#development
true!
i have the best one
bruh i already have crossover
i see a familiar name on a crossover 22 crack 💀
huh?
@faint stag ?
wtf, gh release download doesn't give any real progress, just a loading spinner thing
Idk why gir is like that, but historically, OS source code is stored in /usr/src
That's how it was on UNIX, and how it is on BSD
Just the OS source code, not other programs
how it work
objective c
lazy dev moment
@gentle crescent stop being lazy
@naive kraken I think it’s possible to extend TrollStore support to newer iOS versions if:
- The fat binary injection bug (Fugu's pwnify) still works, here you can sign TrollHelper with an expired/free certificate, then it should work, because the patched CoreTrust just checks if CA=Apple
- Free dev cert entitlement check is not performed for app registered as system, then you can make it sign apps like AltStore does but installed as system
nah you need the CT bug for anything to actually work and that's patched
and the slice thing is patched too in 15.6ish
The slice thing basically accepts other slices blindly if they had the same team id
I thought of it some more and can tell you why it doesn't work, you don't get app store fast path using free / dev certs so it goes to amfid and amfid says no
Oh alright
Congrats to our newest discord mod, @gleaming niche!
@gleaming niche congrats bro
How about enterprise 
I have quite a few of those
trolley
yeah github servers dont send content length header
does sf symbols have these icons?
or does anyone know another source to get them from
would love it in an svg format
red - multiply.circle.fill
yellow - minus.circle.fill
idk if theyre the actual ones, but they're close enough

thanks but I already got those two, just looking for the green one
true but I literally don't have any graphic skills lol
https://icons8.com/icon/120592/macos-full-screen
https://icons8.com/icon/ax1bgiDcaPxK/macos-full-screen
i found these two but they are the wrong way and have filling :/
rotate 90 degrees
who are you people
you’re in the wrong channel
yh known each other since 2020
sorry. i love ur cover photo tho
yeah your mother
LMAO what
lmao what?
i say i like ur cover photo
u say my mum?
bruh
yeah i said that
Hack
bro what
okay @restive ether as u wish
hm
I LOVE IKEA
i love meatballs
schizo posting is only allowed after 5pm
their gravy is smt else
5-7
k
cats are cool
cats can kill snakes
my cat went missing 4 weeks ago 💀
💀
sorry ill give it back
bro just dashed for some reason
<- the reason
LOL
@muted whale
@steep garden who is this?
is that zack?
u know zack too?
yall still friends?
same
why
freaky guy
@waxen halo who are you
he said he was jerking off in class hoping his crush catches him
whar
we dont know each other
:(
lets keep this in dms
@weary heath dm
CUZ
THIS IS DEVELOPMENT
NOT THE SHIT ON TQ CHANNEL
@muted whale
rust users when
```rust
macro_rules! event {
    (target: $target:expr, parent: $parent:expr, $lvl:expr, { $($fields:tt)* } ) => { ... };
    (target: $target:expr, parent: $parent:expr, $lvl:expr, { $($fields:tt)* }, $($arg:tt)+ ) => { ... };
    (target: $target:expr, parent: $parent:expr, $lvl:expr, $($k:ident).+ = $($fields:tt)* ) => { ... };
    (target: $target:expr, parent: $parent:expr, $lvl:expr, $($arg:tt)+) => { ... };
    (target: $target:expr, $lvl:expr, { $($fields:tt)* } ) => { ... };
    (target: $target:expr, $lvl:expr, { $($fields:tt)* }, $($arg:tt)+ ) => { ... };
    (target: $target:expr, $lvl:expr, $($k:ident).+ = $($fields:tt)* ) => { ... };
    (target: $target:expr, $lvl:expr, $($arg:tt)+ ) => { ... };
    (parent: $parent:expr, $lvl:expr, { $($fields:tt)* }, $($arg:tt)+ ) => { ... };
    (parent: $parent:expr, $lvl:expr, $($k:ident).+ = $($field:tt)*) => { ... };
    (parent: $parent:expr, $lvl:expr, ?$($k:ident).+ = $($field:tt)*) => { ... };
    (parent: $parent:expr, $lvl:expr, %$($k:ident).+ = $($field:tt)*) => { ... };
    (parent: $parent:expr, $lvl:expr, $($k:ident).+, $($field:tt)*) => { ... };
    (parent: $parent:expr, $lvl:expr, %$($k:ident).+, $($field:tt)*) => { ... };
    (parent: $parent:expr, $lvl:expr, ?$($k:ident).+, $($field:tt)*) => { ... };
    (parent: $parent:expr, $lvl:expr, $($arg:tt)+ ) => { ... };
    ( $lvl:expr, { $($fields:tt)* }, $($arg:tt)+ ) => { ... };
    ( $lvl:expr, { $($fields:tt)* }, $($arg:tt)+ ) => { ... };
    ($lvl:expr, $($k:ident).+ = $($field:tt)*) => { ... };
    ($lvl:expr, $($k:ident).+, $($field:tt)*) => { ... };
    ($lvl:expr, ?$($k:ident).+, $($field:tt)*) => { ... };
    ($lvl:expr, %$($k:ident).+, $($field:tt)*) => { ... };
    ($lvl:expr, ?$($k:ident).+) => { ... };
    ($lvl:expr, %$($k:ident).+) => { ... };
    ($lvl:expr, $($k:ident).+) => { ... };
    ( $lvl:expr, $($arg:tt)+ ) => { ... };
}
```
fk that
do you guys think it makes more sense to make a WARN log message when returning a client error from api or just INFO
if its info then it could be hard to separate visually from ok responses, but also its not the server's fault so it might not be warn
whatever im gonna put warn
@grave sparrow listen fucker
@rain falcon happy birthday big man


