#development
i just got them through NSRunningApplication idk
i can tell its not injected into other stuff just gui things
yeah
launchd is better?
:noted:
what do you mean
i think so
its not crashing the dock though
it never does
just programs in general
system settings, firefox, etc
yes
yes something's null, correct?
it worked on CTFontCreateWithFontDescriptor
its custom
wait
yeah
is appkit loaded tho
im still recovering the code but i already tried that
can i just show the updated code? because i tried to hook something else in the end
but it never worked either
yea
```objc
#import <Foundation/Foundation.h>
#import <QuartzCore/QuartzCore.h>   // CALayer
#include <substrate.h>              // MSHookFunction, MSFindSymbol

struct CUIDescriptor;               // opaque private CoreUI type, only passed through

// The mangled name is a nested C++ function (CUICoreThemeRenderer::CreateOrUpdateMenuTitleLayer);
// the mangling does not say whether it is static, so if it is a normal method the real
// first argument is the `this` pointer and it has to be added in front of arg0 in both signatures.
void (*CUIRRFOriginal)(struct CUIDescriptor const *arg0, CALayer **arg1);

void NewCUIRenderFunc(struct CUIDescriptor const *arg0, CALayer **arg1)
{
    CUIRRFOriginal(arg0, arg1);
    NSLog(@"called");
}

__attribute__((constructor))
static void menubarInitializer(void)
{
    void *sym = MSFindSymbol(NULL, "__ZN20CUICoreThemeRenderer28CreateOrUpdateMenuTitleLayerEPK13CUIDescriptorPP7CALayer");
    if (sym == NULL) {
        // hooking a NULL symbol takes the whole host process down, so bail out instead
        NSLog(@"CreateOrUpdateMenuTitleLayer symbol not found");
        return;
    }
    MSHookFunction(sym, (void *)NewCUIRenderFunc, (void **)&CUIRRFOriginal);
}
```
this targets a CoreUI.framework function, which i know for a fact is loaded
no
heh
borked
for sure
same error
ill try with ellekits injector
uh
@tepid olive is there an example tweak somewhere
how do i setup the plist
with ellekit i get a different crash
its talking about some dyld cache stuff
error 9?
as soon as it opens
and with my injector i get the exact same error as before
it uses normal iOS tweak plists
yeah i figured that out
idk if this is the place to ask but, could someone make a tweak for the permissions dropdown thing like in ios 16? it shows what the app(s) are and what they are using.
it's slow in the head
Does anyone here know where is the expiration date of iOS betas located?
⬆️
is there a theos toolchain for linux with the new arm64e abi?
YOU HAVE GOT TO BE KIDDING ME!
what terrible thing happened now
New ld64 doesn't support new arm64e abi
No
And there won't be for a while
hey cuties
@grave sparrow fix this
```c
#include <stddef.h>
#include <stdint.h>
#include <arpa/inet.h>   /* ntohl */
/* CS_SuperBlob, CS_CodeDirectory, CSMAGIC_* and CS_LINKER_SIGNED are the code signing
 * blob definitions from XNU's cs_blobs.h; enum libcd_signature_query_ret and
 * _libcd_err() are defined elsewhere in libcd. */

enum libcd_signature_query_ret
libcd_is_blob_a_linker_signature(const uint8_t *buf, size_t buf_len, int *is_linker_signature)
{
    if (buf == NULL)
        return LIBCD_SIGNATURE_QUERY_INVALID_ARGUMENT;
    if (is_linker_signature == NULL)
        return LIBCD_SIGNATURE_QUERY_INVALID_ARGUMENT;
    if (buf_len < 0x65)
        return LIBCD_SIGNATURE_QUERY_INVALID_ARGUMENT;

    *is_linker_signature = 0;
    CS_SuperBlob *sb = (CS_SuperBlob *)buf;
    /* all blob fields are big-endian on disk */
    if (buf_len < ntohl(sb->length))
        _libcd_err("superblob is invalid");

    if (ntohl(sb->magic) == CSMAGIC_CODEDIRECTORY) {
        /* bare CodeDirectory, not wrapped in a superblob */
        CS_CodeDirectory *cd = (CS_CodeDirectory *)buf;
        *is_linker_signature = ntohl(cd->flags) & CS_LINKER_SIGNED;
        return LIBCD_SIGNATURE_QUERY_SUCCESS;
    } else if (ntohl(sb->magic) == CSMAGIC_EMBEDDED_SIGNATURE) {
        /* walk the index until the first CodeDirectory slot */
        for (uint32_t i = 0; i < ntohl(sb->count); i++) {
            /* sb is a CS_SuperBlob *, so this adds the byte offset in units of
             * sizeof(CS_SuperBlob) instead of bytes (the bug discussed below) */
            CS_CodeDirectory *cd = (void *)(sb + ntohl(sb->index[i].offset));
            if (ntohl(cd->magic) == CSMAGIC_CODEDIRECTORY) {
                *is_linker_signature = ntohl(cd->flags) & CS_LINKER_SIGNED;
                return LIBCD_SIGNATURE_QUERY_SUCCESS;
            }
        }
    } else {
        _libcd_err("Unknown blob magic");
    }
    return LIBCD_SIGNATURE_QUERY_NOT_A_SIGNATURE;
}
```
wtf
lol
super dumb fix
- CS_CodeDirectory *cd = (void *)(sb + ntohl(sb->index[i].offset));
+ CS_CodeDirectory *cd = (void *)((uint8_t *)sb + ntohl(sb->index[i].offset));
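Review bot: the `(uint8_t *)` cast fixes the unit of the offset, but the offset is still trusted input: `ntohl(sb->index[i].offset)` is never checked against `buf_len` before `cd->magic` and `cd->flags` are read, and the `i < ntohl(sb->count)` loop can walk index entries past the end of the buffer, since the only length checks are `buf_len < 0x65` and `buf_len < ntohl(sb->length)`. Suggest checking that the index array (`sizeof(CS_SuperBlob)` plus `count` entries) fits in `buf_len` before the loop, and that `offset + sizeof(CS_CodeDirectory) <= buf_len` before dereferencing `cd`. Also note that `_libcd_err("superblob is invalid")` is followed by normal parsing, so unless it aborts, the `sb->length` check is not actually enforced.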
how else am I supposed to do it smh
and how am i not on that list
ok andrew
sorry i like real men. you’re a software engineer

bro
%hook
its not hard
gm
thx a bunch!!!
thank you other kirb!!!
@tepid olive hbd real kirb!!
ty icraze
@tepid olive happy birthday big man
thank u!!!!!!!
hbd!!
@tepid olive happy birthday
thank yaa!!!!!
tyy
and tyy
@rain falcon
FU
yo what’s the github with linux xcode tools?


thank you ntwerk lover
Anyone interested in helping update libmacho to 64 bit?
Anyone know any reason why a properly notarized app would fail to launch on Ventura?

Like spctl -a -vvv -t install <app> shows a valid signature
And so does spctl -a -v <app>
Is there an error
write your own macho library
It’s not properly notarized
'The application "app name" cannot be opened"
aka generic af
there should be a better error in Console
im suspecting that but how do you verify that? I also heard about how creating zips of the exported app sometimes mangles the notarization on ventura?
yep that's my next step
(debugging for someone else)
so wanted to see if there's anything obvious to do before asking them to pore over console output
oh well
okay apparently the exported app works fine but when they send it over the internet it breaks

unless zip is fucking up the notarization
Quarantine
Oh planetbeing's?
Why not just use llvm
StringRef
I want to make my own tweak but I don't know from where should I start
Can someone guide me?
Start by using your brain instead of using other people to do it for you and search instead of asking stupid questions
do you have a mac?
if not, quit while you're ahead
hell nah
up
People like this are the reason why JB community is shit tho, no wonder there are no JB devs, nobody wants to deal with this kind of questions trying to support his stuff
People be asking “how to jailbreak iPhone 14? Can I use your JB on iOS 16? How to download JB? How to install tweak xx it crashes? Etc
lol
bro i just ignore
Nah, I want these people to know that they are stupid
Im waiting over a year for a JB
Because of these people
which version you on?
15.3.1 SE2020
oh bruv
I do, but I need a systemwide parametric EQ so only after opa and evln finish their fugu max I’ll be happy
do you know how to program in any language
english 
chatgpt be like
Fungus tweaks 
@lament mica send the bocchi sticker
…in development?
wtf how are we here
yes??? where else would you send it at?
Meanwhile mfers like Riley Testut who just writes a wrapper around ldid makes $11k/m in donation

bobafeetpics
bobano
icrazesad
We need to standardize paid jailbreaks that bootloop you if you pirate lol
engrish
Wanna know something really messed up
Apple uses import in C too
Also
Clang literally emits a warning if you do
Use #include with #pragma once
Or normal ifdef guards if you need it to be portable
How does it break
sed
WHATS THE ERROR
Change it to an include
Same error?
So use include
import probably breaks the include_next actually knowing what's next
find . -name '*.c' -exec /usr/bin/sed -i '' 's/^#import/#include/' {} +
or something like that
Fixed
You can do that with sed and a find . -name '*.h'
find . -name '*.h' -exec /usr/bin/sed -i '' '1s/^/#pragma once\n/' {} +
Try that @grave sparrow
ElleKit works fine for me
L
I’m sure it wouldn’t have the issue
What is the issue then
Literally what is the issue
Ill test
What did you do 💀
Why are you doing that
And you bootlooped?
Can’t you just remove a cs flag

can’t you just turn it off
fr
Speaking of which - how’s your arm64 iOS 15.5 weightbufs jailbreak going?
Idk
It’s okay
It’s gonna be 15.1 cuz weightBufs doesn’t work

Ok fixed kpf for 15.1
look at fugu15
CLASH ROYALE
Crash royale
clash royale laughing guy holding up flag
what flag

yes
I have been working with python, C++ and java
honestly im thinking of downgrading my m1 macbook to 11.2.3 so i can use foulplay to decrypt an app i wanna dev for
entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.security.exception.files.home-relative-path.read-write</key>
<array>
<string>/var/mobile/Library/Badger</string>
</array>
</dict>
</plist>
Rootless?
it works on root, i am not completely sure if everyone having issues with it is on rootless, but i only remember people reporting about it on iOS 15/16 which is where there are rootless jbs
do i need to add com.apple.private.persona-mgmt
No
It's cause PATH is not set correctly
o
will i have to posix_spawn /var/jb/usr/bin/sbreload then to just specify path manually on rootless
on rootless, should the system wide dylib add /var/jb stuff to PATH?
Hmmm, it'd just have to be handled once in launchd then it'll affect the rest of the system
the launchd path gets passed to other processes?
All of its env vars should
what about DYLD_*
Idk
I feel like that doesn't get inherited
I haven't looked at launchd much
They may do weird stuff
Load launchd into your RE tool of choice and search for calls to posix_spawn, execve, getenv, setenv, and unsetenv
I feel like posix_spawn in general does not pass down DYLD vars by default if you pass it NULL as environment
what
I thought it meant "inherit"
even ChatGPT told me this
@grave sparrow https://github.com/opa334/Fugu15/blob/max/BaseBin/systemhook/src/main.c can you proof read this code for me and see if you spot any obvious issues?
with an emphasis on the exec* stuff
????????? why
hm
Okay I see why
dylib injected via DYLD_INSERT_LIBRARIES
yes...
oh wait
no
I forgot lol
yes I do
this is DYLD_INTERPOSE
it only hooks calls from external libraries
don't I also need to deallocate this port https://github.com/opa334/Fugu15/blob/max/BaseBin/systemhook/src/main.c#L36 ?
ARC is not enabled
this is plain C
I'm dumb and so used to ARC that I forgot
anyways the stolen headers are in the repo
under _shared
it either gets freed or it gets forcibly deallocated by exec
oh I think I forgot that
I'm dumb
wait no
that does get freed
in the loop
are you sure the exec shit is correct?
also I inherit envp from environ in some places
so this is no no right?
are there any exec functions that are supposed to inherit the env?
I want to match system behaviour
?
what about the reply that xpc_pipe_routine writes
doesn't that also have to be released without arc
I want to make my own tweak but I don't know from where should I start
Can someone guide me?
You're asking this for the third time
start with google
What wasn't answered for the last 2 times?
I have started with google but I get confused 😂
I understand one of those was a bit rude, but you should've at least googled stuff...
if you get confused from a simple google search i dont think coding is for you
I have been working with python, cpp and java
But I'm new in jailbreak and tweaks field
😂
Yes I saw them but I get confused, that's why I'm searching now for a good site that is friendly with beginners
I don't know if you have a good roadmap for learning those stuff
install theos
make tweak
my jb phone just died and i dont feel like booting my ubuntu pc
@tiny tartan look at pinned
does anyone know what frameworks and methods are responsible for enabling old-style interfaces on apps compiled with old xcode versions
i can never find what does this
diff it
oh it’s in the info plist
The sdk version
when i try compiling theos tweak with swift (from orion) im gettin this error: no such module: 'SpringBoardServices'
in this code line: import SpringBoardServices
ye i dont have it linked how can i link it?
tweakname_PRIVATE_FRAMEWORKS = SpringBoardServices
still showing the same error idk
hm ok
faptain kink
How do some tweaks do it then? https://github.com/ryannair05/Little11/blob/3e0ef9d13318e17a6cb201939b8729572b77c3c7/little11prefs/Makefile#L8
So they were ill advised and wrote that part unnecessarily?
Interesting
Huh. How does the compiler know where to link the function then?
it assumes that this is a springboard tweak
springboard will already have SpringBoardServices loaded
compiler doesn't do anything because its called at runtime and not statically linked
^
%c isn't valid c or objective c code
really should learn what logos is
its basically like a transpiler
%c(Balls)
[%c(YourMom) insertIntoMouth:%c(MyBalls)] @grave sparrow
SBSCopyLocalizedApplicationNameForDisplayIdentifier() is a C function though, no?
And does the Springboard framework get loaded into the preferences app?
use MobileCoreServices
well... you can link against it tho why can't u
dyld blocks tbd linking? @grave sparrow
I thought the allowed clients was only in the tbd and if you just remove it then you're fine
@prisma grove better way to get display name
stolen from opa's AltList
then do [[LSApplicationProxy applicationProxyForIdentifier:@"com.apple.preferences"] atl_fastDisplayName];
k
y
s
nobody cares
well you should make an app or two with xcode and Objective-C it'll go a long way in helping you understand iOS before making tweaks
me fr
do what i did
- objc as first lang
- code inside of filza
- no syntax highlighting
- tweaks before apps

only true way to learn
fr
you'll piss people off but it's the rite of passage
i love pissing off @grave sparrow
especially when i'm pinging @grave sparrow
please piss him off, bro pinged linus with a full dissertation

holy fucking shit
he did

need clion plugin

anyone have altlist for rootless
Yes
It sucks balls
Of course you would say that
Nah, I'm taking this one at the college
gender studies
gender studies is fun
liberal
@grave sparrow can you DYLD INSERT on macOS with SIP enabled
Ignore system binaries
Theoretical rn, I'm trying to think about how far my insertion would get
Say yes
What if I wrote the target app and the library (same signer?)
What about system apps/__RESTRICT or whatever it's called
What if the library was apple signed
Alr so I have to patch that check
But if I patch that check, it'll still require validly codesigned (either apple signed or same developer id, depending on whether library validation is on or not) binaries if I leave SIP on, correct?
Great I can still have some semblance of security
Well basically I want to dyld_insert my own libraries into system apps without letting anything else be injected in
My libraries are treated as platform
Target audience is dumbasses
But yikes
Well
All I need is a decently flexible (across macOS versions) patch, my patching is done from kernelspace
Benefits of your own bootloader and kexts
Oh yea this is already a done deal
Somehow still hasn't broke yet
I just need the dyld end pretty much
Bind mount would probably be the cleanest, but then you'd have to get bind mounts working
And if you want version agnostic you'd need to copy it somewhere first I think
My route is the last one, hook cs_validate_page in the kernel and patch it in there, but two problems:
- Page boundaries (this is rare, but when it does happen you're kinda fucked)
- everything now sees that modified file, which breaks delta updates (but I don't think this is a concern for you though)
And I don't think you can take this route without a kext
If it's simple I can do it myself, if it's pain I'll lyk later
This is a project that I want to do sometime soon but I got more immediate things to finish rn
How early does your jailbreakd run?
I mean I guess you could use jailbreakd to patch it
What are the pitfalls of that
patching the kernel to pick a different dylib is sorta easy, you just replace the string "/usr/lib/dyld" with idk "/var/lib/fyld" and that's it
of course not
I thought you meant static patches
can't you boot a patched kernel on macOS without even disabling SIP?
i dont understand what is causing cowabunga to still bootloop unless the people complaining didnt read and follow the prompt to get out of the situation before it happens
it should be avoidable assuming corruption of the asset catalog is what caused the bootloops
i only saw 2 complaints in 2 days so ig thats better than the initial release
would it be possible to make a tweak to get the ios16 iMessages message delete and edit function on a JB? @naive kraken ?
anything is possible
so downgrading to ios 14.3 is?, lol
who could i ask that would know how to do that?
It is, if you have a sep exploit
i do not🥲
If it’s a skill issue then I’d totally let it stay like that, at least it filters off a few of the stupid people from the jailbreak scene lol
(Waiting for the fr kids to react)
but what if its not
what if it is genuinely not detecting that it is about to bootloop
Well then it’s a serious issue that needs to be solved before more people who don’t deserve bootlooping bootloop
luckily there are ways out of the bootloop without having to update or even lose data but still
no
theres 2 ways out
in a lot of the cases, the bootloops stopped after like an hour
in worst case scenario, icloud resetting works
iCloud resetting?
resetting the device remotely with icloud
Oh, but that means data loss, right?
ye
Btw by iCloud you mean like the FMI reset?
If yes does that not require updating as well?
(Sorry if those are uneducated questions)
But if that reset doesn’t need an update through iTunes afterwards then I guess a huge red disclaimer that stuff like that might happen and a backup recommendation should be good enough until you figure stuff out
You know, like when you first open the app
So people at least get a hint that they should have a backup and don’t get mad when their phone gets temp-nuked
is there like a sandbox extension type thing for location spoofing
yeah it doesn’t make you update
Then IMO a disclaimer with a backup recommendation is good enough
has anyone used macdirtycow to repoint functions in an apps binary and not a system process
@lime pivot Should I plan on cephei rootless being on chariz at some point or should I not rely on it for rootless
Instant vertical scrolling:
Hold phone horizontally and swipe pages
@lime pivot So I finally also found a way to hack the Kwikset app so that I can use it however I want, like with Shortcuts or URLs or whatever.. I spent a long time trying to figure out the Swift ABI. Looking through the heap trying to figure out what pointed where..
Spent a while looking at disassembly..
But what really got me somewhere was using the memory dump with Xcode.
I was looking around at important instances of Auth related classes/structs and I found that the JWT was stored in this NSDictionary. Well some ObjC type was using some low level NSDictionary type that isn't publicly available in the STD lib.
So I started using Frida to just search all NSDictionarys.. This would crash the app. Then I go and find that off of the AWSMobileClient it has a reference to a NSDictionary with the jwt in it.
So I can use frida to get an instance of that AWSMobileClient and then I figured out the offset in memory from that object to the ptr to its NSDictionary.
From there I can just print the description and get the JWT.
Since its swift I had to figure out what to hook to get the openURL deeplinking stuff working. Turns out its on the SceneDelegate in SwiftUI:
ObjC.Object(ptr("0x107553550")).delegate()["- scene:openURLContexts:"]
That ptr being the SceneDelegate.
So yeah you were def right. Just reversing the HTTP requests was probably the easier approach. But now I don't have to run a server that's constantly refreshing JWTs and stuff. I just use FridaGadget configured to run a script on load that sets up the openURLContexts and when I open Kwikset with a URL it finds the JWT in memory and uses frida to send a request to lock/unlock the door.
Pretty stoked
Wish I knew a good way to learn more about what Swift objects looked like in memory.
I think I have some good resources and just need to spend more time on it. But if anyone knows of anything related to that. Let me know. I got lucky finding that NSDict off the AWSMobileClient really
Stuff like this was helpful: https://academy.realm.io/posts/goto-mike-ash-exploring-swift-memory-layout/
gm
gm
yep it’s definitely coming
good research, glad you got it working! of course you don’t need to refresh JWT constantly, if you use the Amplify SDK yourself from eg Python with their keys, you should have everything you need to let it spawn, update JWT if expired, and fire off the specific request you need
so the script only needs to run for a few seconds in response to the shortcut being fired
Yeah so originally, I just had found a few unique IDs like this thing called a pool id. And I had some text telling me what the AUTH flow was. From there I was able to write my JS implementation that used the AWS cognito libs and followed the custom auth flow that Kwikset uses. There are a lot of diff auth flows you can follow so using Charles proxy to follow the requests was super helpful.
My main goal was that I wanted to be able to use Siri and shortcuts to lock/unlock the door. And I didn't want to write a whole new iOS app to do this AWS Cognito Auth flow I just figured out how to recreate in JS. So I just created a web app which does the whole Cognito Auth flow and gets the JWT and refresh token. It has an endpoint too which uses the JWT to make the lock/unlock requests. It refreshes the JWT as it needs to and I can make an HTTP request from an iOS shortcut to this server I setup to lock/unlock the door. (Also not super secure/safe/whatever)
But my original goal was to just take advantage of the functionality already in the app. It already does this whole Cognito auth flow and stores a JWT and refreshes it. So I wanted to just add a URL handler (since I know thats one easy way for me to trigger an iOS app to launch and do something) that would call the same methods/functions that are already implemented in Kwikset and used to send the request to lock/unlock the door from the Kwikset app itself.
I'll write up everything I tried and implemented in case anyone is interested
Just wish I knew how to poke around memory better with Swift objects to find their properties and then get the vtable and find the functions they have and know how to call them.
It seems like Swift has so many different memory representations for different types so this can be challenging. And I am still a little confused if every Swift object is really an ObjC object.
I need to keep reading up on this.
Thanks again for all the help though
In lldb if I get a pointer to what I am sure is a Swift object I am still working through figuring out how I can work with this:
Im pretty bad with Swift but it looks like unsafeBitCast is what I want:
unsafeBitCast(0x7df67c50, SomeClass.self)
With the interesting stuff these properties are private I believe though?
So is my best bet still to just try and dump memory around the ptr to a Swift Object in memory and then inspect all ptrs around it to find what it references?
Thats really what I had to do to get the JWT programmatically with Frida. I get the AWSMobileClient and I know it has a ptr to this NSDict at some consistent offset where I can find that JWT
This is my hack:
```javascript
// Grab the first live AWSMobileClient instance (Swift class, hence the module-qualified name)
var awsMobileClient = ObjC.chooseSync(ObjC.classes["AWSMobileClient.AWSMobileClient"])[0];
// At +0x88 from the object (found by dumping memory around it) sits a pointer to the
// NSDictionary that holds the JWT; NativePointer.add() keeps the full 64-bit pointer intact
var dictPtr = awsMobileClient.handle.add(0x88).readPointer();
var dict = new ObjC.Object(dictPtr);
var dstr = dict.toString();
console.log("String argument: " + dstr);
// The dictionary description quotes the token, so capture the quoted "eyJ..." value
// and let JSON.parse strip the quotes
var regex = /("eyJ[^"]*")/;
var jwt = JSON.parse(dstr.match(regex)[1]);
```
ask @grave sparrow for swift info
ask @grave sparrow for swift info
@grave sparrow how do i import a swift class
dn
dn 👍

i got immediately sidetracked 👍

he says in the server where everyone is forced to use LLVM to compile things
MSVC💪
great cummy compiler

@grave sparrow
@grave sparrow take notes
on the bright side it allows u to back up ur data before the inevitable
Tiktok ceo vs congress
so basically sometimes you're just fucked and you have to accept that?
that doesn't seem like a good practice for the end user
some people are
ive only seen it with 1 person
everyone else was able to get out of it by following the directions
I mean I'll reiterate that I think it's better to have icons not fully apply than to risk a bootloop but it's your software so
^
not fully applying is an unrelated issue
this is a macdirtycow issue
I'm referring to 8.1.4 or whatever
so you're telling me the exact same bootloops happen on 8.1.4 as well then?
8.1.4 didnt have the same ram management so mdc ran out of ram
not with icon theming but in other places
its too late to recall v10 again
isn't the only issue with 10.x bootlooping icon theming now or is it every part of the app now
It really isn't
SwiftUI moment
just say "I give up on trying to resolve the bootlooping issue, as people who do follow the steps to not bootloop can still risk getting bootlooped. As a result, I am pulling all versions of cowabunga v10 and encourage everyone to not use those versions."
Or something along those lines
it took a while for Taurine 1.0.5/1.0.6 to get pulled
but it still did
also the person who bootlooped used the pirated v10 beta which means they could have had a corrupted backup file
which i think is the most likely explanation for why they are the only one that fixing the bootloop didnt work for
was there a beta that had a corrupted backup file issue or was that beta modified in any way?
no if u pirate then u dont get the correct file path to back up
is that your drm of sorts?
it usually should crash without it but the pirated version bypassed it
part of it yes
they also had the beta before more anti bootloop measures were introduced
can I also say as well that imo just an alert saying "hey do this or you'll bootloop" isn't necessarily the smartest thing ever (humans aren't smart - they'll skim through the steps like they read them all)
Also could be issues with lack of translation
didn't even think of this but if it's not translated that's 100% correct
theres no okay button
they have to close the app
even if they just close and reopen the app it will try the bootloop prevention
ok, say I'm an average person, who decides "hey cowabunga aborted I'm gonna close it and so something else for a while"
what likely happens
their fault then
you can't fault them entirely when that's literally the first thing they're going to read when they see it
I absolutely agree
how do you even go about making this
Poor guy is trying to make something and has to take shit from stupid people who don’t read instructions?
I just don’t understand why are you supporting people in being stupid. This way the community will never get any better, it’s just going to be more and more full of stupid lazy annoying people who can’t even read the instructions and annoy devs with stupid shit
I don’t support people being stupid - I’m saying people in this community can’t read and that while it is true we shouldn’t coddle them we shouldn’t act like those people don’t exist
Those people do not deserve any support
It’s entirely their own laziness
That causes them issues
so are you also saying this is laziness?
Doesn't matter
Imo if an app can bootloop you if you don’t follow the instructions and it does warn you about it, then there is 0 reason for the dev to take shit from people who bootloop
That's not how things are done
Remember most users are barely tech savvy, they only want a theme on their phones
A warning is a band-aid fix
It isn't even a fix
You can't just fix something by placing a warning
It’s a temporary fix
And don't call people stupid for that
Until you find the solution
yeah, what about until you find the solution, you don't let the public use it?
the dev himself bootlooped
how can you blame innocent users
not everyone is stupid for not following instructions
that's just human nature
I agree with that
I’m just fed up by the actually stupid people who spam the same stupid questions every day
Sorry about that
I mean the dev SSV bricked for different reasons
but still
Tbh If I had some superpower to remotely bootloop any iPhone, I’d just bootloop half of the local community. “Can i jailbreak iOS 16 on iPhone 12?” Bootlooped! “What version to downgrade my iPhone 14 for jailbreak?” Bootlooped!
if you mean that seriously, that's fucked up
Imo it’s fucked up that people don’t even bother doing a basic google search before annoying other people
Okay now I’m just venting, I apologize
you do realize google is full of scams and shit, right?
bro you aren't a new user
That’s true
you don't know how easy or how hard for them this is
Imo there should be some unskippable banner for all the new people that refers them to some quick guide on what can and what can’t be done
Yep
Or at least a pinned message
But if you check for example pins in #jailbreak theres just a bunch of random BS instead of anything useful
I don’t think people really check pins for actual information most of the time anyways to be honest
pins aren't exactly evident tbh anyway
True
true
(on mobile you have to do an extra swipe anyways)
I mean, I remember when I started myself, I was also confused and had no idea where to look for stuff, but at the time there was no discord so I had to use my own brain to find stuff and I still somehow managed to find r/jailbreak and get all my info.
congratulations, when you started is much different than now
Maybe all the new users should be put into a channel with a link to a quick guide and only after like a day they would get the permission to write here
Not really
The online scams were the same
But there were far less compiled guides so imo it was actually harder
Because you had to first learn how shit works and then search for what you need while now you can just check the guide, click on ur device/version and you have all the info
this server should have onboarding i think
Yeah but i think you can skip it and go straight to asking stupid questions
If there was a delay before being able to write that would at least motivate people to click the link with the guide (if there is any)
its slowly integrating more and more into discords native features from what i can see
on the other hand, if they're willing to skip it, they might just leave if they see a delay
So? Good for everybody else
I get it, not everybody wants to wait to get their stuff working but if during the wait you are offered a guide that’s basically mandatory to read no matter what, then what’s the problem?
jailbreak thanos
Another issue is out of date info but I think that’s mostly a thing of the past, few years ago even if I found some useful info, it was hard to tell whether it’s updated or not so i would also ask stupid questions back then (not that there was any place where I could ask them tho), but now whenever stuff gets released or whatever, pretty much all the wikis and guides are updated within hours/minutes
Okay I vented enough, I’ll peacefully fuck off now 😅
i'm waiting till it's closer to actually stable/usability to blab too much, but it's on the dragonbuild github if you're interested in the code side
rjb developers trying not to insult someone’s intelligence because they don’t know some obscure fact about ios
DRM but instead of bricking the phone if it pirates, it checks for open tickets in #genius-bar
TRUE
im just putting some thoughts out here for anyone just in case they wanna look into this too
im fairly sure that this code can be used for a basic location spoofer with a jailbreak
```logos
#import <Foundation/Foundation.h>

// minimal redeclaration so this builds without importing CoreLocation
@interface CLLocation : NSObject
- (CLLocation *)initWithLatitude:(double)arg1 longitude:(double)arg2;
@end

%hook CLLocationManager
// every caller of -location now gets a fixed coordinate (0, 0)
- (CLLocation *)location {
    return [[CLLocation alloc] initWithLatitude:0 longitude:0];
}
%end
```
(i dont know if this is the right way to do it but i think it is)
but shouldnt it be possible to overwrite the CoreLocation framework's location method to point to a method that returns a CLLocation
which in turn would basically allow for location spoofing on iOS 16 w MDC?
no idea if any of this is right or not
or how dumb i sound, but its just a thought
Is it possible to save OTA blobs for a version that requires Delay OTA to update to? Theoretically, it should be, but how would you set it up to send a TSS request for blobs for a deferred OTA update?
facebook mom meme
Yes, that would work
I’m just not sure how I’d find the ask for returning a CLLocation
How do you mean?
so like, the way WDBRemoveThreeAppLimit works is by finding a location in locationd's memory that runs return true or mov x0, #1 and just repoints performVerificationWithError: to that found address
in this case, we'd need to find an address that returns a CLLocation in order to repoint location to that address
```c
CLLocation *__cdecl -[CLLocation init](CLLocation *self, SEL a2)
{
    return (CLLocation *)-[CLLocation initWithLatitude:longitude:](self, sel_initWithLatitude_longitude_, 0.0, 0.0);
}
```
like that could probably work
but idk if what i see in ida is what id patchfind
```asm
; CLLocation *__cdecl -[CLLocation init](CLLocation *self, SEL)
__text:00000001871E670C __CLLocation_init_ ; DATA XREF: __objc_methlist:00000001871F164C↓o
__text:00000001871E670C ADRP X8, #selRef_initWithLatitude_longitude_@PAGE
__text:00000001871E6710 LDR X1, [X8,#selRef_initWithLatitude_longitude_@PAGEOFF] ; SEL
__text:00000001871E6714 FMOV D0, XZR
__text:00000001871E6718 FMOV D1, XZR
__text:00000001871E671C B _objc_msgSend
```
but shouldnt it be possible to overwrite the CoreLocation framework's location method to point to a method that returns a CLLocation
which in turn would basically allow for location spoofing on iOS 16 w MDC?
well... no
if this is genuinely implemented in CoreLocation.framework, then it's in the dyld cache
which means you're fucked
if it's implemented in locationd, then maybe
its in there yeah
does /System/Frameworks/CoreLocation.framework/CoreLocation not work?
im confused
binaries haven't been on disk like that for years
patching dyld cache isn't a good idea
and i don't even know if it'd work with MDC
given that the dyld cache is already loaded into memory
wow no way you live on Null Island?
you could disassemble how locationd sends the current location coords to the app
would be an xpc agent I'm sure
gm
I tried doing that, but I know little about xpc services/agents/clients and it's too difficult to understand
@lime pivot had some issues with theos rootless, so decided to reinstall, now I get this (?)
oh, because I supposedly had macports installed once... wtf
non-issue, I'm dumb sorry
appreciate you mentioning it anyway, I wonder why it gives priority to macports
malware
2 to 1
Dude, stop posting this unreadable 10 pixels of BS and just post text
Maybe it’s mobile discord being a bitch but I can’t read that
If that was to me then I don’t get the joke
From my understanding zefram is a made up thing and thats the whole joke
yeah that’s the joke
Oooooh
I was actually getting mad that nobody wants to tell me what it is 😅
Sorry I’m a bit slow sometimes
@grave sparrow good joke man
never coming out
Well, that instantly made it way more funny
(as it's malware)
Idk why nobody could tell me this when I asked the first 729347 times
Zefram is malicious software, commonly referred to as malware, that is specifically designed to hack Apple devices such as iPhones and Macs. This malware has the capability to compromise the security and privacy of Apple users by infiltrating their devices and extracting sensitive information. The purpose of Zefram is to gather sensitive information such as login credentials, financial information, and personal data, which can then be used for malicious purposes such as identity theft and financial fraud. Zefram uses various techniques to spread and infect Apple devices, such as phishing scams and software vulnerabilities. It is highly sophisticated and can evade traditional security measures, making it difficult for Apple users to protect themselves against this threat. To stay protected, Apple users should regularly update their devices and be cautious of suspicious links and emails. Additionally, it is recommended to use robust security software to detect and prevent attacks from Zefram and other similar threats.
that's the text 
Does anyone know why my NSTask doesn't seem to produce output on rootless iOS 15? It works fine on rootful, but on rootless, the output string is (mostly) empty. I'm calling it like this:
```objc
#import <Foundation/Foundation.h>

// Spawn a shell under the theos install prefix and capture its stdout.
// THEOS_PACKAGE_INSTALL_PREFIX is a theos-provided string macro
// ("" on rootful, "/var/jb" on rootless).
NSPipe *pipe = [NSPipe pipe];
NSTask *task = [[NSTask alloc] init];
task.arguments = @[@"-c", @"dpkg --version"];
task.launchPath = [NSString stringWithFormat:@"%s/bin/sh", THEOS_PACKAGE_INSTALL_PREFIX];
[task setStandardOutput:pipe];
[task launch];
[task waitUntilExit];

// Read everything the child wrote before it exited.
NSFileHandle *file = [pipe fileHandleForReading];
NSData *output = [file readDataToEndOfFile];
NSString *outputString = [[NSString alloc] initWithData:output encoding:NSUTF8StringEncoding];
```
Almost anything just gives me an empty string, with (so far) the exception of just calling pwd, which returns /. Even a simple whoami doesn't return anything. Do I have to do something different for rootless?
you should be using the Macro however
ROOT_PATH_NS(@"/bin/sh")
(but that's not the issue)
I'm in Preferences, but as I said, it works fine in a rootful environment.
tbh I can't tell you. It's pretty old code I'm currently going through, and I have no idea why I did spawn a shell here. I probably tried to run dpkg directly but ran into issues, but I couldn't tell you
ah, i remember now. while calling dpkg directly works (with e.g. --version as argument), I don't seem to be getting any output when calling it with two arguments (like -s com.my.package)
seems like for some reason, dpkg can't find dpkg-query when called from NSTask. Calling dpkg-query directly works though, so I'll just be using that
probably path issue
```c
setenv("PATH", "/sbin:/bin:/usr/sbin:/usr/bin:/var/jb/sbin:/var/jb/bin:/var/jb/usr/sbin:/var/jb/usr/bin", 1);
```
maybe this helps?
hm you probably want to set it on the process you spawn though
L
what if it’s not suspended to begin with
tim cook with the xnu backdoor
what
@grave sparrow does ktrw still work on macos
it’s a google project zero project
to bypass ktrr through a next
kext
I see
I wish it was doable on ios
buy android problem solved
copium is good
what's a good way to decompile and dump headers from an iOS app? Preferably that I can run on my m1 mac.
er, what tool do i use
pip install gorn
bet
i'm probs still gonna have to manually adjust them but it'll be fun ;)
can i build flex for armv7 on macos 13 & new xcode? i'm having lots of issues
@grave sparrow arm 2
@silver rampart https://twitter.com/anuolfraccoon/status/1639840815366152192
hate you for pinging me on this
You’re the reason I know what it is 
hate even more that i get it
You originally mentioned the idea of getting the hoodie because people would never be able to acknowledge it
what's the trans h sticker 
Hack club
o
headers with trans rights
anyone know the repo for vim (rootful)? I swear it used to be on a default palera1n repo, but I can't seem to find it now
nano on procursus 👍
oh, looks like the sileo search was just buggy, now it appears. weird
I'm not answering to that 😄
Nano supremacy
nano is also fine actually
is there a rootless version of libFlex yet?
The pinned flexing deb bundles libflex
not true
there is no replacement for vim
🙏
there's nothing
thanks!
Can someone identify the issue in this crash log? Crash happens as soon as the user opens my Preferences page, using Fugu15 on 15.4.1. Preferences work fine on palera1n 15.7. I don't see how this is anything that my tweak causes, because it seems that the RootController doesnt even get loaded
this is old arm64e ABI issue
you need to compile your rootless package with the new one
probably a stupid question, but how do i do that? 😅
right now I'm using latest theos on WSL, but I can switch to macOS if it's necessary
so I guess it's not possible on WSL/Linux?
I assume the latest one here won't work? https://github.com/L1ghtmann/llvm-project/releases
since it's using clang 11.x, it's from XCode 11. Guess I'll have to compile it on macOS then
there was a new source drop recently but I‘m not sure if there is a build for it already
it's fine for now, after compiling it on my mac it works now. but of course it would be nice if in the future I could still work on my WSL install instead 😄
catch me dead with a programming language sticker
based jetbrains user however
catch me dead with a sticker
I don't think new ld64 supports new ABI...
Unstable ABI not for developers or some bs like that
so they give us the old ABI
that's not only unstable but also no longer works
nice
mannnn
just rewrite everything from SBIconScrollView down
take his dev role away till he writes vertical sb scroll
fr
@grim sparrow so it turns out dave and busters doesnt store the tickets/swipes on the nfc card
its uid is assigned in a db and when you tap it reads from the server
If it helps, Cylinder does this as one of its effects: https://github.com/ryannair05/Cylinder-Remade/blob/9cd80ebddf90890e6b61544626b8b1251d78cea0/tweak/CylinderAnimator.swift#L401
Not all pages are loaded or part of the scroll view. So using numPages for height would be wrong. It reuses pages, so it uses at most 3 pages (last I remember): previous page, current page, and next page. Also it's not as simple as just changing content offset and size, you'd have to make sure it loads the current reusable page when the current page changes.
Unless you are going for the visual scroll effect only in which case you can probably just specify translation.
Which I assume is what cylinder is doing.
I was thinking if you have the effect, from there you could probably just change the swipe gesture and it would be basically the exact same thing
Pretty sure its not a separate swipe gesture, it just uses the scroll view's swiping. In which case you'd be doing lot of hacking to have vertical scrolling to do the translation.
shocker
there was always a chance
gorn
yeah maybe 8 years ago when someone did that and they realized "shit"
at best
I’m developing a jailbroken-only app on iOS 14. I’m currently using TrollStore to install, but I kind of hate entitlements after my plist has become a mile long and I still don’t think I found enough. Can I bypass them entirely and give myself all of them somehow?
that is possibly the worst idea i’ve ever heard
you probably don't need 50 entitlements to achieve whatever you are doing
i did NOT read the console
If that was for me, you’re probably right. Is there a way to check anyways for testing purposes to see if this is even an entitlements issue?
console tells you what you need to access the functions you’re using afaik
I was actually poring over the console output far too long even with everything enabled. Maybe I'm not facing an entitlements issue, but I'm not really sure why the app is failing to create a sandbox extension to read its own container otherwise
@snow python since youre prob the most knowledgeable out here for location spoofing, do yk what CLSimulationControllerAdapter in locationd is for
im trying to use location spoofing on ios 16, if you have any info on this, dm me i can/try to help
do you have platform-application and an unsandboxing entitlement
Yes, I have platform-application and com.apple.private.security.no-sandbox
I’m calling sandbox_extension_issue_file to get a sandbox extension with read access to the app’s own container in /var/containers/Bundle/Application, but it won’t yield an extension. I think I can’t do it because of some entitlement.
well
you need an entitlement for sandbox_extension_issue_file
the problem is that entitlement requires listing the path you're trying to generate a sandbox extension for
i don't know how you'd do that because the uuid changes
If I gave myself an entitlement for / (the root directory), would that cover it or would I then have to issue the extension for / as well?
the entitlement gives you the ability to use sandbox_extension_issue_file
idk if issuing it on / will work though
oh i see what you mean
It would definitely be ridiculous to try to do it for 2^256 possible UUIDs though
i think put /var/containers/Bundle/Application in your entitlement and try issuing it for your specific directory
i can't say i've tried it though
Silly question, but what is that entitlement, or how do I find it?
i think the entitlement is either com.apple.security.exception.files.home-relative-path.read-only or com.apple.security.exception.files.absolute-path.read-only
not entirely sure what the difference is between the two
and you can also change read-only to read-write
I’ll take a look. I could be wrong, but I think the difference is the home-relative-path is relative to mobile’s home directory
maybe
I just realized I already had /private/var/containers/Bundle/Application/ in there, so maybe that’s what Apple does? annoyed grunt
By the way, thanks for the help you’ve given. I appreciate it.
no a process can generate extensions for anything it itself can access
mdc is way too delicate for icon theming
no matter what i do it still ends up corrupting a file at some point
even allocating enough ram doesnt do anything
@wind ravine so why wont hidden icon labels work?
it doesnt work for half the apps and other apps it causes them not to open
i tried that, it didn’t work
i could try again but i doubt it would work
even after fixing the apps?
using the theme "fix apps"
just checked, doesn’t work
it needs to be reverted back again in order to not crash
weird
fr tho if u wanna share how that'd be nice
.
ah bet
oh lol I meant how did you get autocompletion for UIKit
the two most recent projects on that github
- the clangd plugin and some dragon tooling to make it happy
compile_commands.json
anyone good with CoreAnimation im remaking anilaunch if you have any ideas for icon animations lemme know
mm tru
can i build flex for armv7 on macos 13 & new xcode? i'm having lots of issues building the package with theos. is there a way to just tell theos not to use flex and/or the code that opens it so i can get a valid IPA? i don't need flex for armv7
pretty sure Xcode 14 drops building for armv7
gcc is faster than clang
since it is 2 characters shorter
think of the hundreds of cycles saved not printing those extra characters in logs
gcc supports more total targets
i hope it was clear that my proposition of 'the program is faster because it's name is shorter' was me bullshitting entirely
x86_64 is the only real target 
what's the code look like though
arm64? Never heard of it
LLVM is hurting me but its mostly due to my own incompetence
Llvm doesn't support alpha hppa sh sparc64 or m88k
m88k was removed in gcc 4, but that's beside the point
Also, gcc is gas because it uses gas instead of an integrated assembler like clang
can we make fetch calls in Xen HTML widgets?
gass
is there an easy way to strip armv7 binaries from apps so i can make tweaks w libraries compiled under macos 13/xcode 14
if not i'm hopping to 11.2.1 or whatever that lets me decrypt app store apps and also actually lets me write tweaks for apps lol
Who knows the problem?
You probably didn’t provide correct login details
i’m watching it now
rollercoaster ride
i’ll watch all the movies and stuff like that too
WWWWWW
Watch the series then End of Evangelion
Rebuilds are a little weird
Weird compared to evangelion
So
depressed Hideaki Anno only
Question: are there many major differences between how tweaks work on palera1n rootless vs fugu15 max?
The thing is, there’s one rootful tweak that someone hacked up to work with xina so I want to try to hack it up even more so it maybe works with fugu but I don’t want to screw up and bootloop my my main phone so I would do it in rootless palera1n
But there is no other way
And I need that tweak
what's the tweak?
EQE
All I need is to apply a single custom EQ curve to Apple Music over car play, I’m willing to pay money for it to work
I see
The problem is that I suck at programming, I don't have the creativity to come up with solutions to problems so I can't just make a tweak that hooks mediaserver and applies a bunch of filters without another 9/11 happening in my phone
9/11 2 happened already
Hwat
it happened when zefram was made
I just got an idea though, maybe I can hijack the audio buffer and just send it to some AU host app
Actually no, because then the output of that app would get hijacked as well and it would create a loop…
Some of yall might remember that im creating a website related to data monitoring from IoT devices (Air statistics etc.)
Backend and frontend are separate -
- Nuxt + Vuetify in the front
- Express with all its needed stuff in the back
Because of this, i have a question - Is sending POST, GET etc. requests for every single thing i need to display to endpoints the best way of doing the communication between them or is there something i might be missing ?
90% of the data ill be displaying is tables (json objects), which are sent back and forth as, well, json as of right now
i guess i could implement the sorting of the data in the front ( Device added by x user, show readings between this and that date etc )
Depends on how often the data should be refreshed. If you're only requesting it once on the page load, GET requests are fine. But if you want to continuously monitor it (e.g. you are polling the data every x seconds, or want to send updates from the server-side), WebSockets are probably what you're looking for
Yea, displaying it on page load is fine, so is refreshing. I guess i could just add a refresh button or sum that sends the get request if i need that
I also want to implement editing the values ( Create, Delete ) inside the table itself, thats gonna be bit more of a mess for me
Looking at their website (https://eqe.fm/) they have a link for a palera1n build. Not sure if that's rootful or rootless but you could give it a try. You might be able to contact the dev and they can possibly try building it for fugu15 max
Nah, that’s rootful
I've already spoken to the dev multiple times
He straight up refuses to update it to rootless, because he thinks rootless is just a hacked up temporary solution or smth
Also he was like “why rootless? nothing is preventing u from buying an iPhone 7”
is it open source?
bruh
Yeah, So when fugu gets a bit more mature and neither I or anyone else will have any luck patching it up, i guess I’ll just post a $50 bounty and hope someone will do it
😅
lmao