#development
is there any security setting i need to disable on aarch64 macOS to do simple buffer overflows? i get bus error no matter what payload i use lol
@grave sparrow your xpc thing doesn't seem to be working if the mach port comes from host_get_special_port
xpc_pipe_routine seems to return 5
does the daemon need to check in into the port or something?
debug it
yeah I checked amfid
see nothing special there
yes
but I get the port fine
just the xpc thing doesn't work
isn't there this weird privileged flag
but on macOS right?
I see
so you say I cannot use bootstrap_look_up synchronously from launchd
I guess because that goes back to launchd and it can't process the message as it's deadlocked waiting for a response
can I not just find the function inside launchd that does the look up and use that?
I think I have it idk
you know, patchfinding exists
no1 cares about early shit
For early shit I will probably use either mach directly or file descriptors or some crap
heck maybe just even writing to text files
I will call that libshit
idk
I just have to get primitives back to launchd
from some process that had been running through the userspace reboot
shouldn't be too bad
launchd deadlocks and waits for the other process to write the ppl mapping back to launchd and give it the address of the mapping
kcall is a different beast, no fucking idea how I will get that done yet
there is PPL mapping
PPL mapping is magic mapping in process space
and you can map whatever physical memory you want into the process using this mapping
and when you have kcall and pplrw, you can give this mapping to whatever process you want
you give the shit to a process, then make launchd do execve, then make the process give it back
yes
if you have the mapping applied
like the mapping is basically a higher level table of other mappings
and when you have this table mapped into your process you can write entries to it and then other pages will be mapped into your process space
@naive kraken we can exploit on fugu twice though
we can launch oobPCI and jbd again
the kernel exploit doesn’t require any spray
no i've already trademarked this for every library i've ever written
lolol i'm actively working on that
https://headers.cynder.me/index.php?sdk=ios/16.0&fw=PrivateFrameworks/SpringBoardHome.framework&file=Headers/SBIconListView.h if you want to hook it, SBIconListView has a layout property that controls the row/column count for that list
just no
the kernel exploit is unstable as is
you can also just like, use some functions to grab the pointer to the existing config and update the values there
```objc
SBIconListGridLayoutConfiguration *config =
    [[(SBIconListGridLayout *)[[[objc_getClass("SBIconController") sharedInstance] iconManager] listLayoutProvider]
        layoutForIconLocation:@"SBIconLocationRoot"] layoutConfiguration];
[config setNumberOfPortraitColumns:5];
[config setNumberOfPortraitRows:6];
```
@grave sparrow what hostspecialport are you using for your jbd?
wait what
damn
Maybe port 15 is just already taken idk
what do I know
not that i know of but i'm doing some RE to try and figure out if there's a better way to do it than this
whatever this means
wait
do I need to add 7 when doing host_get_special_port?
hm but I saw Fugu14 was using 22 or something
x86 does what it is supposed to do, aarch64 throws bus error
if there were though you'd have to either call this one demonic function or respring for the layout to get updated afaik
so 15 not 0?
ok
then that's the issue
probably
what
it uses 21
ok
yes
what do I know
communicate from launchd to jbd
how many ports are there
32?
Yeah I guess? I have my own kickstart binary that calls launchctl api
balls
yep 15 is in use
ports on iOS
so you'd rather have me do more port fuckery?
but that's what you're suggesting 
Also jbd is first before launchd
I'm not even in launchd yet
just making sure hsgp works
bro no one's using that crappy port
otherwise it would be taken
lol
I don't
Hm I get it
anyways what port number is this
I mean I am using the launchctl api lol
That seems more trouble than it's worth
lol sorry opa
I thought it wasn't used
it isn't
🐒
speaking of which, I should put them up for sale
do you have a use for it
I'll gladly trade a 256 for your 15.4.1 128 
I'll get one eventually
or I'll have two available for Fugu16
all my devices are on 14.x 
wait no the A12X ipad is on 13.5.1
wtf
rows is kinda busted
columns is fine
what vers are u on
are u hooking
L
yeah so you're setting every single location to 5
you need to check the iconLocation
no
you can check the existing values and compare them to what you know they should be for a given location but there's a reason doing it there sux
%hook SBHomeScreenViewController
- (void)loadView
why i'm looking lol
then:
```objc
SBRootFolderController *rfc = [[objc_getClass("SBIconController") sharedInstance] _rootFolderController];
for (SBIconListView *list in [rfc iconListViews])
    [list layoutIconsNow];
[[(SBRootFolderView *)[rfc contentView] dockListView] layoutIconsNow];
[[(SBRootFolderView *)[rfc contentView] dockView] layoutSubviews];
```
to flush layouts
dock ones not relevant if you arent touching those
no run that in that hook
after my orig code
but yeah if you call that same hook code again with new values and then run that stuff ^ it should also update
enough moving parts respringing is probably safer/easier though
a few months ago?