guys can someone help me i just want to make it so pressing a key runs an SKAction for a macOS app/game
i think im nearly there so its okay
Good morning
Someone can help me to jailbreak my iPhone 11pro please
15.6.1 iOS:( can’t jailbreak
What should I do?
you should first start by reading the server rules and channel descriptions. The next step would be to use this information to re-evaluate your life decisions which led you to this current point.
use my jailbreak
wow
wow
wow
projection
There is no projector here.
You're just jealous I own Lego set #75192 and you don't
@pearl sail shut up
@pearl sail shut up
Rude devs ngl
L
🤓
I'm selling your source code
no I'm getting good money

Can you not read
Do you not know what Lego are?
i think canadians just have logs man
Like Lincoln logs, or just straight up trees
Who knows, we aren't Canadians
W
any macos devs? I have a few design questions
both
Explains how to use the Cocoa defaults system to create and save user preferences.
@zenith hatch @turbid fjord why error: cannot infer contextual base in reference to member 'menu' .pickerStyle(.menu)
3 more hours

do you guys think its more normal for bobashare to bundle the static frontend files inside the binary, or to require the user/deployer to have all the static files in static/ in the working directory when running ot
I think it should stop giving me root access to the server 
You're gonna need to send a picture of the code
It does not give you root access to the server
Sure
@indigo peak hi just woke up
I bet he hasn’t used the modifier in the correct place or something
real
Or not using a Picker at all but I don’t think fiore is that dumb 
@faint timber happy birbday 
Did you find a way to bypass promon? Cause my most important app don’t work anymore
does ubiquitous key value store work on sideloaded apps?
@turbid fjord i think it no workie on sideloaded apps
gm
Probably not due to entitlements would work with troll store tho
Hey @zenith hatch, have a look at this!
You are not entitled to anything. If you think otherwise, please leave.
Yeah sideloaded app don’t have entitlements
bro
what
oh wait
did i mention its xcode installed

👍
That’s different
from the demo I can tell you it's no easy feat but definitely doable, my demo for their current release (at the time of writing) works partially
No intention of releasing it though, just as disclaimer
@indigo peak did you end up making that trollstore location spoofer?
I hope so
The one that just released it literally just stolen and looks to be using the exact same methods as locsim
I wish I had time to work on these things but I have like no time anymore
@faint timber happy birthday
I tried remaking relocateme
like I took the code from GitHub, made it a theos project and am trying to make it work
but I can’t compile
for some reason
.
my main issue with my app was trying to get the MKMapView to load with the proper entitlements
since the map doesn’t actually render if you use the unsandbox entitlements for some weird reason
this new app just makes you open the maps app

that works ig
with entitlement^
without^
but without, the spoof doesn’t work
but with, the spoof works, but the map doesn’t load

