#development
Ye still same issue, no clue what I am doing wrong now tbh
make works but not nic.pl
where is nic.pl located

you should put the required headers on the repo so people can actually compile it 
Learn objc
real
so I’ve got a weird issue
if I animate in the Home Screen before unlocking (but after authenticating) the device
widgets don’t show up
i suspect this is an edge case that apple had no reason to consider
and it’s probably related to suspension
but unfortunately after you unlock the device the widgets don’t show up
until you scroll a page over
any uh
pointers?
```
declaration of 'NSString' must be imported from module 'ObjectiveC.NSObject' before it is required
```
What do I need to fix this?
link Foundation
Thanks
hello sorry if this is a dumb question but i'm trying to install a .ipa file into /var/jb/Applications on xinaA15, are there more steps involved other than extracting the .app from the .ipa file? because the app just crashes on launch when i do that
just tried it on my palera1n device at /Applications and same thing happens. doesnt seem to be a crash report either
anyone tried making a daemon for XinaA15? Do people know if plists at /var/jb/Library/LaunchDaemons are automatically loaded? I'm presuming the jailbreak won't fix up the Program field in the plist to point to /var/jb either so the package will need to fix that up in the postinst or something?
nvm i think it was just the permissions, setting it to 755 fixed it on palera1n but on xina it caused every app to freeze on launch
Does anyone know how I can get started with tweak development?
yep did that
This aged like milk
it became fine cheese
Would it be possible to backport a specific framework (AVFCore.framework) from iOS 15 to iOS 14?
ah alright, so no easy/automated way
cranehelperd runs fine for what it's worth
although I had to insert some jbd calling code to get platformization
(I'm unsure about /var/jb, I added that but I think it worked without it before)
oh interesting
I think I'll need to test things out for myself tbh
where did you find information about the jbd platformization code?
from xinas dms
```objc
#import <Foundation/Foundation.h>
#import <xpc/xpc.h>
#import <dispatch/dispatch.h>
#import <unistd.h>

// Shared connection to jailbreakd; NULL until open_xpc_client() succeeds.
static xpc_connection_t connection = NULL;
// Finalizer from the original project (not included in this message); receives the connection context.
extern void xpcrelease(void *context);

void open_xpc_client()
{
    if (connection == NULL)
    {
        dispatch_queue_t private_queue = dispatch_queue_create("org.xina.jailbreakd.client", DISPATCH_QUEUE_CONCURRENT);
        connection = xpc_connection_create_mach_service("jailbreakd", private_queue, 0);
        if (!connection) {
            // NSLog(@"Failed to create XPC connection.");
            return;
        }
        else
        {
            // Store the queue itself as the context. The code as sent stored &private_queue,
            // the address of a stack variable, which is dangling once this function returns.
            xpc_connection_set_context(connection, (__bridge void *)private_queue);
        }
        xpc_connection_set_finalizer_f(connection, xpcrelease);
        xpc_connection_set_event_handler(connection, ^(xpc_object_t event) {
            xpc_type_t type = xpc_get_type(event);
            if (type == XPC_TYPE_ERROR) {
                // connection is gone (jailbreakd exited or the port was invalidated); reopen on next use
                connection = NULL;
                // NSLog(@"Disconnecting and exiting.");
            } else {
                // NSLog(@"Unexpected XPC connection event.");
            }
        });
        xpc_connection_resume(connection);
    }
}

// Ask jailbreakd to fix up (platformize) the calling process.
void xpc_fixProc(void)
{
    open_xpc_client();
    if (connection)
    {
        xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);
        xpc_dictionary_set_uint64(message, "pid", getpid());
        // NSLog(@"send fixOurProc %d", getpid());
        xpc_dictionary_set_bool(message, "fixproc", true);
        xpc_object_t event = xpc_connection_send_message_with_reply_sync(connection, message);
        // jailbreakd answers with ok == 1314 when fixproc succeeded
        if (xpc_dictionary_get_uint64(event, "ok") == 1314)
        {
            // NSLog(@"Received reply: fixproc done");
        }
        else
        {
            // NSLog(@"Received reply: error");
        }
    }
}
```
this is the code I was sent
but keep in mind you also need jailbreakd in com.apple.security.exception.mach-lookup.global-name entitlement for this to work
gotcha, and I don't need to change anything in my launchdaemon plist or where it's stored?
whatcha tryna do?
frcoal tweak development guide
still the best to date
i find it causes the least issues too
shut up

jew man
no
(I mean where it's stored not, but as I said idk if you need to put /var/jb in front of the binary path or not, maybe test it out)
for better or worse, xina does a lot to maintain compatibility with non rootless stuff, heck the bootstrap it uses wasn't even compiled for rootless
What do you do in crane, dynamically swap out the binary path at install-time?
No I just changed it to /var/jb now for testing
but I never actually checked if it works without it
Fair enough, I'm tempted to release a "Cr4shed (Rootless)" tbh
actually I can check if crashedd starts in the current version
Well atm I don't platformize the binary so I doubt it, but you can try
platformization is only needed for some specific stuff
like I do stuff with task ports in cranehelperd so I needed it
seems to start as you can see
might be useful: https://pastebin.com/35HiESYk
xina installs everything into /var/jb as root path but also does a bunch of stuff already to support old packages
but I would still recommend putting all stuff you access in / into rootifyPath or rootifyCPath
Thx opa, how would you like to be credited in a comment with that code?
you don't really need to credit me
I'll just put //thx opa334 lol
this code is free to use tbh, I just want people to use it because it works around an issue where on some old u0 builds /var/jb points to /jb
So if you try to implement this yourself you'd break support for people that still have this symlink
(like I did before I found out about this because luckily my friend had such a device)
If I was implementing this myself I'd do "if (full path in /var/jb exists) choose that else choose the path in /" probably
Finding the root path for the whole jailbreak is nicer tho
yeah that could work too
I think you could just check if what you're looking for exists in / and otherwise append /var/jb
but in the end it doesn't really matter how you do it
Was asked to look at an AirPods Pro issue on iOS 14, microphone doesn’t seem to be working, but works on other devices. So my thought was to replace the glitchy framework with the fixed/updated framework. But since it isn’t easy I’m not gonna continue researching it.