i haven't touched ios in years wtf
yeah
also ren might know better on layout stuff at this point not sure
could bother them
no on the layout shit lol
i'll look at vertical scroll later™️
hi, does anyone know how i could remove these? they block me from creating a new cert. right clicking does not work
looks like a need a paid acc for that
should have noted that i have a free one
following an apple support thread i deleted them from keychain but that didnt really change anything
forgot to censor have my last name
chad self-doxx
it’s fixable
the exploit is literally zero overhead
ok but why would we even need to do this
we can persist ppl primitives easily
the hard part is pac
can’t we build a pac primitive from pplrw
not really? idk
that’s what oobpci does
what to do here developers
@naive kraken using altlist, would it be possible to have it so when you toggle one app from the Applications section, it goes to a section called like Enabled and THEN that section allows the user to control the order in which the items appear one by one (like how the control center modules are customized)
oh gm simon
That is not possible
Does azule work with github actions?
does anyone have a way to contact ren?
In this video we will take an in depth look at the fast inverse square root and see where the mysterious number 0x5f3759df comes from. This algorithm became famous after id Software open sourced the engine for Quake III. On the way we will also learn about floating point numbers and newton's method.
interesting af video
Should’ve left no comments
this man: “sudo rm -rf / --no-preserve-root”
You can't delete /, only everything inside it
yes but you'd need to write the logic on your own
the entire thing is possible? would I need to overwrite methods to do this
or would it just be easier to make my own
@sly knoll set it as the boot object
I don’t know how to do that
i got these files
kmutil configure-boot -c?
yes
do i need make new partition or?
sorry for ping
or can i use them to boot macOS
(maybe no)
and i dont know what is the home directory path on recovery mode
ping me when you reply🙏
you take the base class and overwrite what you need
although I feel like someone else already did this…
average icraze code
How do you mount a modern iOS restore ramdisk DMG? I've tried 16.3.1 ramdisks from both iPhone X and iPhone 14 Pro Max IPSWs, and trying to mount both of them outputs this error, even though they supposedly aren't encrypted.
Why do no mfs know how to hexdump head
we spent that time looking for bitches
How can you codesign an IPA in JS (online) ? I can't find anything anywhere talking abt this.
you rewrite ldid in js
or use wasm
if you need a tester for fugu15 max, here is a volunteer
🤓
like actually overwrite it in my own files, or make a tweak that injects into altlist
i feel like someone did too, but idk
you make your own subclass of the base class that AltList provides
by linking the framework
yes
i get it, but idk how to apply it LOL
or rust
There are many already
😅
Don’t worry we won’t take that long
😎👍
Nice
which one
oki
xina support ?
changing column count once on springboard 
updating it in real time 
I can't complain about xina, it's worse not having a jailbreak and tweaks working. but i'm excited to try fugu15 max when it's released
me? glitchy code? impossible 
true
tbf i've had no reason to be in this server till this week
been trying to find something to do after work other than "just keep working" and it was this or sewing 
tell cam (not procursus one) he can send me fabric to make me leave
what are good plugins for xnu re
so real
true. please leave
fr
Florida men
send link
anyone know how to release ram from mdc?
ive tried munlocking and munmapping yet its not lowering ram usage when the task is done
its leading to files being corrupted or having it abort with bigger operations like icon theming
or if it is freeing up the ram, it isnt doing it until the iteration is done
macdirtycow
it has to load the file into memory in order to replace but it isnt releasing it from memory
when i replace, ram jumps up by 300 mb and then jetsam kicks in
swift should be doing it automatically but it isnt
thats what the impl was coded in
swift devs when it doesn’t work
All the money you will make from 15.4.1 arm64e will be because Swift is good
I’ve been laughing at swiftui for the past hour because I just found out it didn’t support text boxes in Alerts until iOS 16
it does
u are doing it wrong
u need textfields not textboxes
works on palera1n rootless
Cap
Don’t you have a fugu15 device
my main
what’s the chances of kicking me off this firmware atm 
the iphone 13 pro x
A13
0
because it’s rootless
you can rm rf the rootless install and it’s gucci
yeah but theres MDC idiots getting bootlooped
MDC cringe
@tepid olive I’ll test it tmrw if it’s fine on my device (a13 15.1)
someone was spreading malware with cowabunga custom operations and fileswitcherpro and bootlooping people
cba to debug anything rn
that’s okay
what processes can currently be modified with fugu15 max?
ive only seen the ls so far

https://github.com/cellebrite-labs about everything on this account
Does xinaa15 use some new package layout?