I was contemplating just making my own custom class
is it a blatant rip off

damn rip because my most important app uses this
@turbid fjord @zenith hatch
```swift
HStack {
    TextField("Speed", text: $input.value)
        .padding()
        .keyboardType(.decimalPad)
    Picker(selectedUnit, selection: $selectedUnit) {
        ForEach(measures, id: \.self) {
            Text($0)
        }
    }
    .pickerStyle(.menu)
}
```
cannot infer contextual base in reference to member 'menu'
you’re using an old version of swiftui
im using what was there when i downloaded theos
replace .menu
with
MenuPickerStyle()
hope that helps 👍
theres another one too
whats the other one
cannot infer contextual base in reference to member 'circular'
ProgressView().scaleEffect(1.0, anchor: .center).progressViewStyle(.circular)
cannot infer contextual base in reference to member 'body'
.font(.body.bold())
value of type 'FileHandle' has no member 'readToEnd'
let data = try? pipe.fileHandleForReading.readToEnd()
.menu is literally how you're meant to do it
Learn Swift coding for iOS with these free tutorials
Define “old” SwiftUI
use CircularProgressViewStyle() instead
idk i’m not a nerd who remembers versions of swiftui
does it look like i remember which ones did what 
@zenith hatch just this now
value of type 'FileHandle' has no member 'readToEnd'
let data = try? pipe.fileHandleForReading.readToEnd()
idk whats up w it tho
@zenith hatch
cannot infer contextual base in reference to member 'body'
.font(.body.bold())
you really gotta update your shit
on god
this is now the limit of my old swiftui knowledge idk how to fix this
cannot infer contextual base in reference to member 'title2'
.font(.title2.bold())
im targeting ios 14
oh
try prepending Font
aka Font.title2.bold()
swiftui is annoying they make it hard to access the uikit objects behind a swiftui view
gl
what exactly are you doing
it should be fine for 14.0
reading a file?
yes
just use data initialiser
let data = Data(contentsOf: “filepath”) or something
it might be throwing
idk i forgor
@zenith hatch we good
==> Compiling AppDelegate.swift (arm64)…
==> Compiling Utils/Extensions.swift (arm64e)…
==> Compiling AppDelegate.swift (arm64e)…
==> Compiling Utils/Extensions.swift (arm64)…
==> Compiling Utils/OnlyNumbers.swift (arm64)…
==> Compiling RootViewController.swift (arm64)…
==> Compiling Utils/CleanUp.swift (arm64)…
==> Compiling Utils/CleanUp.swift (arm64e)…
==> Compiling RootViewController.swift (arm64e)…
==> Compiling ContentView.swift (arm64e)…
==> Compiling ContentView.swift (arm64)…
==> Compiling Utils/LocationManagement.swift (arm64)…
==> Compiling Utils/OnlyNumbers.swift (arm64e)…
==> Compiling Utils/ImageLoader.swift (arm64)…
==> Compiling Utils/RoutePlotting.swift (arm64)…
==> Compiling Utils/SearchService.swift (arm64)…
==> Compiling Utils/Environment.swift (arm64)…
==> Compiling Utils/LocationManagement.swift (arm64e)…
==> Compiling Utils/ImageLoader.swift (arm64e)…
==> Compiling Utils/Environment.swift (arm64e)…
==> Compiling Utils/SearchService.swift (arm64e)…
==> Compiling Utils/Spoof.swift (arm64)…
==> Compiling Utils/RoutePlotting.swift (arm64e)…
==> Compiling Utils/Helpers.swift (arm64)…
==> Compiling Utils/Helpers.swift (arm64e)…
==> Compiling Utils/Constants.swift (arm64)…
==> Compiling Utils/Spoof.swift (arm64e)…
==> Compiling Utils/Constants.swift (arm64e)…
==> Compiling Views/License.swift (arm64)…
==> Compiling Views/License.swift (arm64e)…
==> Compiling Views/Buttons.swift (arm64e)…
==> Compiling Views/MapView.swift (arm64e)…
==> Compiling Views/CardView.swift (arm64e)…
==> Compiling Views/EmulateRouteSheet.swift (arm64e)…
==> Compiling Views/Buttons.swift (arm64)…
==> Compiling Views/AddressLookup.swift (arm64e)…
==> Compiling Views/EmulateRouteSheet.swift (arm64)…
==> Compiling Views/TrackView.swift (arm64e)…
==> Compiling Views/CardView.swift (arm64)…
==> Compiling Views/AddressLookup.swift (arm64)…
==> Compiling Views/About.swift (arm64e)…
==> Compiling Views/ActionsView.swift (arm64e)…
==> Compiling Views/MapView.swift (arm64)…
==> Compiling UIKit/MapViewController.swift (arm64e)…
==> Compiling Views/ActionsView.swift (arm64)…
==> Compiling UIKit/MapViewController.swift (arm64)…
==> Compiling Views/TrackView.swift (arm64)…
==> Compiling Views/About.swift (arm64)…
no more errors
nw
worries*
i read that as no welcome
oh
Lol
wtf is this
is this what i just helped you with
yes
can i join