Good luck replacing a framework
yeah it’s not easy. possibly not even possible any more except on check/palerain
i mean, isn't that done already?
i'd assume xinaa15 just has both architectures by default
and if a package does support both, then i'd expect a preinst to move stuff to the right install dir i think
Nope
You expect way too much from xina
wait then i'm confused, if it's just iphoneos-arm then wouldn't apt just not find the architecture in a rootless-only repo
They don't use the rootless
They use the normal repo
no, i mean if you were to add a repo like palera1n's one 
But force everything to run dpkg with --instdir=/var/jb
you are expecting too much out of a guy who didn't ask anyone before doing anything that they did
It would be like if you added that repo to checkra1n
It would say "unsupport architecture" or something like that
didn't need to do anything to have a dangerous and unsafe thing in saily
💀
I must say I'm impressed
This whole thread is ridiculous
Lakr doesn't seem to realize that the point of gui package managers is to baby its users, because they're dumb
the denialism is crazy lol
they don't even seem to understand apt at all
they definitely didn't read docs in full
@lime pivot sorry that you also had to read that man
yeah
but he so made paths of his own for some reason
ooh
when i analyze an app in IDA, i found a sub swift class in a class. but that class is not in the dumped headers.
e.g: App.Foo.Bar.init(params)
how can i hook that function? i tried to access it with objc_getClass and %hook but it looks like it's not working
One thing you could do is make a posix spawn hook and edit the mach header after spawning suspended
Or custom dyld
Checkra1n already patches dyld
So how did you solve it?
oh i just removed all the yes/no questions
if you’re talking about fi you have to put # /usr/bin/bash at the top
something like that
pointless hate
Pointless hate on saily?
imo yeah, the point outlining if users install incompatible tweaks and it forces to uninstall Essentials upon uninstalling, that's purely a users fault and still shows how some users disregard reading compatibility
the problem is this jailbreak also encourages incompatibility
by actively forcing shit to attempt to work
and ontop of that saily actively allowing it
Opening an issue on saily saying "this software sucks" is a little rude, but warning users about the issues that saily can cause is justified imho
I agree with that but it just feels a little over the top
pure elitism
When is someone going to create a jailbreak that uses aptitude as the default package manager
aptitude-swiftui
someone probably could and get ridden into the ground immediately because of "established methodologies"
get the swift symbol and use c function hooking
extremely rude I’d say
like, don’t ever do that
but otherwise the concerns are reasonable
I need a bashismless shell script to essentially emulate a call to getRootPath https://pastebin.com/35HiESYk and save that in a bash var, if anyone has done something similar already, please let me know, I suck at shell scripts, even more at bashism less ones
@ocean raptor this seems like your field
```bash
export rootPath=""
function getRootPath {
    if [[ -L "/var/jb" ]]; then
        # get symlink target
        destination=$(readlink -f /var/jb)
        if [[ "$destination" != /jb ]] && [[ "$destination" != /jb/ ]]; then
            export rootPath="$destination/"
        fi
    fi
    if [[ "$rootPath" == "" ]]; then
        export rootPath="/"
    fi
    echo $rootPath
}
getRootPath
```
source ./getRootPath.sh
$rootPath holds the rootpath
That's bash dude
He wants POSIX sh
one is bash one is sh
dont be
tone is difficult to interpret on the internet and it was likely not meant to degrade you
what if I just mkdir /var/jb on a rooted device?
it looks for a symlink
ln -s / /var/jb
bruh
can someone send me /Library/Developer/CoreSimulator/Profiles/Runtimes/iOS 14.5.simruntime/Contents/Resources/RuntimeRoot/bin/launchctl
how do i obtain the 14.5 simruntime
gorn.dev
```sh
export rootPath=""
getRootPath() {
    if [ -L "/var/jb" ]; then
        # get symlink target
        destination=$(readlink -f /var/jb)
        # old unc0ver builds point /var/jb at /jb; that is not a rootless root
        if [ "$destination" != "/jb" ]; then
            export rootPath="$destination/"
        fi
    fi
    if [ "$rootPath" = "" ]; then
        export rootPath="/"
    fi
    echo "$rootPath"
}
getRootPath
```
but
readlink is not POSIX
so
i dont get it
what part do you not get
I doubt he knows what POSIX is
oh like the entire thing
shut the fuck up
bash without bashisms is posix sh
yes, but you don't need bash for readlink
Shut up
looks fine, other than not quoting the variable in echo and using function instead of getRootPath ()
yeah, function is a bashism
Run it through shellcheck
👍
what does SUB168() in ghidra decompiler output mean 🥺
SUB168
going to assume that means subroutine
wait really lol
I think I had this issue at one point
Has anyone compiled node higher than v12?
I think procursus has v14
How do I check the iOS version in C?
should I use if (floor(kCFCoreFoundationVersionNumber) >= 1800)
ye cfversion seems best
probably
since you have corefoundation though theres a neat (undocumented) function CFStringRef CFCopySystemVersionString();
returns Version 12.6.1 (Build 21G217) on mac for me
worse really bc private api but if you want a nice display name
i guess you could do what sw_vers does (whatever that is)
Did you find a fix for it?
i joined zebra discord before. but i dont know how to find the branch
thanks!
i try it!
thanks that looks usable
Run it through shellcheck too
https://twitter.com/ios_euphoria/status/1603190356597768192?s=46&t=I2PIXXj0YgBR6GccL6oR9g dmca this fool, tryna sell a gui
the app is 1gb
They said foss

All the braindeads in replies thinking they made the actual jailbreak
Ofc
Is there a way to prevent the substitute injector from injecting into specific processes?