if I had to explain the cursed shit it's doing you would hate me and everyone and everything
XinaA15 is some of the jankiest shit out there
example: it's using an iOS 13 rootful bootstrap that's heavily patched up (this is a common theme)
NewTerm and any other binary that uses the system libswift continues to not work because it rewrites /usr/lib/swift load commands to /var/lib/swift
bruh
is it worth just making a package called SwiftXinaFix which symlinks /var/lib/swift to /usr/lib/swift
honestly… yeah probably
I was thinking of doing it in postinst
Might be worth just making a package for it
but then I don’t know if dyld is smart enough to follow a symlink to what’s supposed to be a shared cache binary
So that lots of tweaks can just refer back to that
Oh god I didn’t think about this
@silver rampart you might know the answer to that
you talking about string or launch command here?
if it's just a string you can bypass xinas binary patch
I still don’t have a xina device and honestly don’t intend to at this point, so that’s on you to test lmao
The launch command
Yeah it’s not possible to fix without a Xina jb update, again
yep
You have no idea how long it took me and Adam2 to figure out this is the problem
the ugly alternative is checking the load commands in postinst, and if it’s been changed, then you un-change it and resign
but I mean… yeah…
how many levels of hacks do you want
hacks for the hacks
I told xina about this
not possible
I could not figure out how to resign a binary in a way that it actually works
and I tried just about everything
ldid doesn’t work?
no
oh because it does that dylibifying thing
sigh
no it doesn't do that at runtime
that has been done on the whole bootstrap once before it was packed
I think
hmm ok good
it really should be at runtime 😬
you could hook dyld and check paths
well i do now
Well that was worth a shot
if you do something janky like this it works, if that's enough to throw off whatever auto-patcher
(no symlink involved it'll just look for a missing file in multiple spots)
You know what, yes that’s actually perfectly reasonable
I’ve Set a reminder in case I forget, should have a chance to do it this week
OK, removing the img4 header with img4tool appears to work on an iPhone X restore ramdisk, but then I tried it on an iPad (4th generation) restore ramdisk and it says:
```
img4tool version: 0.193-e6a43f7d130ae94e38898292844d7cf5933699c5
Compiled with plist: YES
img4tool: failed with exception:
[exception]:
what=File not recognised
code=20578312
line=314
file=main.cpp
commit count=32:
commit sha =254b42f067893ce32a10e8a99b2dfbec2149cb54:
```
I have an xcframework Swift project that I develop and build through Xcode. I would like to build it into a dylib for tweak injection. How should I go about doing this?
Whats a team identifier? From a tweak if it matters
You asked about a modern iOS ramdisk, the iPad 4 is far from modern
All 32-bit images are encrypted
You need to use xpwntool
I'm trying to mount an iOS 10.3.4 ramdisk, which shouldn't be encrypted.
@lime pivot xina wants broken example (the /usr/lib/swift thing)
just send me a deb
Already done
He fixed it (apparently)
he actually responded to me for once
What key am I supposed to use to decrypt it then?
@ThermalDOE @s1guza get the ramdisk iv+key, then decrypt+extract the ramdisk from its container (img4). then, you need to feed that ramdisk along with rootfs and platform name to genpass[1] to get the passphrase. extract the rootfs with vfdecrypt, using said passphrase.
How do I use this?
Is deb injection just moving files where they have to be or is it more complicated
Idk how it works with a jb, but if you're adding a tweak to an ipa and sideloading it you need to add a load command to the app's binary file in order for it to actually know what to do with those files
@coral gazelle just downloaded an ipsw for the iPad 4, 10.3.3, the restore and update ramdisks aren't encrypted
the root fs though, is
wait what, it's not lmfao?
wtf is apfs.framework doing in a 32 bits device ramdisk
for reference, this is the ipsw http://appldnld.apple.com/ios10.3.3/091-23117-20170719-CA973B02-6977-11E7-953B-279100BA0AE3/iPad_32bit_10.3.3_14G60_Restore.ipsw
Is there any deb inject thing other than azule (I know there are others but azule is the only one that picks it from a deb file) which can be run from the shell
I want to make smt with GitHub actions but it seems like azule fails at the part when it actually injects the deb file
you can use something like this, but you’d need to add some more functionality to work with a deb and ipa
bc it takes in a dylib and a binary
I mean how would it work with .bundles files?
uh no idea
I mean they are for additional ui I think
But uh do I have to specify the path that it will move the Dylibs to?
Then how do I mount the restore ramdisk?
Would there be a reason to not use @rpath
Wondering if I should just switch my rootful and rootless builds to @rpath
Instead of just rootless
Hmm. Ok
anyone have security sso tweak for latest youtube, the one I have no longer works
WRONG
apps don't use @rpath
They use @executable_path or @loader_path
The only way that would work is if one of the LC_RPATH is @loader_path/ so it doesn't count
rip @ executable
L bozo
So it's using @executable_path/ but with unnecessary layers of indirection
(This is what is described in the dyld manpage)
what was this referring to? "I execute bash better"
does he understand something about why newterm doesn't work on xina?
xina moment
@unkempt raft happy birthday big man
@unkempt raft happy birthday big man
thanks 
My dylib doesn't seem to get injected into some apps w/ Substitute. Any ideas why?