trying to get it to work on iOS 15 w trollstore
rip
true
15.1.1 iPhone 13 
L
If I find time this week I’ll see if I can get my 7 back to life
my 6s is fucked
@snow python i think i fixed it
yep it works
i got the mapview + spoofing to work
if you want to know how i can dm it to you
so its not public, since i know you want to keep the entitlements private off github
@elder scaffold do you have the asm for rd=disk0s1s8 still
it is easy
ldr x5, =bootargs_str_base
ldr x6, =0x4141414141414141
str x6, [x5]
ldr x6, =0x4242424242424242
str x6, [x5, #8]
ldr x6, =0x4343434343434343
str x6, [x5, #16]
...
write 8 bytes each 
ok so the start of it would be this
643d6472
which is d=dr
rd=d
reversed
right
weird assembly
.set boot1, 0x643d6472
.set boot2, 0x306b7369
.set boot3, 0x38733173
actually its this
.set boot1, 0x643d6472
.set boot2, 0x306b7369
.set boot3, 0x38733173
most likely
@elder scaffold i got rid of -v and did this, hows this look
/* t8015_shellcode_arm64.S
*
* original author: axi0mX
*
* This program is free software: you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, either version 3 of
* the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
.text
.pool
.set JUMP_BACK, 0x180018004
.set WRITE_ADDR_1, 0x180030ad0 // rsa check
.set WRITE_ADDR_2, 0x180030b18 // rsa check
.set WRITE_ADDR_3, 0x180033e14 // bootargs
.set WRITE_ADDR_4, 0x18004d520 // bootargs str
.set WRITE_ADDR_5, 0x1800949f4 // kernelcache str
.set WRITE_ADDR_6, 0x18003289c // debug
.set WRITE_VALUE_3, 0x100cb878 // insn
.set WRITE_VALUE_4, 0x643d6472 // "rd=d"
.set boot2, 0x306b7369 // "isk0"
.set boot3, 0x38733173 // "s1s8"
.set WRITE_VALUE_5, 0x64686361 // kernelc[achd]
.set MOV_X0_0, 0xd2800000
.set MOV_X0_1, 0xd2800020
.globl _main
_main:
MSR DAIFSET, #0xF
LDR W6, =MOV_X0_0
LDR X5, =WRITE_ADDR_1
STR W6, [X5]
LDR X5, =WRITE_ADDR_2
STR W6, [X5]
LDR X5, =WRITE_ADDR_3
LDR W6, =WRITE_VALUE_3
STR W6, [X5]
LDR X5, =WRITE_ADDR_4
LDR W6, =WRITE_VALUE_4
STR W6, [X5]
LDR W6, =boot2
str W6, [X5, #8]
LDR W6, =boot3
str W6, [X5, #16]
LDR X5, =WRITE_ADDR_5
LDR W6, =WRITE_VALUE_5
STR W6, [X5]
LDR X5, =WRITE_ADDR_6
LDR W6, =MOV_X0_1
STR W6, [X5]
LDR X5, =JUMP_BACK
BR X5
y
xcrun -sdk iphoneos clang src.s -target arm64-apple-darwin -Wall -o out.o
gobjcopy -O binary -j out.o out.bin
I forgot it
@steady nest do u know
only thing i couldn't get to work is the forcestop function
i had to comment that section out
DM me, I think I have a fix for forcestop
__TEXT missing after -j iirc
since you don't want macports or brew, for whatever reason, try finding a tool that'll extract you only the __TEXT segment from the mach-o
that's what you're looking for
i dont want to use it because this:
I understand, it's slow
gobjcopy is also a part of binutils
yeah im currently cloning that
@elder scaffold its just hanging on the logo
thats so weird
it eventually reboots
it just refuses
ok i got it to boot
idk if it rooted off of disk0s1s8 until i check tho
didnt root off of disk0s1s8
um
look closely, yours is a 4 byte write, so you need to increase the offset by 4 bytes each
nice
When linking in rust takes almost 2 minutes
@snow python you compile relocateme on a mac, right?
thats how you can call proc_pidpath?
Yes
@elder scaffold also quick question
why does 15.4.1 when i try ur bootkit it drops into recovery
i changed the bootargs str offset to the correct one
like white lines then it goes off and then into recovery
the kernelcache offset might not be right but it still should work right
i commented it out
And when it’s commented out it just boots normally
Average Nathan moment 
@faint timber HAPPY BIRTHDAY!!!!!!!!
🎉
Happy Birthday @faint timber
Dude
I’m trying here lol
I have the offsets right
No development for me today
no bobashare
guys, where's the nsfw
It should work why that happen please help
hi
copy the stock kc and rewrite the string in iboot (kernelcache -> kernelcachd). It should boot so iboot patch is probably fine.
It does the same thing tho when I remove the kernelcache patch
Well it boots like regularly without the patch but why didn't it like verbose or something
Shouldnt it verbose then panic with regular kernel
eta wen jazzy dev
Like but shouldn't it go and boot the regular kcache if i remove the kernel string patch
It just reboots into normal iboot and boots normally if i comment that patch out
Instead, copy the stock kernel to that path and try again
Yeah thats what im about to try
Still goes to recovery