I mean it'd work, as long as it's pointing to /
This should be done as an april fool prank lol
Is there any info on how to connect to SSH on a device running Palera1n?
OpenSSH server is installed with the bootstrap
ssh mobile@deviceip
If you need access before bootstrap install you're going to have to boot an SSH ramdisk
Is it on port 22? I tried to iproxy it and had nothing.
Nope, this is after the bootstrap and I installed OpenSSH.
Open tips or the palera1n app and run do all
22 / 2222
if you're using ssh from an app on the device then use 2222
Thanks all, going to give it a try.
@tepid olive do you mind explaining what pieces of ellekit I need on iOS and where to put them? I was abusing substitute's loader before so I don't really know
Is there a good guide for tweak development with swift?
@grave sparrow is that vm_allocate(mach_task_self(), &addr, round_page(arg1), 0xf0000003)?
I am sorry sir I am developing my own libcolorpicker it will be trash, but it shall be my trash
No I won't add it as a package dep until 6 or 7 months down the road
POV binja user

wtf does "wrong platform to load into process" mean
the issue was that I forgot a 0 💀
only cause ghidra makes weird choices sometimes
cloud.binary.ninja is my backup 
@grave sparrow Mr cbt, please review https://github.com/ProcursusTeam/launchctl/commit/07c225255d3b9d2c5234dfae138ecf169c306705 🙏
README dev reviewing launchctl moment
sure
where are you at now, i suppose you tried it already
so uh
i have managed to break my jailbreak 3 times now
i'm going to do what i've been doing step by step with reboots in between and see where it breaks
aaaaand i clobbered my fs again
ffs
Classic palera1n
i think i'm just skill issuing with rsync
rsync is very easy (I mess up the flags all the time)
i keep clobbering /etc
Just remember, if there is a / at the end of the source path it's copying the contents, if there is no / it's copying the dir
yea i had that from the beginning
-K, --keep-dirlinks treat symlinked dir on receiver as dir
this is prob what i need
ffs it's stalling during boot again
ugh
@timid furnace you need to get rid of substitute
it bootlooped me when i tried to bundle ellekit
my test device just doesn’t work anymore now
this is first boot after restore rootfs 
palera1n when
i am on palera1n 
use doras thing
nvm it does
Lmao
maybe i should just update the 6s to iOS 15
btw do i need to fakesign loader with task_for_pid-allow and platform-application
well for the few seconds i managed to run it an hour ago i got loader: no task for pid access
yes
i will go add signing script
Make sure to put pspawn in the /usr/lib dir and substrate in /usr/local/lib and /usr/lib
Because I forgot to add the iOS path to the launchd hook
smart
i dont forward injection personally
oh i ended up changing the paths bc they were inconsistent
launchd hook had /usr/local/lib, loader had /usr/lib so i just changed both
finally
joe
Just make sure my vm_allocate usage and stuff is good
@tepid olive
```
iPodSE:/etc/rc.d root# ./ellekit-loader
[+] got task 2563
zsh: trace trap ./ellekit-loader
dhinak@Dhinaks-MacBook-Air ellekit % atos -o '/Users/dhinak/Documents/Others/ellekit/build/Release-iphoneos/loader.dSYM' -l 0x1006e8000 0x1006ede9c
main (in loader) (main.swift:68)
```
it dies at
```swift
return UnsafeMutableRawPointer(bitPattern: UInt(page_address))!
```
u probably have the wrong entitlements
it worked for @torn oriole tho
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>get-task-allow</key>
    <true/>
    <key>task_for_pid-allow</key>
    <true/>
    <key>platform-application</key>
    <true/>
    <key>com.apple.private.kernel.get-kext-info</key>
    <true/>
    <key>com.apple.private.security.no-container</key>
    <true/>
    <key>com.apple.security.iokit-user-client-class</key>
    <string>AppleMobileApNonceUserClient</string>
</dict>
</plist>
```
Is there a pspawn.dylib at the path you set
(i stole the dimentio entitlements)
And a libsubstrate in /usr/lib
Bad kpf patches then
Launchd is missing cs debugged
@tepid olive Any idea what causes this?
What ios are they on
15.6 RC
```
[+] got task 4867
[+] loader: about to run alloc func
[-] loader: about to alloc func?
[+] loader: page address before mach_vm_allocate: 0
[+] loader: page address after mach_vm_allocate: 0
[+] loader: finishing alloc func
[+] loader: page address before ret: 0
zsh: trace trap ./ellekit-loader
```
pro debugging
Yeah this is because of CS_DEBUGGED
Semi untethers have this issue, they use kernel rw to change the cs blob
You have to get launchd to enable jit ents
this is clever, but stupid yet i did it anyway
```bash
swVersion=$(sw_vers -productVersion)
rawVersion="${swVersion//./}" # strip decimal | 12.0 --> 120
if [[ ${#rawVersion} -eq 3 ]]; then
    rawVersion="${rawVersion}0" # 121 --> 1210
elif [[ ${#rawVersion} -gt 4 ]]; then
    # keep the first four digits, the rest becomes the fraction: 10.12.6 --> 10126 --> 1012.6
    rawVersion="${rawVersion:0:4}.${rawVersion:4}"
fi
versCheck=$(bc <<<"${rawVersion} < 1210 ") # 1 if older than 12.1.0, else 0
# insert if statement here
```
sort -v
more info? what exactly isn’t working
like the tweak doesnt reflect the changes of the tweak
i tried using both hbprefs and a function written to read the pref file
but it works on other versions of ios?