It gets injected into Airbnb for example.
```
1678618144.836 200ddd5 INFO Airbnb(955): Injecting /Library/MobileSubstrate/DynamicLibraries/libAXServer.dylib
1678618144.838 200ddd5 DEBUG Airbnb(955): Injection of /Library/MobileSubstrate/DynamicLibraries/libAXServer.dylib completed in 2 ms
1678618144.838 200ddd5 DEBUG Airbnb(955): /Library/MobileSubstrate/DynamicLibraries/libAXServer.dylib used 64 kbytes of memory
```
But not Slack.
```
1678618190.823 200ddd5 INFO Slack(960): startup
1678618190.857 200ddd5 INFO Slack(960): Injecting /Library/MobileSubstrate/DynamicLibraries/0Cr4shed.dylib
1678618190.860 200ddd5 DEBUG Slack(960): Injection of /Library/MobileSubstrate/DynamicLibraries/0Cr4shed.dylib completed in 3 ms
1678618190.860 200ddd5 DEBUG Slack(960): /Library/MobileSubstrate/DynamicLibraries/0Cr4shed.dylib used 128 kbytes of memory
1678618190.860 200ddd5 INFO Slack(960): Injecting /Library/MobileSubstrate/DynamicLibraries/CepheiSpringBoard.dylib
1678618190.862 200ddd5 DEBUG Slack(960): Injection of /Library/MobileSubstrate/DynamicLibraries/CepheiSpringBoard.dylib completed in 1 ms
1678618190.862 200ddd5 DEBUG Slack(960): /Library/MobileSubstrate/DynamicLibraries/CepheiSpringBoard.dylib used 176 kbytes of memory
1678618190.862 200ddd5 DEBUG Slack(960): completed in 46 ms
```
I have already added both apps' bundle id to the plist file
No clue
isnt prostitution illegal or smth
selling feet pics
Thanks!
@unkempt raft happy birthday big man!
the socks and slides come off? 
im wearing them as i type this
selling lemonade
we wouldn’t even know you’ve never done a reveal
fr
hand reveal doesn’t count
imagine never seeing the pic of shep repping the linux drip
so true
Thx 
I only make tweaks for apps I use
right not I only need youtube and freevee
@gentle grove why do you say it's hopeless anyway
wtf
same as every year
your own fault if you didn't stay on the correct version
nothing has changed
I didn't even know there were any jbs for any iOS 15 version
lol you out of the loop?
Maybe
I mean mostly fully working jb (public) but tweaks are private
I only hear what's in general
"the" tweaks?
?
I go to bed
default vscode
I dislike code
lmao
:meth:
how do I hook a __PROTOCOL_ class
do you mean like this
or is there some epic new type of class i haven't seen
new type its swift
either it's not called or it didn't hook
```objc
%hook PVPlayerSDK_Player
-(void)start:(id)arg0 {
    NSLog(@"[*] PVPlayerSDK.Player: start hook: arg0: %@ start", arg0);
    %orig;
    NSLog(@"[*] PVPlayerSDK.Player: start hook: arg0: %@ end", arg0);
}
-(void)load:(id)arg0 {
    NSLog(@"[*] PVPlayerSDK.Player: start load: arg0: %@ start", arg0);
    %orig;
    NSLog(@"[*] PVPlayerSDK.Player: start load: arg0: %@ end", arg0);
}
%end
...
%init(PVPlayerSDK_Player=objc_getClass("PVPlayerSDK.Player"));
// symbol: 000000010013f170 s __PROTOCOL__TtP11PVPlayerSDK6Player_ ::: 000000010013f170 s __PROTOCOL_PVPlayerSDK.Player
```
@silver rampart
SIP enabled L
There was a bug that caused anything with the blink engine to not launch without some weird ipc boot arg
I still have the boot arg tho
but yeah, i got no reason to keep it on and i forgot why i turned it back on
discord moment
trolled by the entire internet
Yeah, starting in 12.3
It happens when you have sip and amfi disabled
Even though I never disabled amfi manually
touchbar is dead. 
Me when I like using straws and hate drinking directly from a glass
i love SIP
developers hating SIP and forgetting that normal people that use macs exist
you are not normal
how does this work
gorn
2 years have gone by and i'm still dumb as shit 😎
rip it out and send it to me i miss mine
job has brainwashed me into left side pointer always
You can unload system daemons with sip off
job like the guy from the bible
yeah
oh real
only 2 acceptable ways
SBIcon*icon
SBIcon * icon
mine flickers unfortunately
need to keep it warm or it flickers
unfortunate
it's so strange. something has to be fucking up internally when the temp drops and i have no idea what that could be
fool
so that's why i've decided to just kill the touchbar server entirely
no bar no blinding lights
typedef SBIcon* SBIconRef;
SBIconRef icon;
true
at least 3
No thats an ipv6 address, obviously
base64 ips when
lmao
use kvc
face reveal
can confirm
Bump. Would really appreciate help in figuring out why injection doesn't work in some apps!
weird. does it inject if you set the injection filter to com.apple.UIKit?
