroken environment) is compiled using the iOS 9.3 SDK. I restored the old behavior of FLEX (so FLEX will consider ASL again), and I'm able to see the NSLog coded in my tweak.

This is how I've restored the old ASL behavior (but it works only if the tweak/app where NSLog is called is compiled using the iOS 9 SDK, so it's not something related to the system):

%hook FLEXOSLogController
+ (instancetype)withUpdateHandler:(void(^)(NSArray<FLEXSystemLogMessage *> *newMessages))newMessagesHandler {
    return [%c(FLEXASLLogController) performSelector:@selector(withUpdateHandler:) withObject:newMessagesHandler];
}
%end
%hook FLEXOSLogController
- (id)init {
    self = %orig;
    if (self) {
        [self setValue:@(NSProcessInfo.processInfo.processIdentifier) forKey:@"_filterPid"];
        [self setValue:@NO forKey:@"_levelInfo"];
        [self setValue:@NO forKey:@"_subsystemInfo"];
    }
    return self;
}
%end

Note: this code should be used if you use a tweak compiled using the iOS 9 SDK and you would like to see NSLogs directly in FLEX.
Using the ASL behavior, FLEX is able to capture NSLog on iOS 12, if the tweak is compiled using a SDK where ASL worked.

But, seen that we are looking for a general solution that works on any SDK and on a no-jailbroken environment too, we can opt for fishhook (yes, it works on no-jailbroken iOS versions):

#import "fishhook.h"
#import <Foundation/Foundation.h>

static void (*orig_nslog)(NSString *format, ...);
static void replaced_nslog(NSString *format, ...) {
    va_list vl;
    va_start(vl, format);
    NSString* str = [[NSString alloc] initWithFormat:format arguments:vl];
    va_end(vl);
    orig_nslog(str);
    // Here do your operations to save str and [NSDate date] (for example you can create a new string that has [NSDate date] as prefix and "str" as suffix, saving it in a NSMutableArray that you will use as source where the new System Log section reads NSLogs.
}

rebind_symbols((struct rebinding[1]){"NSLog",(void*)replaced_nslog,(void**)&orig_nslog},1);

The rebind_symbols function should be called once. I'm not sure if it works system-wide (for example in the SpringBoard on jailbroken devices), but it works in apps.

Fishhook is amazing, it's maintained from Facebook and updated to support new iOS versions (when it's necessary). The only bad thing is that it might not work when Apple decides to enable Dyld 3.0, but we cannot know until they do that.

At the moment this is the best solution to capture NSLogs using FLEX. Give it a test!

[NSExceptional]

I like this solution! It will be annoying to update fishhook for each new OS each year, but I think I can manage. I will get to this after I finish 4.0.

Thanks again for the detailed issue!

Also, dyld 3 is already in use and if you check that issue it seems it did not affect fishhook

[Ram4096]

Great! Anyway it's not really annoying, because you just need to replace the fishhook.c file when necessary, the code to hook the C function will be always the same.

[NSExceptional]

It's not that simple; I will probably need to namespace all of the symbols with flex_ to avoid collisions in apps that use fishook. I think I can write a script to make the process easier though.

[Ram4096]

A suggestion: when fishhook support will be implemented, it would be amazing to see more details of NSLog.
For example, my idea is: FLEXSystemLogTableViewCell's accessoryType is UITableViewCellAccessoryDisclosureIndicator and, when FLEXSystemLogTableViewCell is tapped, it opens a new controller that gives additional info, for example where NSLog was called from (a framework? the main binary?), who is the caller (when possible) etc..
This and this might be useful to understand my idea. These should be implemented into static void replaced_nslog(NSString *format, ...) and information should be saved to be viewed later in that section.

[NSExceptional]

Not a bad idea! This would have to be something you enable manually though because that could take up a lot of memory.

[NSExceptional]

I've added your fix in the 4.0 branch! Closing this. Thanks again for your help! You are credited in the commit message and in code for telling me it was an SDK feature. I took a different approach — I did some digging and hooked os_log_shim_enabled instead of NSLog itself.