and neither works
when i made it on 14.3 it worked then
nsuserdefaults never fails that’s all i’m saying 💯
hbprefs is cephei yeah?
yeah
i mean if hbprefs isn’t working and reading the preference file isn’t either it’s likely there’s another underlying issue
😭
id advise checking if the preference file’s contents are actually being changed
i gotta get it loading first 😭
and making sure you are using the same identifier in your preferences and when you’re using hbprefs
keep in mind cfprefsd might cache the changes and not write it to disk instantly to minimize io operations
(depending on how you’re doing it in the preference bundle)
brooo
wtf
I can’t get it to work anymore
shouldnt it automatically ldid
when you do make package install
Classic, fiore not reading
ldid what part of it
brother 😭

Christmas ghost


dont think it is
no wait
it is
im slow
so cephei isnt reading the change
Not necessarily
what else could it be
That's like when people chmod in postinst
what's wrong with that

Just compile the tweak in the postinst
real
how could i use killall on ios 15 but also make it work on 14
```objc
- (void)apply {
    pid_t pid;
    const char *argv[] = {"killall", "MobileSMS", NULL};
    posix_spawn(&pid, rootifyCPath("/usr/bin/killall"), NULL, NULL, (char *const *)argv, NULL);
}
```
isn't working
idk
💀
posix_spawnp
id be surprised if it was a cephei issue
are you sure you’re using hbprefs correctly
you should investigate the 1% possibility then /s
true
ty
it has like a 50/50 chance of working
rootifyCPath(char *path) returns path with the root appended to it
so for a rootless jb it appends /var/jb
and for a regular jb it just appends /
```objc
#import <Foundation/Foundation.h>

// Resolves the jailbreak root once: the target of the /var/jb symlink on rootless,
// "/" on rootful (and on old unc0ver builds where /var/jb merely points at /jb).
NSString* getRootPath(void) {
    static NSString* rootPath = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        NSFileManager* fileManager = [NSFileManager defaultManager];
        NSDictionary* attributes = [fileManager attributesOfItemAtPath:@"/var/jb" error:nil];
        if(attributes) {
            NSString* fileType = attributes[NSFileType];
            if([fileType isEqualToString:NSFileTypeSymbolicLink]) {
                NSString* destination = [fileManager destinationOfSymbolicLinkAtPath:@"/var/jb" error:nil];
                if(![destination isEqualToString:@"/jb"] && ![destination isEqualToString:@"/jb/"]) {
                    rootPath = destination;
                }
            }
        }
        if(!rootPath) {
            rootPath = @"/";
        }
    });
    return rootPath;
}

// Prefixes an absolute path with the jailbreak root.
NSString* rootifyPath(NSString* path) {
    return [getRootPath() stringByAppendingPathComponent:path];
}

// C string variant of rootifyPath; the returned buffer is owned by an autoreleased NSString.
const char* rootifyCPath(const char* cPath) {
    NSString* path = [NSString stringWithUTF8String:cPath];
    return rootifyPath(path).fileSystemRepresentation;
}
```
i knew i shouldve trusted the chinese code
```c
// Replacement for system() that runs a command through posix_spawn
#include <spawn.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;
void run_cmd(char *cmd)
{
    pid_t pid;
    char *argv[] = {"sh", "-c", cmd, NULL};
    int status;
    status = posix_spawn(&pid, "/bin/sh", NULL, NULL, argv, environ);
    if (status == 0)
    {
        // reap the child so the shell does not linger as a zombie
        if (waitpid(pid, &status, 0) == -1)
        {
            perror("waitpid");
        }
    }
}
```
idk tell that to opa
wait
so should i just manually replicate the code for the function
good
old unc0ver thing or something
here
let's just make a plist with the details of the jailbreak
name, version, rootless key if rootless, etc
? Why is dyld acting based off the symlink path? Any sane software will go based off the real path
json
CF 
^
CF is loaded into libSystem nowadays anyway iirc
Based!
Force sbingner to add libiosexec to elu
Ok
Palera1n made /.installed_palera1n a json file 💀
That's so much worse than plist
And how is that an issue?
(iOS has multiple plist parsers: cf, foundation, expat, and xpc, but only one json parser: foundation)
Who tf is scanning the loaded libraries?
I had mistaken foundation using libswift for libSystem using CoreFoundation 💀
Brain fart
Gonna rewrite launchctl in swift
I should rewrite defaults in swift
Or netctl
Speaking of swift
@marble perch please fix shshd, building it is broken with swift 5.7 iirc
I know that building it is broken, I don't know if 5.7 is the reason
I have a better method: Architecture: iphoneos-arm64
Wdym?
Procursus will never distribute a rootless Architecture: iphoneos-arm (this is not armv7 only), so they have no choice
I agree
Procursus 1800+ is rootless only
Tell that to xina
so true
Wrong. There's 1 standard, but it's the dumbest standard ever
And everyone has Stockholm syndrome to daddy saurik
@naive kraken What would be the best way to lookup tweak bundles from a sandboxed app
I have full launchd code exec and code exec to all children
read the plist and the path
maybe this should be done in launchd
yes
i’ll just handoff to launchd
read the plist from there
Isn't that substituted's job?
I don’t want a daemon
no
he’s right i think
substituted looks up the bundles
on old unc0ver builds /var/jb points to /jb and when you don't exclude your code breaks on the devices that have this symlink
and handles safe mode
no clue, caches pages or something
what do I know
Well you seem to know what it doesn't do 
spoiler: it's closed source
substituted is open source?
My question is: how is that legal?
