#development

ah

for them it works in basically every game ive tried

on ios I would patch the ipa with a bunch of detours to my own code

thats a userland process

you're not having to do silly little exploits to get krw

but its not runtime

because when you install an ipa you're signing it with your certificate

and you have your private key

doesnt editing the memory break the code sign and cause it to crash

you do not have apples private key

mhm

not when you sign the edited memory with your cert

but your cert can only entitle apps to basic things

ahhh i see

so if I sign it myself and then write to a specific address it will be fine

wait are you patching the memory at runtime or statically

runtime

I used to do it statically

the dylib you load has to be signed with the same cert as the app which is one thing

but once thats loaded, you can edit your own memory

for your process

oh ok

apple employ hardened runtime on iOS and one of those quirks is that all loaded libraries have to be signed by either Apple or the same developer

so thats why it works

because you inject the dylib into the ipa and sign them both

yes

bruh

I have been lied to

How

Not really in the mood of spoon feeding a jb bypass rn

its not even jb

The app has sideload and jb detection, just the sideload detection was easier to bypass so far

even tho i should try to bypass jb (i have no clue how)

I'm trying to recreate the ios media play in html/css/js for fun or whatever, but I'm running into an issue. idk if it's a WebKit issue or if it's a skill issue. basically, when you click/touch the div, it sets it to active then applies the scale-up thing to make it look like ios16. But when you let go (stop touching it) the active thing seems like it's still applied. and only when you click another interactive div/button does it remove the active. This issue does not exist on my pc/desktop

css -

`.mainconmeddiaplayer .progress .bar {
display: flex;
padding: 4px;
flex-direction: column;
align-items: flex-start;
flex: 1 0 0;
-webkit-overflow-scrolling: touch;
-webkit-user-select: none;
}

.mainconmeddiaplayer .progress .bar:active {
transform: scale(1, 1.5);
}`

js -

` <script>
function pauseplay() {
const pausePlayImages = document.querySelectorAll('.pauseplay .cont11 img');

            console.log('button clicked');
            console.log(pausePlayImages);

            pausePlayImages.forEach((img) => {
                img.classList.toggle('hidden');
            });
        }
    </script>

html - <div class="bar">
<div class="barBG"></div>
<div class="barlight"></div>
</div>`

How do i fix this ?

Using node v18.16.1

Im aware of NODE_OPTIONS="--openssl-legacy-provider", but if i set that, then electron cries

https://stackoverflow.com/a/67643629/13062807 what if u use js to listen for touch events and apply/unapply the style programmatically

:active is probably different for mobile devices
if it was a webkit issue, safari on mac would have similar behavior
but it's supposed to only be applied when the main mouse button is held (active) on the element on a desktop ofc
i think the problem is that with touch devices you have hold actions as well as dragging while hovering (in the traditional sense) doesn't exist so js for detecting that stuff is better

thats what i was thinking but hoping there was some like magic :ontouch lol, thanks

reading up on it, it seems like :hover is used for touches

yeah on mobile, hover/active doesn't really make sense. you can't "hover" without a cursor

so tapping an element makes it hovered/active, until you tap something else

connects a mouse

It is possible to sideload without changing bundle id

and can vm_write only write 4 bytes?

so it looks like it since it takes an unsigned long as param

i mean i've only ever sideloaded using traditional methods but sideloadly has "sideload spoofer" which can have an app think it has the original bundle id

bundle ids only really have to be unique if you're going through apple to sign it (free accounts, sideloadly, altstore, xcode)

if you have something like esign and a valid cert then you can use any bundle id you wish

no, and that's why i mentioned the feature sideloadly has

and i mean, esign is just someone elses dev account anyway

think capt think
you can just inject a tweak

doesn't really matter what the bundle id is (on device) if the app just reads another one