Let me try.
Nope. Still just Twitter and AirBnb works. Doesn't get injected into stock apps too.
cat /var/log/extensionloader.log
true
@grave sparrow sir
incorrect bundle id
Right, I'll give it a shot
ofc you have
I am pretty confident it isn't getting injected because Console doesn't show Notion though
nice assumption that they're using theos
theos? idk whats that. I'm compiling it manually
with swiftc and clang
there's no deb
it's a dylib file i dragged into /Library/MobileSubstrate/DynamicLibraries
in the same directory as the dylib? /Library/MobileSubstrate/DynamicLibraries
lemme rename Cr4shedMach.plist to libAXServer.plist
@tropic axle what command do you use to compile your project?
```sh
swiftc ./AXServer/AXServer.swift ./AXServer/Bundle.swift ./AXServer/AXOverlayWindow.swift ./AXServer/ControlsView.swift ./AXServer/AXSnapshot.swift \
    -emit-object \
    -module-name AXServer \
    -emit-objc-header-path AXServer-Swift.h \
    -sdk /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS16.2.sdk \
    -target arm64-apple-ios16.2
clang -c ./AXServer/DylibEntrypoint.m \
    -fobjc-arc \
    -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS16.2.sdk \
    -target arm64-apple-ios16.2
clang DylibEntrypoint.o AXServer.o Bundle.o AXOverlayWindow.o ControlsView.o AXSnapshot.o \
    -dynamiclib \
    -o libAXServer.dylib \
    -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS16.2.sdk \
    -target arm64-apple-ios16.2 \
    -L/usr/lib/swift
install_name_tool -id @executable_path/Frameworks/libAXServer.dylib ./libAXServer.dylib
/usr/bin/codesign --force --sign "Apple Development" libAXServer.dylib
```
maybe you use theos?
I can give it a try.
anyways the plist file is in there correctly
Permissions look good.
oh shit it works now
i have no idea why
i just deleted the plist file and scp it back in. no content changes.
I am using com.apple.Foundation in the plist.
thanks everyone
maybe Substitute doesn't listen for changes to the plist unless you explicitly delete it?
i did that
yeah haha
at least add a constructor filter
yeah, wouldn't want it to be injected into every single library 🙂
so say my jailbreak tweak causes the target app to crash in some cases... how do i debug it? where are the crash logs?
wtf
byte_sex
[[cr4shed]]
@grave sparrow why is string not found
yes
how to fix the dump and hook
wym by instance of
maybe clean this up + pin?
other pins can also be unnecessary if you know where to look for the right docs
but new devs prob dont know really about the objc runtime and what it can do
nice formatting
@grave sparrow got it working but just says obj is the original class not a new object
SBIcon
*
icon
;
please swift hooking support in logos 🙏
what I mean is accessing swift members from the module class
current methods are hacky to say the least
You can try Orion instead?
I don't need to write swift because I don't know it anyway
need to hook swift from theos(so objc)
hooking works fine but accessing data is tricky
Orion has full swift hooking support?
if u dont wanna use orion just avoid swift 👍
No
@grave sparrow want to work on a project with me?
It's a very simple project
Involving FreeBSD
Basically
Codesigning on FreeBSD
Not sure if this would be helpful in creating a fix for the Activator tweak for iOS 16 on palera1n-c (since in the past someone has created ActivatorFixiOS14), but I will leave this here for those who might want to come up with a solution since the dev of Activator is MIA and the tweak is not open-sourced.
It may have seemed that rocketbootstrap was the issue. So I went ahead and installed the rocketbootstrap from havoc instead along with libhooker-shim, and the following error was generated. I will leave this here.
One of the FreeBSD devs was donated an m1 laptop to add support
But
It has a Japanese keyboard
And he needs US
So he can't even type his password correctly
Or something
Kyle Evans
what about USB keyboards?
Hey, I have been spending days doing my best to reverse engineer this iOS app for my door lock. It supports Google Home but I just want to use Siri with it. I have a plan to add a URL scheme and from that handler call into existing code that triggers my lock to lock or unlock.
So far I actually have that URL scheme aspect working (created a dylib that adds a method to the AppDelegate for handleURL).
But from there I am stuck because the app is written in Swift.
My only decent plan left is to try and write another DyLib in Swift or ObjC or some combination that maybe hooks or adds methods to expose the objects I need from the AppDelegate application:handleOpenURL: method. (Any ideas welcome, please!!!!)
I have exhausted all ideas with tools like LLDB and Frida. Using Frida's heap search I can get an instance of these objects I should be able to lock/unlock the door with but because they are Swift objects I cannot inspect/access their properties and methods.