Ok so @tepid olive do you want to know how current hooking frameworks do this or what I would say would be the best solution
idk I think it is
just the part they modify (libsubstitute) is open source
latter
Is libsubstitute not GPL? Does substituted not link libsubstitute?
https://github.com/evelyneee/ellekit/blob/main/injector/injector.swift @ocean raptor wanna rewrite this in C
90 loc
Just parses the bundles
ok so what I would say is: parse the macho in launchd, get all framework identifiers it links against (you can take some code or inspiration from Choicy if you want, it does just this in its pref bundle). Then enumerate through the plists and find matches.
and if no match, don't load anything
and if one or more matches, load your loader
So LGPL, if substituted static links libsubstitute we can ask sbingner to OSS it
ah right
my dylib injects into all processes that link uikit
I have no idea if he uses anything from libsubstitute in substituted though
it definitely does not I think
nothing really links libsubstitute I think
only tweaks do
so loader dylib load tweaks and the tweaks then load substitute
or rather via substrate shim idk
Using xpc or CF?
you can also filter classes, but that's shitty af and basically no1 does it and also impossible to predict
so I would say don't support that
basically the check in the loader dylib is whether NSClassFromString gives something back lol
Add support to filter for any app
or rather objc_getClass
CF
Filtering for UIKit is dumb, since you catch other things that are not apps
yeah but make it optional somehow so that I can both support this and fall back to com.apple.Foundation on other injection frameworks
yes, but filtering UIKit isn't even enough
How can you even find a bundleid for a framework
if you want to truly inject into every app you need to filter Foundation
It's in the code sig
because there is, and I kid you not, some apps that don't link UIKit
do u know how to parse that
Or check the plist
Sadly
I do it by one path back and then parse info.plist I think
lawful neutral
cursed
but idk
pls do it then
No
he's too busy making launchctl 2 sorry
No, I'm far away from my computer
I can make a C dylib loader if you really don't want to do it yourself lol @tepid olive
Where even is substituted?
that code needs some rework tbh
I will do it eventually I just despise CoreFoundation
Ideally I'd only use the stdlib
Is there even a libSystem xml parser
When you make it, don't forget to sort dylibs alphabetically
@ocean raptor you'd know
xpc
really important for deterministic order
you can create an xpc dictionary from a plist
No?
(afaik)
I would love something that doesn't inject anything more into launchd
it definitely uses arc and objc internally
Yeah as I said, parse macho in launchd
you have no other option
Ok&?
that's completely irrelevant
Can you use CFBundleCreate and CFBundleGetIdentifier
i don't wanna dlopen other things
some lib injecting into launchd won't kill you
fair enough
yea
some lib injecting system wide into every process because your system wide injector library links it is way worse
I already gave you the solution
Your injector should be limited to only libSystem (+ its reexports)
honestly you can probably calculate all injecting tweaks for a binary in launchd and pass it to the process via an env variable
then make your loader inject via DYLD_INSERT_LIBRARIES
and then the loader reads that env variable and loads the dylibs
```c
#include <CoreFoundation/CoreFoundation.h>

CFPropertyListRef CreateMyPropertyListFromFile(CFURLRef fileURL) {
    // Read the XML file
    CFDataRef resourceData = NULL;
    SInt32 errorCode;
    Boolean status = CFURLCreateDataAndPropertiesFromResource(
        kCFAllocatorDefault, fileURL, &resourceData,
        NULL, NULL, &errorCode);
    if (!status) {
        // Handle the error: nothing was read, so there is nothing to parse
        return NULL;
    }
    // Reconstitute the dictionary using the XML data
    CFErrorRef myError = NULL;
    CFPropertyListRef propertyList = CFPropertyListCreateWithData(
        kCFAllocatorDefault, resourceData, kCFPropertyListImmutable, NULL, &myError);
    // Handle any errors: myError is only set (and only needs releasing) when parsing failed
    if (myError) {
        CFRelease(myError);
    }
    CFRelease(resourceData);
    return propertyList;
}
```
File to plist in corefoundation idk if you need this but
https://developer.apple.com/library/archive/documentation/CoreFoundation/Conceptual/CFPropertyLists/Articles/Saving.html#//apple_ref/doc/uid/20001175-CJBEHAAG
and in launchd yeah use corefoundation it's not that bad
ty
also you can borrow code from choicy
the code is a bit crap, it can be improved to not do all of that weird swapping
By just making it use OSSwapBigToHostInt32, OSSwapHostToBigInt32, OSSwapLittleToHostInt32, OSSwapHostToLittleInt32
you get the point lol
I just didn't know that back when I wrote it lol
tbh you can probably even get away with using Foundation and objc in launchd
that shouldn't be too bad
https://github.com/opa334/Choicy/blob/0f553a5d5d240d8d85d0be5eeea0c463f6bbead8/Preferences/CHPTweakList.m#L75 this is awesome
i did swift in launchd

no problems really
yeah at that point lol
you can even rewrite my stuff in swift if you want
(I needed to support FreeBSD , Linux, and darwin)
well I only need to support iOS lol
Just keep in mind this Choicy code is very finnicky and basically everything in it is required to make it work properly, I have always needed to add small improvements over the years to make it as good as possible
Bro wrote his own bswap 💀
right now it detects tweaks that filter classes as injecting globally, everything else should be accurate though
Saurik moment (ldid has the same)
only because i needed to make it conditional based on the mach header magic order
(which is stupid and unneeded, I know)
Okay got it to build
the cache parser is not doing well apparently
Does Theos have the iOS 15 SDKS? stupid question and I haven't looked lol
in other words, not yet
reasons are probably obvious though as the build system does need modification for rootless etc
so i'd assume the sdk would be there when and if theos does support rootless completely
no reason for that
Well there's no reason but it would make sense, one for Root and one for Rootless
why does that make sense it's just a path and arch change it's not serious
if it was only that much, it would've been done by now lol
you overestimate the progress and time available to the people who work on it
ellekit
should i just do [rootifyPath(@"/usr/bin/killall") UTF8String]
still didnt work
neither did this
but replacing rootifyCPath w the other call instead
is there a modern libjailbreak-like api
that jbs use
or nah
nothing i'm just curious
@misty cradle
crazy how many mitigations have been made since Meridian
iOS 11/10 was the last time we could patch kernel
Not unc0ver though?
disclaimer: when it comes to development I am not smart at all. my coding experience is in java.