It doesn't even say the kernelcache image is invalid
Maybe i forgot to sign with apticket.der, idk
@elder scaffold do u mind checking if kernelcache str offset is same for 15.4.1 and 15.7
I don't have one for 15.4.1 so I don't know...
ah, just check with iboot64patcher. You can do it too!
It doesnt give me kernelcache str offset tho
The rest i checked with iBoot64Patcher
How do you get the kernelcache str offset
hopper
I check all of then
Them
The rest is right
Im just not sure about the kcache str offset
@elder scaffold is the kernelcache string just kernelcache
Like nothing else
.text
.pool
.set JUMP_BACK, 0x180018004
.set WRITE_ADDR_1, 0x180030ad0 // rsa check
.set WRITE_ADDR_2, 0x180030b18 // rsa check
.set WRITE_ADDR_6, 0x18003289c // debug
.set MOV_X0_0, 0xd2800000
.set MOV_X0_1, 0xd2800020
.globl _main
_main:
MSR DAIFSET, #0xF
LDR W6, =MOV_X0_0
LDR X5, =WRITE_ADDR_1
STR W6, [X5]
LDR X5, =WRITE_ADDR_2
STR W6, [X5]
LDR X5, =WRITE_ADDR_6
LDR W6, =MOV_X0_1
STR W6, [X5]
LDR X5, =JUMP_BACK
BR X5
does this work?
help maybe
Ill try this when i get home (3PM est)
We love interface builder
How come you do 3 rsa patches
I mean two
Wait I forgot there’s two codepaths in callback
But can’t we just patch the line after where callback is called
I think this is generated by iBoot64Patcher
Ok then I’ll change it
i hate that storyboards are made of xml
I hate that storyboards *
not in the mood for this kind of shit right now
nvm it was something remarkably stupid
what was it
trying to import an objc module in a .c file
its just been one of those days honestly
my brain is fried
I need copious amounts of ice cream I cannot lie
real
@elder scaffold yeah its the kernelcache str
drops into recovery
also how what do i put in to analyze iboot in hopper
@elder scaffold are you able to get kernelcache str addr for 15.4.1 iboot
for the iPhone X
@tepid olive will you shut up
That's called assembly
insn is different too
i cant even find the addr for the one thats in 15.7 iboot
i feel like im doing something wrong when putting iboot into hopper
oh wow i actually did it
i found the offset
why I have to do it already exist 15.7 one.
Just find it from 15.7 and apply it to 15.4.1. For the same major version, it shouldn't be much different.
i know but like
i jump to 0x1800949f4 in hopper
and it jumps to
0x1800949e2
how can i get the exact address
does this look right to you
nvm hex editor view works
also i know why it booted into recovery
it was overwriting root_hash.img4
it still recovery, why is thatttt
yeah idk why
i know i have the right offset
0x1800949b4
15.4.1 and it still goes to recovery
this is what i have so far
what is kernelc[achd]
replaces kernelcache string with kernelcachd
basically to boot off of a different kernel
is the kernel valid, compressed, and img4 krnl
does ios reboot into recovery if it isnt
iOS will boot recovery if you are coming from dfu, it will never try to load local kernel from dfu
but this recovery is a reboot>normal recovery
how is normal recovery gonna load an invalid rsa kernel
no like what i meant is with those patches thats what happens
instead of switching kernel's and rd, verify rsa and bootargs patch work to begin with
hm maybe i did fuck up kernelcachd
This is based on the iPhone X verbose boot demo axi0mX did on ipwndfu.
Remote booting somehow caused some weird bugs that were a pain to fix, so I decided to load the modified kernel with local boot.
assuming those bugs were
camera didnt work
screen recording didnt work
@elder scaffold what exactly does insn do
i got kernelcache working but bootargs aren't working
i noticed its diff on 16.1
how do i get it
iboot64patcher
i dont think it gives that
@faint timber do you know
Why don’t you just use my patcher for every single patch like Dora already told you
Start fresh
The only custom patches you need are rd and kernel cache str
The rest you get from patched
i patch iboot with iboot64patcher
it never mentions this
and the bootargs patch is different
a little bit
Yes it needs to be the patcher one
and i changed it
it matches the patcher
look
all of these match 15.4.1 iboot X iboot64patcher
but bootargs dont work
What’s write value 3
insn!!
no
what is it
yes
then why is bootargs string wrong?
where did you get bootargs str addr
from iboot64patcher
wher does it print it
because i look
not there
even with 15.7
so idk where dora got it
@faint timber i left it as this
because i dont know where to get it from iboot64patcher doesnt print it
can you skim through this then
i did
it booted fine but no verbose
i check boot-args with ideviceinfo and its empty
then you deleted a patch or its not patching
ugh
here anyways
i have big feeling its insn
its different for 16.1 one so its probably different from 15.7 to 15.4.1
15.4.1 is the same as 15.0
prefs:root=General to go to general
(this is something you'd use in shortcuts or app code, doesn't work in safari lol)
Cries in WPF
@upbeat wyvern sorry ping,
I ran substitute v2.3.1 on a real device with ios 16 (checkm8 based) and the system crashed after running /etc/rc.d/substitute-launcher. Injection was working fine on ios 15.
Do you know any reason or have an idea...?
Hmm 16.0.3 should be able to work but maybe you need some patch you’re missing? It changed mach_msg to need mach_msg2 also, not sure if substitute is using that yet on that build
I need to make an asm version of it really which I have not done
so Is it about what is being referred to here?
https://saaramar.github.io/ios16_restricted_iouserclients/
average hopper user
would probably suggest asking on the hack diff discord as there are far more people there who screw with dyld stuff at runtime
iirc there are a couple of people working on the same thing or something similar rn
good morning "developers"
@grave sparrow it should load the other first unless it has unresolvable dep chain, otherwise you can use dlsym rather than weak linking
Like a circular dep chain
Didn't someone break their M1 recently due to some dyld issue in there?
ah yes apple silicon needing another mac to restore because they're setup like mobile devices 💀
Right - dlopen with RTLD_NOLOAD and dlsym can do the same thing… still think it’s something with odd dep chains - doesn’t have to be you with a messed up dep chain
its apple silicon after all innit
@silver rampart sorry for bothering you but did you have any time to check lockdown beta 15.2+ compatibility
with my testing, it doesnt work on 15.4.1+
but it does on 15.1
no idea about 15.2-15.3.1
is there a 15.4.1+ jailbreak with tweak injection that doesn't require tether booting research kernels
Probably just disable pmap code page signing
also i dont have a device on 15/16
Use qemu or corellium
i would imagine passcode works on corellium
https://github.com/kritanta-ios-tweaks/lockdown it is a very simple tweak and shouldn't require much work to fix
Ping me and nebula if u fix it
i dont intend on it
unless there is a way for me to jailbreak a device that wont soft brick it later
how do i get a list of all installed apps using trollstore
if you have an X you can use t8015-bootkit
it’s meant for 15.7
that only verbose boots
https://github.com/dora2-iOS/t8015_bootkit/blob/main/d22/19H12/t8015_shellcode_arm64.S the shellcode only verbose boots? 
boots kernelcachd, you can apply patches to that
assuming this line
.set WRITE_VALUE_5, 0x64686361 // kernelc[achd]
you put it in the folder where kernelcache is
you just sign it with apticket.der and apply your kc.bpatch
the fuck is a kc.bpatch
hex diff file generated with kerneldiff for patch file with img4
thats what it is