I have even considered trying to just send a touch event to the middle of the screen from application:handleOpenURL: but couldn't figure out how to do that.
Does anyone have any ideas I haven't thought of by chance? Thank u so much!
It's not his until FreeBSD works on it so he can't
@hasty ruin looking for the loli key
????
Is anyone familiar with this? https://github.com/MTJailed/XNU-Kernel-Fuzzer
mtjailed probably is
perhaps
Huh haven’t thought of that
to be honest with you, I think you’re taking a more difficult approach than necessary. I’d suggest using FLEX’s network monitoring feature, or buying Charles https://apps.apple.com/app/charles-proxy/id1134218562, to see what requests are made to trigger events on your lock. then you can reconstruct these requests yourself without needing to rely on the full app
that’s assuming it talks over HTTP, which is true most of the time for smart home stuff. it may use some other proprietary protocol while on wifi
@lime pivot Thank you, I was thinking that would be a good idea too. Just wasn't sure which path to go down. I think I got excited about adding my own handleURL method to the app delegate and wanted to try to hook into the existing app.
But I can just figure out their auth process
The actual API/request to lock/unlock is simple
But they are using AWS Cognito ( https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html ) which refreshes a JWT really often. So I need to figure that out.
The Kwikset app supports google home but not siri and has no other way to integrate. I thought it would be cool to be able to have my door unlocked by siri or by using iOS shortcuts.
I think you are right and that would probably be a way better use of time. I have already been dumping the HTTPS requests/responses using Charles Proxy and think I am close with that route. Thank you so much!
Dont inject into launchd
launchd handles so much stuff I would not at all be surprised if it mounts disks
something like homebridge/home assistant might be a good idea for you, since it integrates it right into the home app without you having to really do anything (assuming there's a plugin available for it)
I'm assuming that's their goal, but they need to reverse the protocol first
Why do iOS developers wear glasses?
Because they can’t C#!
not funny. didn't laugh
That’s the type of joke I’d expect from someone named Thomas
is it even possible to make a char * const VLA in C
VLAs are cursed.
Use char** and malloc like a normal person
Im gonna murder the mf who made this default behavior
show your dylib
you mean the best discord server
does anyone know if Apple changed anything for app notarization in Ventura?
With CoreTrust you can insert a dylib into launchd and sign. I'm not that experienced with tweak injection or fishhook so this is prob not the best, but would this successfully inject dylibs into processes if compiled and injected into launchd or am i being a fucking idiot (i don't have a iOS 14.X device to test this out on) https://github.com/0xilis/Subsidiary/blob/main/posix_spawn_hook.m
it (should) hook posix_spawn and posix_spawnp and add DYLD_INSERT_LIBRARIES= environment variable, or modify it if it's already there to include the dylib
you also need a codesign bypass
yeah
the coretrust bug
isn't that a codesign bypass
or do you mean something else by that
it isn’t enough
springboard for example will have a trust level too high to allow injection
also it won’t have get-task-allow
ah
Do you need to be jailbroken for that? /s
Just noticed i forgot the /s
gonna go to the mall next week which one should I get
I just bought the captain Rex helmet
why does the lego store smell so good
plastic fumes W
probably intended, special scent they put out
arenas do this kinda thing too
i have big lego fan friends that have considered getting a part time job at lego just to buy a shit ton of lego with the discount then quit
lmao
you guys have tax return too wtf
There's a discount?
yh
The best thing about working for the Lego Brand Retail store is you can buy LEGO at a good discount price, for the first 90 days is 30% off, and after 90 days is 50% off.
Yes? Cause I made under $14000 or whatever
WOW!
hey @lime pivot, Zebra seems to prioritise iphoneos-arm packages when trying to install a package available for both iphoneos-arm/iphoneos-arm64
example: trying to download Nexus from havoc gives the "non-rootless tweak on rootless jb" error, even though theres an iphoneos-arm64 build of nexus on havoc
(this is on rootless palera1n)
if you want to test with a free tweak: EasyAuthentication from repo.icrazeios.com
shameless plug
if you want to test with a paid tweak: Nexus from havoc.app
nexus is now free
uh oh, really
that should have been working with Zebra 1.1.29/1.1.30
what does dpkg --print-architecture give you?