I am attempting to get the Music app from iOS 8.3 running on iOS 10.3.3 on a 5c. These iOS versions lack RadioUI.framework, so I dumped it from the 8.3 dsc using decache. It's a valid binary, but it has no code signature so when iOS attempts to load it, it returns this: /System/Library/PrivateFrameworks/RadioUI.framework/RadioUI: required code signature missing for '/System/Library/PrivateFrameworks/RadioUI.framework/RadioUI'
I'm on an iPhone 5c, I've ripped the music.app and dsc from the 5c 8.3 IPSW
I'm not sure how I would give it a code signature, even if it's invalid and will only work when jailbroken
ok I remembered ldid exists and ran ldid -S /System/Library/PrivateFrameworks/RadioUI.framework/RadioUI and now it doesn't error with a no codesignature issue. It now says /System/Library/PrivateFrameworks/RadioUI.framework/RadioUI: overlapping segments which I think means the binary is invalid?
or is it something I could potentially fix
"I am attempting to get the Music app from iOS 8.3 running on iOS 10.3.3 on a 5c"
It needs RadioUI.framework to run
iOS 10.3.3 doesn't have that
I'm putting my three braincells together to try and make it work but
im not smart
Yeah I know
I've gotten much farther than last time I tried
which was me not knowing why I couldnt find the RadioUI binary in the framework folder.
Yeah
it exists in 9.0 too
Yes
Yeah
It does have Radio.framework though
which I think 8 doesn't?
lemme see
For what
how to find
ah found it
info.plist
install_name_tool go brr
exactly lol
ye
currently on ventura
done that, swapped binary
I probably need to resign the binary
i mean yeah ldid wouldn’t hurt
idk if the app has entitlements but if it does doesn't hurt to keep them too
theres a file Music-Entitlements.plist in the app directory
ldid -M or something if you didn't already strip them
ldid -SMusic-Entitlements.plist cock/Music
no space between S and Music-Ent
Same overlapping segments error
dyld: Library not loaded: /Library/PrivateFrameworks/RadioUI.framework/RadioUI Referenced from: /Applications/Music.app/./Music Reason: no suitable image found. Did find: /Library/PrivateFrameworks/RadioUI.framework/RadioUI: overlapping segments /Library/PrivateFrameworks/RadioUI.framework/RadioUI: overlapping segments Abort trap: 6
yes.
are you sure the binary is actually valid
dsc extractors don't generally create usable binaries
it didn't give errors about malformed mach-o
yeah figures
my best shot was decache using 9.0 since 9.0 has RadioUI and the decache github says `Decache extracts working and completely valid files from an iOS dyld shared cache.*
- Used to...it currently is built for 9.0 armv7s`
Everything else gave errors about malformed mach-o
yeah, same overlapping segments. guess I get to work out how to compile imaon2 and hope that works.
cool
whats the best way to parse a plist file in C
CoreFoundation
or libplist if you need cross-platform support and don’t wanna compile all of CF
Compiling CFLite 💀
any app decrypt tweaks working on Xina15?
TRUE ty capt
TIL xpc_create_from_plist that’s neat
Is private 😔
ugh
BUT THAT DOESNT STOP US
as always
Other interesting private xpc functions:
void xpc_create_from_plist_descriptor(int fd, dispatch_queue_t queue, xpc_handler_t handler);
char *xpc_copy_short_description(xpc_object_t object);
char *xpc_copy_debug_description(xpc_object_t object);
(I don't know what these look like, just that they exist)
short:
debug looks identical to xpc_copy_description 💀
void xpc_dictionary_apply_f(xpc_object_t xdict, void *ctx, xpc_dictionary_applier_f applier);
typedef void (*xpc_dictionary_applier_f)(const char *key, xpc_object_t val, void *ctx);
I mean hey partner servers get like 200MB per file or something
artists using telegram as means to transfer between macs & windows
idk who needs to share 200MB files without using a dedicated file transfer service but hey
(until the cache expires)
everyone who says they don't get deleted doesn't understand how CDNs work 
I don't blame them, it is easy to assume a deleted file hanging around 30 secs after deletion means it'll stay around forever
but it'll expire at some point, idk when exactly
smh
What happened
this assumes that sideloading gamepigeon works to begin with
yeah pretty much
they do delete the object from Google Cloud Storage, but if the link has been accessed at least once then Cloudflare still has a cached copy till it expires
most likely datacentre-specific but I'm not sure to what degree
@grave sparrow just post it in private vc chat lmao
@indigo peak hi i have a question
do you know where iOS's keyboard headers are
trying to make a thing to insert images into text fields
Which one of you devs would like to go insane?