english now
what
img4?
idk thats what the dualboot thing did
i think it was probably because of KPP
why are you patching, generating a diff and applying again 
who is you
i do NOT do this
so like
don’t ask me any questions
you/they/whoever
i don’t have any idea either
doesn’t make sense 💀
it’s like wiping your ass before taking a shit

A tool to create amfi patch diff file between two kernelcaches to be used with img4lib.
fr wilding
I’m simply confused
Why not just extract payload with img4tool, patch and make an img4 again with img4tool
idk
how do you expect me to know? i didn’t do this 
just dropping some hints in hopes you or someone fixes stuff 😅
@lime pivot why cant i do a @main in a swift file when importing WidgetKit in a theos project
```swift
import WidgetKit
import SwiftUI
// ...
@main
struct Fiore: Widget {
    let kind: String = "Fiore"
    var body: some WidgetConfiguration {
        StaticConfiguration(kind: kind, provider: Provider()) { entry in
            FioreEntryView(entry: entry)
        }
        .configurationDisplayName("My Widget")
        .description("This is an example widget.")
    }
}
// ...
```
```
@main
^
fiore.swift:1:1: note: top-level code defined in this source file
import WidgetKit
```
The lockdown beta seemed a bit broken in 15.7. If set a passcode, authentication will fail even if I enter the correct one.
yep
lol what. it considers the import top level code?
or maybe it just means there’s top level code somewhere in there
is there anything other than the struct and import in there?
are you on the Orion branch?

Yeah I think so
wait did you fakesign /usr/libexec/ksecured
i didn’t
@native dune did that fix it or something
I thought lockdown was only a
tweak
Didnt ship any bins
@native dune try installing it and ldid -s /usr/libexec/ksecured
i can’t try it right now i’m in the car
don’t want to get locked out of my phone lmao
Try it when you get somewhere you can pull ur mac out
Anyone know what to patch out to get the same effect as cs_enforcement_disable=1
No, but in the error log it didn't seem like they reported code signing
Also now I'm on 16.0.3 so I can't check.
Is this source newer or older? Doesnt even seem to set passcode at all and panics
@elder scaffold is it possible to get t8015_bootkit working on t8010
Like is it as easy as changing bootrom offsets and the shellcode or
hmm try instance_SWIFTFLAGS = -parse-as-library
A10 should probably work
Does it need heap repair
this level of developer conversation is beyond my knowledge 👍
```
==> Building Swift support tools…
sh: 1: swift: not found
Failed to build swift-support: command failed: SPM_THEOS_BUILD=1 swift build -c release --package-path /home/fiore/theos/vendor/swift-support --build-path /home/fiore/theos/vendor/swift-support/.theos_build
make[2]: *** [/home/fiore/theos/makefiles/instance/rules.mk:197: internal-WidgetTest-swift-support] Error 2
make[1]: *** [/home/fiore/theos/makefiles/instance/rules.mk:62: before-WidgetTest-all] Error 2
make: *** [/home/fiore/theos/makefiles/master/rules.mk:162: WidgetTest.all.application.variables] Error 2
```
@nimble parcel
yes i do
i did this without being on the orion branch
and it compiled
you need an Orion-compatible swift toolchain if you’re on that branch — you can get mine from https://github.com/kabiroberai/swift-toolchain-linux/releases
always tbh