what's the goal then

i mean for what reason

then why don't you just inject a tweak

damn i haven't used sideloadly in a minute. they added a ton of features lol

jailed sounds like pain regardless

im a r

we stan install_name_tool here

true

hey capt

youre a bitch

best city in the world

where do u live

yea what i thought

bitch goes to see joe every weekend

me too

all you did was disassemble it

okay

my brother in christ the purpose was to make your own

quit wasting time then

smh

also please remember who the devs of sideloadly are

and what they make

90% are just mod menus

so i wouldn't be surprised if they based it on existing tweaks

my point is, just be careful just calling it malware because you see extra functions
a lot of people use this already so

what is this

whats that tweak

that sounds normal

is that hopper

yes

Is it better than ghidra

a tool is only as good as the person who uses it

whats wrong with it

what else does it do

what do u want me to figure out

well i realized that once it tried to tell me that an int function was void

i dont do free work

not a liberal

i dont volunteer

ok

mal as in malice
i'd prefer if we didn't label it so fast

calls it malware and barely looks at what it does

i'm not saying that you shouldn't be cautious at all, i'm just saying that saying it's malware will just scare people away from sideloadly as a whole
and that wouldn't be fair without proper investigation

and?

julioverne is a pirate, we still used the things he made

who made it

me

yeah fuck you bitch

still missed my point
remember how people legitimately thought icraze made malware because people said it as a joke

oh i would def not be surprised if sideloadly does some sketchy shit

im sure it does

neither would i
but you shouldn't just immediately call it bad without looking into it properly

that's all i'm saying

didn't i just mention the mod menu thing

they probably didn't write it from scratch

whats storekit

app store shit

purchases nd that

crazy

anyway, you're in hopper, you can figure that out

zefram malware

why haven't you hacked ios yet

opa could use some help

that's what zefram is

whats a convenient way to open my ui?

False reasons.

Real reason is cause you are lame.

so i made a window whicn appears over all others. But i want to open and close the stuff inside the window

ill look into it tomorrow

thanks

capt i hate you

we all hate capt

So true bestie

why did i even bother

ok so it just doesn't work with rootless

icraze ios

did you import Foundation or UIKit

should i?

yes

I'd just import UIKit directly

only if you wanna use foundation or uikit

well i'm just confused since it builds fine if i'm not using rootless

lol

show the makefile

TARGET = iphone:clang:13.7:latest

INSTALL_TARGET_PROCESSES = SpringBoard

include $(THEOS)/makefiles/common.mk

ARCHS = arm64 arm64e

TWEAK_NAME = magbar

$(TWEAK_NAME)_FILES = Tweak.x
$(TWEAK_NAME)_FRAMEWORKS = UIKit
$(TWEAK_NAME)_PRIVATE_FRAMEWORKS = Preferences UIKitCore
$(TWEAK_NAME)_EXTRA_FRAMEWORKS += Cephei
$(TWEAK_NAME)_LIBRARIES = colorpicker
$(TWEAK_NAME)_CFLAGS = -fobjc-arc

include $(THEOS_MAKE_PATH)/tweak.mk
SUBPROJECTS += $(TWEAK_NAME)prefs
include $(THEOS_MAKE_PATH)/aggregate.mk

hm looks fine

I think TARGET should be:
TARGET := iphone:clang:latest:15.0 for rootless

well i was trying to avoid rewriting it since what's there already works on rootful 15, problem is that some things used don't exist past 14.5 sdk

I see I see, does it throw deprecated warnings when you try and compile it?

i only run into this if using both rootless and FINALPACKAGE

can you post the entirety of the output

^

yeah it's a bit long

can you show us one of the methods referenced in there?