@elihwyma Devs really need to make crash reporter working on XinaA15 so we know what's going on for others
i mean i thought muirey was considering that
Hopefully he has an easier time than I think he will
@grave sparrow ellekit now has no more injector :3
launchd handles the tweaks
btw
your methods for zefram don't work on iOS arm64e
At all
You can’t load a TL1 binary in TL3
trust level 1 = you
trust level 3 = launchd
good luck with PPL bypasses
how are you gonna do that 
cursed
still requires ppl bypasses though
i’ll try to get the exception handler amfid technique going
errr, you sure about these trust levels? lol
it should be
that’s what coolstar put in her presentation iirc
trust level 5 = you
trust level 8 = launchd
what ios is that
15
or actually I think with the CT bug you get trust level 6
trust level 7 is dynamic trust cache
and trust level 8 is static trust cache
6 = app store
palera1n has such shitty patches that it sometimes has it set but sometimes not
5 = dev signed
Is tc 7 or 8 lol
fixed
lol
7 are the binaries in the trust cache that Xcode loads (the one we can modify with PPL bypass)
8 are the ones in static one that's in kernel text
only with PPL bypass
or you need to do extremely hacky stuff to downgrade the trust level of launchd
yes
the problem is the process needs to restart for it to downgrade
yeah but
launchd execs launchd on userspace reboot
and you need to intercept that from another process
to get your dylib injected
PPL bypass is the only way
afaik downgrading should work until 15.1.1
but idk
xina for example also has no dylib in launchd
PPL bypasses are like the only way we can do good jailbreaks for iOS 15+ for A12+
it's the only process he can't hook
so that's also why you have to do ldrestart on xina
and when you do userspace reboot you lose the jailbreak
and sometimes the system does a userspace reboot in the night

like launchd downgrading is the most difficult thing
you need to attach a debugger and then somehow do a userspace reboot while also changing the args of exec
with just a PAC bypass we can still do downgrading on 15.2+ afaik
so the future will be either shitty jailbreak with PAC bypass
or proper jailbreak with PPL bypass
Just run launchctl examine 

fr fr
If only we could get physrw with a better exploit
here are trust levels on macOS dev kernel btw
anything engineering doesn't exist on iOS
so anything after 7 is -1 on iOS
What's engineering?
something only existant in development kernels I presume
honestly should be doable tbh
(This is a completely true story)
you just need to find a way to get your process an IOBufferMemoryDescriptor object in kernel space
then you can reuse the Fugu15 technique
physrw is unrelated to KTRR
no
physrw is needed for Fugu15 PAC bypass
idk
and the PAC bypass is needed for the PPL bypass
with physrw you're not restricted to the virtual address space
How does fugu's driverkit thing work again?
If only I knew
💀
btw
is this supposed to be public
not that I care, just apple or whatever
maybe not 😄
idk
I'm not going to go into detail where this is from
to protect its source
yeah that too
L
(but it's all publicly available)
weren’t dtks just published
yeah I just didn't know the rules around KDKs
dev kernel 
palerain users
this thread should have everything needed https://twitter.com/cutesmilee__/status/1593300872720678912 for physrw
@MiscMisty @opa334dev @Jakeashacks @xina520 they aren't uninitialised (that vulnerability got patched later), however since the buffer is allocated when you open the client, you can write to it using r/w before triggering the memdesc write
@grave sparrow join the dyld team
liberal
when did the kernel team hurt you man
you ever seen the linux kernel lol
alpha grindset
good
this is why I choose to run the NT kernel instead
@lapis vessel just fyi the getRootPath function I sent here earlier is a bit flawed because for whatever reason reading the location that /var/jb points to causes some daemons to crash with sandbox errors
This is fine for most tweaks but as cr4shed injects system wide you need the fixed one
NSString* getRootPath(void)
{
    static NSString* rootPath = nil;
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^
    {
        NSFileManager* fileManager = [NSFileManager defaultManager];
        rootPath = @"/";
        if(![fileManager fileExistsAtPath:@"/jb"]) // ignore old unc0ver versions where /var/jb is a symlink to /jb
        {
            BOOL dir = NO;
            if([fileManager fileExistsAtPath:@"/var/jb" isDirectory:&dir] && dir)
            {
                rootPath = @"/var/jb";
            }
        }
    });
    return rootPath;
}
this one works better
considering just using
NSString* rootifyPath(NSString* path)
{
    return [[NSFileManager defaultManager] fileExistsAtPath:path] ? path : [@"/var/jb/" stringByAppendingPathComponent:path];
}
no
Ignoring it if it points to /jb is important
else you break support for some older devices that have a /var/jb -> /jb symlink
but just checking for /jb existence works as well because it can't exist on rootless jailbreaks
I mean, look at the code
it will be checking for the existence of paths that cannot exist on rootless jailbreaks
yeah but you want to support both rootless and root jailbreaks, no?
there is no real reason to make a separate package for rootless atm
for example, I call rootifyPath(@"/usr/lib/Cephei.framework"), that returns @"/usr/lib/Cephei.framework" if /usr/lib/Cephei.framework exists, otherwise returns @"/var/jb/usr/lib/Cephei.framework"
as far as I can tell, this code looks foolproof
for what I need anyway
maybe it's better to check the /var/jb one first
and prefer that over the system one
NSString* rootifyPath(NSString* path)
{
    NSString* rootlessPath = [@"/var/jb" stringByAppendingPathComponent:path];
    return [[NSFileManager defaultManager] fileExistsAtPath:rootlessPath] ? rootlessPath : path;
}
I disagree. On non-rootless jailbreaks, /usr/lib/Cephei.framework cannot exist, whereas on normal jailbreaks, both /usr/lib/Cephei.framework and /var/jb/usr/lib/Cephei.framework can exist
I mean, obviously unlikely that /var/jb/usr/lib/Cephei.framework would exist on a normal jailbreak, but I want to always be using /usr/lib/Cephei.framework if it exists
yeah it depends but I don't think it matters too much in the end
the edge case is if both exist
and that will almost never happen
yh exactly
and the question is which of the two you want to prefer in that case
make gate a check
on iOS <= 14, prefer /
on iOS >= 15, prefer /var/jb
idk lol
probably unnecessary lol
yeah I think I will just be using yours
yeah as I'm basically just using hardcoded paths in cr4shed, mainly to lazy-load libs, I'm happy it will work for me
that func seems to respring loop on my unc0ver Xs 14.3 for whatever reason
what about the C version?