64
im on 1.1.30
the value of that is what Zebra will put the most weight to when searching for a suitable package
let me see…
Use aptitude
apt better than 🦓
that's like saying x86 is better than windows 

x86 is better than windows
arm > windows
yea 32 bit arm is
A mirror of ld64 source dumps from opensource.apple.com with buildable branches - GitHub - keith/ld64 at buildable-13.2.1
wake up babe, new ld64
cc @nimble parcel or @ocean raptor or whoever wants to be a wonderful person and compile linux/ios builds of this
@ocean raptor 
and you're going to release it on chariz
Already working on it 
Got latest tapi building as an llvm project
With swift 5.7 tree
-DLLVM_EXTERNAL_PROJECTS="tapi" -DLLVM_EXTERNAL_TAPI_SOURCE_DIR="/path/to/tapi"
bless
What do I use to compile ld64 though
Cmake or autotools
Or meson
Cause no chance in hell am I doing Xcode
I can't wait for the day it is just part of llvm
but I'm not holding my breath for it
No we don't want that
what we want is ld64.lld to be good
I've been working on llvm-vtool too
Ironically
So it seems like swift runtime modification isn’t something that is really supported or made easy by the language. I see Frida had some useful looking swift bridge implemented a few years ago but now this crashes. Is the swift ABI just a moving target or something or is it something else that makes things like swift introspection and method hooking unavailable? I know obj c has functionally built in which makes a lot of this easier right? I can’t find a ton of example resources for hooking into Swift without recompiling an app from source. I was hoping to hook Swift with an injected dylib. I am looking at a few different ideas but figured you would all know what the best use of time is there. Thank you!
Btw @lime pivot still trying to reproduce the auth flow the app uses myself. AWS Cognito doesn’t have great documentation for where I am starting from and the solutions I have tried have been out of date I believe, the protocol has changed and it’s rejecting one of my requests. This will probably be the right way to go like you said
The app has google assistant integration btw so maybe I could use that service that was mentioned earlier too
does this only apply to A12+
since tmk isn't pmap_cs preventing that, and A11- don't have PPL
(not referring to get-task-allow, only referring to TL)
how are you injecting a dylib into launchd without lowering its trust level with the coretrust bug
@grave sparrow Thank you so much for the breakdown. That makes sense.
I need to get better with lldb and read up on the swift ABI it looks like. It would be awesome to get https://github.com/frida/frida-swift-bridge working. Might try to see what is going on there.
I have been wondering if I can do something like dump memory from this running process. Copy out the bytes for a few Swift objects.
Then write a Frida script to malloc memory for these objects, copy the same data back in to recreate the objects. Adjusting any pointers if necessary. Then manually setup registers following the Swift ABI and jump to the start of the swift function.
Sounds a little crazy now that I write it out though..
Actually this is working if you just ignore this ContextDescriptorKind that is in a swift concurrency lib and make a few other changes.
The apple/swift repo here has the same enum that this frida swift bridge does: https://github.com/apple/swift/blob/main/include/swift/ABI/MetadataValues.h#L1491
But its finding:
Unhandled context descriptor kind: 8
in: libswift_Concurrency.dylib
8 isnt actually listed in that Apple Swift enum I listed. Is Swift changing so fast that Apple's own swift repos are out of date with what xcode produces?
Everything else parsed correctly too.. so I don't think it just read a value from the wrong location..
when i try to compile the xnu kernel i get these errors
i run this command make KERNEL_CONFIGS=DEVELOPMENT ARCH_CONFIGS=arm64
does anyone know a fix for that?
You might have to build dtrace to get that https://opensource.apple.com/source/dtrace/dtrace-209/
https://opensource.apple.com/source/dtrace/dtrace-209/tools/ctfconvert/ctfconvert.c.auto.html
Last time I built the XNU kernel I was building for Mac OS but I didn't need anything that wasnt already in the SDK. Are you following any guides?
If I remember right there was a decent amount of work that went into preparing the source for building after pulling it down
oh no i am not following any guide
i used the instructions from github
after it failed the first time, i asked chatgpt
but nothing useful
oh and thanks ill try that
can i use macports to install it?
as its listed on their website
Id have to look at their build script for it. Can u send a link?
If you pull down that dtrace code from https://opensource.apple.com/source/dtrace/dtrace-209/ it has an xcodeproj and Id bet that it would have a target for ctfconvert that you could build
the installation fails anyways
i am kinda confused how i can download stuff from there
Yup
I just checked
Download that source code, unzip it, open up the xcode project
Then select ctfconvert as a target and build it
ok ill try that
There are 4 dependent libraries actually.. it might take some work to get it to go this route
it tells me unable to find sdk 'macosx.internal'
Yeah let me poke around
If you goto each of those 4 targets and set the base SDK to a valid one it should build:
Ur gonna have to goto the signing tab and set that up too prob
Yeah I was just able to build it
well seems like this fixed it, gotta do this for some other ones that fail with the same error
yay build succeeded
so what exactly do i do now?
Nice.
When I try stuff like this, half the time I end up in a rabbit hole of finding tooling and libs like this. hope it works out for u
Put that binary and probably the libraries it created in ur path
where exactly are these?