if its not too long ofc

UIColor * returnUIColor(NSString * realText) {
    NSString *cleanString = [realText stringByReplacingOccurrencesOfString:@"#" withString:@""];
    if([cleanString length] == 3) {
        cleanString = [NSString stringWithFormat:@"%@%@%@%@%@%@",
                        [cleanString substringWithRange:NSMakeRange(0, 1)],[cleanString substringWithRange:NSMakeRange(0, 1)],
                        [cleanString substringWithRange:NSMakeRange(1, 1)],[cleanString substringWithRange:NSMakeRange(1, 1)],
                        [cleanString substringWithRange:NSMakeRange(2, 1)],[cleanString substringWithRange:NSMakeRange(2, 1)]];
    }
    if([cleanString length] == 6) {
        cleanString = [cleanString stringByAppendingString:@"ff"];
    }
    
    unsigned int baseValue;
    [[NSScanner scannerWithString:cleanString] scanHexInt:&baseValue];
    
    float red = ((baseValue >> 24) & 0xFF)/255.0f;
    float green = ((baseValue >> 16) & 0xFF)/255.0f;
    float blue = ((baseValue >> 8) & 0xFF)/255.0f;
    float alpha = ((baseValue >> 0) & 0xFF)/255.0f;

    return [UIColor colorWithRed:red green:green blue:blue alpha:alpha];
}```

ok yeah there don't seem to be issues there

what happens when you do this, what compile errors/warnings are there?

is the target the same as the prefs

actually no the prefs would be linked separately

hm

yeah

yea

how would i make a drop down menu in tweak prefs if possible

im using cephei if that changes anything

uhhh

sure that works

or this

just something that'll let me pick from a list of options

well clicking "home fax" leads to that page on the right

on the right

yeah fuck that

is there like a github that has all the controls you can do in tweak prefs

wacko

ok

yea but u know theres some useful pinned msgs here

u never know

@grave sparrow gorn

why making tweaks gotta be so hard man

icraze moment

Webshade did something like this with its per website settings but it's probably pretty shit

https://github.com/WilsontheWolf/WebShade/blob/master/webshadeprefs/WSPSiteListController.m

Also I'm pretty sure my method breaks if the app gets switched out and backgrounded then restored to the page

"isnt it just raping the constructor or whatever"
my friends description of hooking

@hasty ruin help? idk trying to compile sm(not mine)

just import foundation

that thing is not necessary iirc

@import foundation; ?

@import Foundation;

ah

@radiant idol how do i comment somthing out in a Tweak.x file // or # ?

//

#import <Foundation/Foundation.h>
#include <Foundation/Foundation.h>
@import Foundation;

any of those

lmao

are there any differenes

@import and #import i think are the same, and import is i think prefered over include bc (i think) when you do import it prevents duplicate references

#include - doesnt prevent duplicates
#import - does prevent
@import - is for modules so you cant do @import "my_custom_header" for example. also good for like importing swift stuff into objc or whatever it is

like cephei for example helps to use @import

yeah

I normally do @import UIKit; for example

just looks cleaner

#import where available. else #include

no

Capt: "#import where not available"

L

Nobody asked

fr

yeah basically

#import for objc

#include for c

thats what i do

yeah

using the language properly

Impossible

Nah dude inline everything into one massive macro

#import 💀

thats not source code, that's a extracted IPSW

yeah LMAO this is just a extracted ipsw

BRO

CAN YOU GET 16.5.1

THIS MEANS WE CAN JAILBREAK

Skill issue

You’re an idiot

Rule 1

whitenames smh

bros a bit angry

im a pro jailbreak dev

you are a mad

Is there something like a super of a super in ObjC? I created a new UIWindow, then added a ViewController to it which then inits my UI, now i want the to change the bounds of the UIWindow from a function of the my UI

@tepid olive i might make a pr to accord for better pomelo support bc i'm bored and why not

Its a new discord account too, lmao, just a troll.

they actually admitted they're 10 in #jailbreak earlier

So ban then? https://support.discord.com/hc/en-us/community/posts/360050817374-Age-restriction

yeah i already pinged aaron (the administrator not owner)

#jailbreak message

i reported them to discord lol

tf happened here

also #import acts like @import when modules are enabled, so #import <UIKit/UIKit.h> = @import UIKit;, #import <os/log.h> = @import os.log;

no i didn't

jonathandata said the same iirc

except that dude is in his 30s or something

yup

thanks for that fun fact

never knew it

yeah thanks capt

not with variable names afaik

yup

that's what obfuscation in java does basically

how can you change the default value of a psswitchcell based on an if statement in tweak prefs