fwiw the Orion branch correctly passes -parse-as-library when required: https://github.com/theos/theos/commit/744106f46741489a17088ec4b8eb63aebb3863df
imagine using objective c
@hasty ruin iCraze
ello
i am joe
nice
someone managed to do a offset finder for the framebuffer for a specific version ? i can't find it using hopper :/ not enough informations/skills
20$ bounty
😅
we have the skills but this is for education not business
this is for my personal education too
i've already done some "basic" tweaks but wanted to play with the kernel and in this case the framebuffer
heyho,
there is this tweak legizmo that lets you sync your newer watch os to an older ios. problem is that new features dont get sync‘d because the watch app does not support it.
does anyone think its possible to make a gateway through a watch app that collects the data and sends it to an ios app that writes to health?
could that work?
@faint timber hey, is it possible to get cs_enforcement_disable working on a release kernel? it says this, but still is enabled
is there stuff i need to patch
yes 
should i just replace my current toolchain w this?
Yes
@tepid olive hi do you know what kernel slide is
offset or something
oke
😢
use the bootarg idiot
says this but no difference made
yah its telling you its disabled
still cant run any programs with no signature
how can i get the old code signature format to run on newer ios (15.1+)
what patch do i need for that
- how tf would I know
- just resign loser
whole entire bootstrap though aaaa
actually no just procursus repo
you do realize you can match by mach-o
no i said that wrong
i meant stuff on procursus repo, annoying to have to either
resign postinst/etc... or straight up just use a modified deb
this is the exact reason there are cfver sorted dists
is there such thing on procursus though
nio
aig maybe
what
doesn't know how apt works
wait yeah
I'm saying for procursus 15, you need to use the 15 cfver dist on apt
i know now
you are saying you know the DER ent disable kernel patch?
What matters is the version of ldid used to sign it
bro
there is a DER encoded signed bootstrap somewhere
just use that
and don't use the repo
and you're fine
i compiled mine with latest stuff
but
im just tired of signing shit over and over
yk
It’s automatic genius
I need the 🔥 kernel slide offset 🔥 for 15.4.1 A10X
Same but I forgot what a kernel was
Is it popcorn for iPhone?