Hit Command + ,
Goto locations tab
There will be a dtrace folder in ur Derived Data path with the build in there
XCode used to have a products tab in the fileview but things have changed since I did much in xcode
Oh there it is, U can just use that and itll be easier
ah i found it
Maybe put the .a files in ur /usr/local/lib or some other /lib dir that clang looks at
and the bin somewhere appropriate
xcode told me build succeeded but it failed anyways
but now it worked
its highlighted in red now and i cant really interact with it
i can press show in finder but it doesnt do anything
Something went wrong with the build then
After I setup signing and set the base SDK for ctfconvert and the 3 libraries it required it built fine
I can send u a zip but ur gonna run into way more issues than this trying to build a kernel
U should look for and try to follow something like https://knight.sc/debugging/2020/02/18/building-xnu.html
A couple weeks ago Apple finally released the XNU source code for macOS Catalina. It looks like they have now added more of the open source packages needed to build the entire XNU kernel, so it’s time to update my build instructions.
I have no idea how different the XNU kernel is from iOS to MacOS
ok ill just try this script
If you look at that link though ull see they are pulling down dtrace too and building all this
Cool yeah its a good starting point. Whatr u trying to do with a kernel image?
thanks for that
fuzzing
proof bash is the best build system
L
@restive ether
Need your opinion
thanks for all your help @peak hornet
not autotools
Let me know if u get that setup! Id be stoked to hear about it
There are also more gists on github that are prob more up to date (more recent XNU sources) if u search. I dont think apple releases the XNU kernel code that is used in recent iOS versions btw. U'll be fuzzing against older versions of iOS. And thats if the XNU kernel ios uses is from the same source as OSX. I think it was but cant remember
I’ll let you know how it goes!
It looks like it is the same codebase for each arch's kernel https://github.com/apple-oss-distributions/xnu
some minor restrictions on ios
Meson or cmake and attach it to llvm 
power through, use xcode
like a MAN
NO
does ios 16 require some new entitlement to use posix_spawnp in an app? from what i hear some ios 16 users are having trouble with the respring button for badger
posix_spawn never works from an app
???
wtf
worked for me on ios 13
...
It's called the sandbox
yeah, the app is unsandboxed
Rootless?
does this libkrw fix mremap_encrypted or am i geeking
@indigo peak doesn't matter clutch already worked without kernel stuff
it only works with apps that dont have app extensions
extensions aren't usually encrypted
so you manually copy the app and replace the main binary with decrypted
remove SC_Info, then its good to go
every well meaning build system eventually comes back to running arbitrary shell scripts
@lime pivot hey u were the one saying to go and just reverse the http/s requests right?
I am pretty stoked I got that all figured out and it’s working great. Thanks for the good advice. There are zero examples, online of using AWS Cognito directly. I wonder if I share the code and blog a little about it how much trouble I would get in.
I’m gonna inject my dylib and use a info plist modification to make it handle a url scheme. Already tested that and it works. Just gotta make the request from the app.. or I’ll prob just write a shortcut to do it
I really wish Frida had swift support or there was tooling out there for runtime introspection and hooking and all. This would have been a lot more fun that way. Still can’t figure out a good way to hook into or call methods on a swift object.. prob gonna mess with some arm assembly and see what I can do unless anyone knows of some better tooling. Just to learn
that’s great stuff. congrats, and I definitely think you should do a writeup. no doubt there’s a bunch of people that would find that info extremely useful
I think you’d be fine if you make it general, about any app using Cognito not just this specific one
@hasty ruin why
no way
im totally gonna use this so often after i add it
oh god its cloning the entirety of llvm into my plug dir
i think its shallow though
why would you do that 
to add the plugin
i gave up because vim-plug kept hanging when cloning it
even though it was a shallow clone
Just copy the files to .vim or .local/share/nvim manually
lazy
do you have the file i sent you like however long ago
i have a really fucking dumb idea for how to do it this might work one sec
Can someone ELI5 what Single Page App and SSR/SSG is ?
single page app is you just render the entire thing client side with react or something
static site generator is a program generates your website by generating a bunch of static files that you can just throw on a webserver
server side rendering is the server generates the page on the fly
Think of it like the behavior of a blog vs a social media platform
The former can be static HTML files, while the latter requires some backend processing so that the content is always different
You all are NERDS
who says you need server side processing for a social media feed 
dear lord

Yup have it all in the front end and give users direct access to your database 💯
use a static site generator

@tepid olive is MSFindSymbol still borked on mac arm64e
no it works
why
its crashing
the code is long gone though i found something else
although i do have to try it again
anyway im trying to hook the Appkit C function _NSDrawMenuBarBackground
anyone know how?
the problem is its a private function
what symbol and what macos version
Appkit C function _NSDrawMenuBarBackground, MacOS Ventura 13.1
M1 if that matters
found it inside of hopper and figured id give it a go (im trying to change the menubar background image)
idk what controls the menubar drawing
i just found that function
but im pretty sure its it
Good
This works for me
Show code
everything
well
im hooking the gui processes
its a injector i kinda cobbled together
i wanna sell it
lol okay
yeah i get it
it's chile
have fun
but yeah this symbol is found on my machine
M2, 13.1
✅
send the crash log and your symbol loading code