char* rootifyPath(const char* path)
{
    if (access(path, F_OK) == 0) { return strdup(path); }
    char* ret = NULL;
    asprintf(&ret, "/var/jb/%s", path);
    return ret;
}
oh also the rootifyCPath function in your pastebin is completely unsafe, it always returns a free'd pointer
I'm thinking of just making it a preprocessor macro btw
yeah exactly because of that
that may also be the reason for the crash now lol
just weird that it didn't happen before
yeah you absolutely can't do this: return rootifyPath(path).fileSystemRepresentation;
the lifetime of fileSystemRepresentation is only as long as the return value of rootifyPath, which gets released before the function returns
so it returns a free'd pointer every time
this should never crash tho?
no but it leaks memory
it doesn't leak memory if used correctly...
yeah but you need to free things
correct
no interest in doing that everywhere I use it
If I make a preprocessor that always goes through NSString for both things it should work tbh
#define NS_ROOT_PATH(path)([[NSFileManager defaultManager] fileExistsAtPath:path] ? path : [@"/var/jb" stringByAppendingPathComponent:path])
#define ROOT_PATH(cPath)(NS_ROOT_PATH([NSString stringWithUTF8String:cPath]).fileSystemRepresentation)
ok:
#define ROOTIFY(path) ((access(path, F_OK) == 0) ? path : "/var/jb/" s)
hm yeah that can work too
I quite like that solution tbf
this still gives you a free'd pointer opa...
nope
the only reason the pointer was freed was because of arc which freed it at the end of the function
I mean this is still kinda bad but from my experience it should be ok
But I will use yours for the C version
does ARC always insert objc_release calls at the end of the function?
yeah I mean if you insist on using the objc stuff in the c version then I would have added a call to autorelease
can you do that in ARC?
no
whereas this will
==> Compiling HookCompat.m (arm64e)…
HookCompat.m:14:27: error: expected ')'
void* lhImage = dlopen((ROOT_PATH("/usr/lib/libhooker.dylib")), RTLD_NOW);
^
./rootless.h:5:71: note: expanded from macro 'ROOT_PATH'
#define ROOT_PATH(path) (access(path, F_OK) == 0) ? path : "/var/jb/" s
^
HookCompat.m:14:26: note: to match this '('
void* lhImage = dlopen((ROOT_PATH("/usr/lib/libhooker.dylib")), RTLD_NOW);
doesn't seem to be working
u wat
oh 1 sec
meant to be path not s lmao
changed parameter name, forgot to rename the one I used in the definition lol
until it gets a variable and not a constant string
smh
yeah that makes sense though
oh yeah it absolutely won't work for variables
will just go through the other macro in that case
ok so here's some code using your macro:
#define NS_ROOT_PATH(path)([[NSFileManager defaultManager] fileExistsAtPath:path] ? path : [@"/var/jb" stringByAppendingPathComponent:path])
#define ROOT_PATH(cPath)(NS_ROOT_PATH([NSString stringWithUTF8String:cPath]).fileSystemRepresentation)
void testStrings()
{
    const char* path = ROOT_PATH("/bin/sh");
    printf("path: %s\n", path);
}
I've looked at the disassembly
Ugh objc makes me sick
#import <Foundation/Foundation.h>
#include <unistd.h>
// Use for NSString literal or variable
#define ROOT_PATH_NS(path)([[NSFileManager defaultManager] fileExistsAtPath:path] ? path : [@"/var/jb" stringByAppendingPathComponent:path])
// Use for C string literal
#define ROOT_PATH_C(cPath) ((access(cPath, F_OK) == 0) ? cPath : "/var/jb/" cPath)
// Use for C string variable
#define ROOT_PATH_C_VAR(cPath)(ROOT_PATH_NS([NSString stringWithUTF8String:cPath]).fileSystemRepresentation)
I consider this the final version now
although let me know what your results say lol
ARC does call objc_release on the NSString before the call to printf
BUT
it first calls objc_retainAutorelease
so your fileSystemRepresentation string will be alive until the next autorelease pool cycle
(me pretending I understand how objc memory allocations work)
alright so I guess it's fine lol
yeah should be. stringByAppendingPathComponent returns a string with a refcount of 1, objc_retainAutorelease takes it up to 2, but it will be decremented on the next autorelease pool cycle, then objc_release takes it back down to 1, then printf is called
oh ROOT_PATH uses only string literals so they have no lifetime
they are never "free'd"
oh wait u mean ROOT_PATH_C_VAR?
I mean the same one you used in your prev test
yeah sorry my bad
so yeah, in the new version it's ROOT_PATH_C_VAR
exact same thing
interesting
well they're completely equivalent
That's a pain
anyway takeaway is that the return value of ROOT_PATH_C_VAR is safe to use temporarily, as long as you don't need to hold onto it for very long
You're limited to the PAGE_SIZE on every trustcache, you can't inject a cache more than 16384 bytes into the kernel. I liked the idea of @naive kraken about the daemon, but that will only work if that limit is not hit.
can you load more than 1 trust cache
Yes, you can
then load one trust cache per binary
ez
hmm idk, it's certainly more difficult than I thought then
do you happen to know if dylibs in dynamic trustcache can inject into binaries in static trust cache
Just make an entry in Fugu like I'm doing for Procursus now, but I'll add a test entry too if you guys need to try out things...
tc users 💪🏼💪🏼
I haven't tested this
lol
someone said to me it works on iOS 14
but having read the code that does the check I feel like it doesn't in 15
but then again I could be wrong
Worth trying...
how advanced is your fugu setup
put these 2 in trust cache and find out
if you want an open source launchctl that exists now too
This kills oobPCI after auto_run, so we don't end up in a kp, but if you still need access to kernel debugging, you can do this by renaming the Trustcache to something like Trustcache2 and reboot, re-jb to get to original fugu modus by Linus
hm idk
just try what I sent
you need to find the SpringBoard pid though
wait no I remember it now