there’s no debs
ik
chad debian user
yes
oh yes please
I'll merge it... uh at some point
was there any reason I didn't merge the safari template
no
I was pretty sure it's working?
ok I'll merge it then
yeah Lillie tested it for me and it seemed all good
should i make the swiftui template do the same thing as the other applications
like the date table view thing
was tricky for me to test cause I couldn't figure out a sideload tool with working appex signing
yeah
okay, off i go
im calling it application_swiftui
since theres like, no better name
that's basically the name it should have
@lime pivot
based
Yeah the safari extension template worked perfectly.
I can’t test any new templates though cause Orion is broken on Wsl 2 right now and am waiting on a response back from Kabir still
rip
im specifying ARCHS = arm64 arm64e in the makefile since theres no reason to compile for armv7 since swiftui is iOS>13.0
no need, Theos will figure that out from TARGET
yep
anything that isn't injecting into system processes doesn't need to be arm64e pretty much
not sure why apple isnt deploying them on the app store yet because its free security
i should still edit the Resources/Info.plist file right tho
well, 1-4% overhead per process
all instances of:
armv7 -> arm64
7.0 -> 13.0
who knows what the hell apple is doing with arm64e
"free"
bc im not sure exactly what everything in the makefile is
and if its all required for swiftui
so like
they said it'd be made public "soon" like 4 years ago now
they almost be sounding like intel
"its coming soon guys we promise"
it's semi-stable for kexts on apple silicon Macs
and it seems somewhat forwards compatible, after they made that breaking change that made life fun for us
for now
14 might be more reasonable yeah
but the code that i copied over to test doesnt even work on 13
since @main doesnt exist
wow
import SwiftUI
@main
struct RootViewController: App {
    var body: some Scene {
        WindowGroup {
            ContentView()
        }
    }
}
all of that
doesn't work on 13
also, do i even need to link any frameworks in the makefile
ios 13 swiftui more like instant death
even mainline swiftui is rocky
apple rewriting the most essential app in swiftUI for ventura
and bootloops 
@lime pivot sorry for all the pings
UILaunchImages is deprecated after ios 13.0, should i remove the array from the plist?
no need to be sorry
how does a clean SwiftUI Xcode project do launch screens?
is it still a storyboard?
hmm
by default theres nothing
at least for me on xcode 13.4.1
Launch Screen is the first interaction that users see when using our apps. That's why investing time in making our app launch screens feel responsive and visually appealing is important. We are playing with the perceived time and it can be a great first impression.
presumably handled by the swiftUI runtime internally
@lime pivot i think this is how the "final" Info.plist will look
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleExecutable</key>
    <string>swiftuitest</string>
    <key>CFBundleIcons</key>
    <dict>
        <key>CFBundlePrimaryIcon</key>
        <dict>
            <key>CFBundleIconFiles</key>
            <array>
                <string>AppIcon29x29</string>
                <string>AppIcon40x40</string>
                <string>AppIcon57x57</string>
                <string>AppIcon60x60</string>
            </array>
            <key>UIPrerenderedIcon</key>
            <true/>
        </dict>
    </dict>
    <key>CFBundleIcons~ipad</key>
    <dict>
        <key>CFBundlePrimaryIcon</key>
        <dict>
            <key>CFBundleIconFiles</key>
            <array>
                <string>AppIcon29x29</string>
                <string>AppIcon40x40</string>
                <string>AppIcon57x57</string>
                <string>AppIcon60x60</string>
                <string>AppIcon50x50</string>
                <string>AppIcon72x72</string>
                <string>AppIcon76x76</string>
            </array>
            <key>UIPrerenderedIcon</key>
            <true/>
        </dict>
    </dict>
    <key>CFBundleIdentifier</key>
    <string>PACKAGE_IDENTIFIER</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleSupportedPlatforms</key>
    <array>
        <string>iPhoneOS</string>
    </array>
    <key>CFBundleVersion</key>
    <string>1.0</string>
    <key>LSRequiresIPhoneOS</key>
    <true/>
    <key>UIDeviceFamily</key>
    <array>
        <integer>1</integer>
        <integer>2</integer>
    </array>
    <key>UIRequiredDeviceCapabilities</key>
    <array>
        <string>arm64</string>
    </array>
    <key>UILaunchImageFile</key>
    <string>LaunchImage</string>
    <key>UILaunchScreen</key>
    <dict>
        <key>UIColorName</key>
        <string>LaunchColor</string>
        <key>UIImageRespectsSafeAreaInsets</key>
        <true/>
    </dict>
    <key>UISupportedInterfaceOrientations</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
        <string>UIInterfaceOrientationLandscapeLeft</string>
        <string>UIInterfaceOrientationLandscapeRight</string>
    </array>
    <key>UISupportedInterfaceOrientations~ipad</key>
    <array>
        <string>UIInterfaceOrientationPortrait</string>
        <string>UIInterfaceOrientationPortraitUpsideDown</string>
        <string>UIInterfaceOrientationLandscapeLeft</string>
        <string>UIInterfaceOrientationLandscapeRight</string>
    </array>
</dict>
</plist>
i wonder if i would be able to remove certain appicon*.png files
so i removed:
AppIcon50x50*
AppIcon57x57*
bc i was looking at an app like relocateme and there was no app icon for either of those
so im just assuming they arent needed
i also removed all the LaunchImage files since the key for them was deprecated
im also not sure if i should link any frameworks in the makefile
ahhh right you can use an asset color now
bc the default is project_FRAMEWORKS = UIKit CoreGraphics, im not sure if i should still link those, or just link SwiftUI if i need to, or if i need to link just CoreGraphics
idk
ah
okay
TARGET = iphone:clang:latest:14.0
INSTALL_TARGET_PROCESSES = swiftuitest
include $(THEOS)/makefiles/common.mk
APPLICATION_NAME = swiftuitest
swiftuitest_FILES = AppDelegate.swift ContentView.swift
include $(THEOS_MAKE_PATH)/application.mk
got that now
im gonna finish this tm
too lazy now
gm cam
I should finish QuickActions 2...
you should!
I added phone calls to quickactions
the issue is I have to figure out how to get that incorporated into the settings UI
and then do all the other things I wanted to do
which I can't remember right now...
I also have no jailbroken devices to actually test stuff on...
QuickActions 2 TODO:
[x]. Phone Calls
[ ]. "make the app buttons open with a single tap and not a long tap/force touch"
[ ]. ~~activator support~~
[ ]. CC connectivity module buttons
[ ]. Shazam action
[ ]. Siri Shortcut
there are other things, but those are the ones that I remember
cameron making #development his personal todo list moment
why not, nobody uses #development anyways
cause nobody has a jailbreak
but we do
I can't even work on QuickActions 2 cause I don't have a jailbreak
I mean not a recent one but we do
my only device is 6s on 15.1
my other device is Xr on 16
WAIT!
simject
I have a macbook
I forgot about my macbook
I am reading the activator docs
and I am so confused
who tf wrote these
@lime pivot Is it possible to merge Kabir's isPlatformOSVersionAtLeast fix in the orion branch of theos into master branch for Kabir's toolchain? #811494949849661490 message
the whole orion branch thing is a mess 
I'll work something out
Well not the entire branch but the fix for just that one thing?
(I know the orion branch is broken, lol, discovered that the hard way)
yeah, true, if it doesn't end up too messy I can cherry pick that and see what else I can merge at the same time
Thank you 
could you remind me of what exactly the issue that you're facing is? It'd be great if you could file a GH issue if you haven't already
oh was it the connect() thing
tbh it's 99% production-ready now – the only bit that's kinda buggy rn is the custom jobserver stuff that I'm using to coordinate parallel swiftc output (which ties into the connect() issue Lillie is seeing)
oh I don't at all mean your work is bad, I mean main has had commits since orion branch that will make merging lots of fun
right, it's definitely been a challenge to keep up with upstream commits – though atm the branch is actually at a point where the only missing commits are theosbot submodule updates
unfortunately those are also the most annoying to deal with because I'm using orion-specific branches in the submodules too, so those need to be dealt with recursively in a bottom-up manner
we should merge those first of course


@misty cradle odds of me finding aj1’s at an outlet mall?
u could find the j1 taxi’s if there’s a Nike outlet store
Can someone check this out, this would be great
https://reddit.com/r/jailbreak/comments/y5pz8b/request_add_follows_you_label_to_instagram/
no