Im bad at explaining, if something is unclear please tell me. So i created an ui window, then init my ui over the entire window. Inside my ui is a button and i want to make a function that makes the window only as big as the button and only where the button is when i call the function to show the button

i got the psspecifier but idk if i can modify the default value

looking at the header for psspecifier i dont see anything that can do anything like that

@grim sparrow are there any github repos or code examples of people memory editing at runtime while jailed because when I do it, it crashes

it crashes when I write to the memory

im guessing it doesnt like memcpy

Thanks @grave sparrow for The fun fact

you cannot

finally something you’re able to RE

@grave sparrow do u know

i wish they atleast documented preferences framework

im pretty sure there isnt one

does psspecifier have a way to set a default value?

psspecifier.h has nothing relating to default i think

@lime pivot do you know or maybe cephei has a way?

you need to set it in the properties dictionary

specifier.properties[@“default”] = blah

oh

oooh

i feel dumb

thank you

there are literally apps that do

that iGameGod thing

what if the process being edited is signed with the same signature as the process thats editing it

like an app editing itself

nah is ok, it’s hard

so how come this works then

bruh

I have done it before

it was memory editing

literally cheat engine

probably jailbroken

im on iphone xr with ios 15.6

I didn’t finish my message lmao

thats injected into the app

it’s hard to know if it’s the right way to do it when it’s just, a dictionary

yea thats what im talking about

.

its a tweak injected

and some but not all things have an objc property

and then the app sideloaded

ik thats what im working with

no i guess it isnt

its just memory that it being edited at runtime but its not actually runtime and doesnt change anything even tho it literally works

thats what im getting from you

if I directly edit memory in the game while it is running and it changes a value in the game is it runtime

so it is runtime

so it is possible

ok wait let me record it

https://youtu.be/EetjrXGBN7A

why because it will prove you wrong?

vm_protect moment

because you are wrong

ok wait

captain incorporated

this funny little line of code will patch the games update method to instantly return causing it to freeze

Woah look at that it made the game freeze for some reason

real

It patches the memory at runtime but the code to patch it is statically patched

its a regular tweak

it gets injected at runtime

but the code is compiled

lol

i think thats what they mean lmfao

this is patched onto the executable statically and then it runs at soon as it starts

what

thats not what I said

I wrote some code. I then compile the code to a dylib and inject it. Now the code that changes the memory to make that funtion return is injected into the game. I hooked CCScheduler::update which is called as soon as the game starts. Then the MemoryPatch() function is run and on the second update it returns instantly

I am

with the MemoryPatch function

thing is it isnt

@grave sparrow can u remap a page over the target

it stays open

yes

if the signatures are different

does it

how can you do page signing then

i thought you could freely move pages

but not modify them

modify the page table so that a page at 0x4000 is at 0x8000

i’m pretty sure u can

u could technically create a single ret page and map it over ur page

but aslr breaks that i think

did I allocate a new page at runtime?

oh wait i did

if it’s codesigned maybe?

dlopen from /var = no go right?

funny thing how it doesnt though

int 80h

no u can dlopen from /var

xina does it

dlopening from /var is complicated

nah the fith one

maybe you wont admit you are wrong

oh sorry im supposed to listen to you because you have a funky little orange username

so who's the professional?

corel would disagree

I give uup

have fun with no privaledges

lol

Moment

a day in the life of the dev channel

why are you reversing rosetta

liberal development

i can help

yeah i know all about that low level mach darwin stuff

did you know ive never owned a mac

yet i still know everything about darwin

nope

why would i

i think even if i did he wouldnt give it to you

yeahh

imagine having ios source code

why does apple need riscv programmers

no but they need risc v programmers

like the architecture risc v

https://jobs.apple.com/en-us/details/200481969/software-engineer-darwin-runtime?team=SFTWR
https://jobs.apple.com/en-us/details/200480884/core-os-driver-firmware-engineer?team=SFTWR
https://jobs.apple.com/en-us/details/200475378/platform-kernel-engineer?team=SFTWR
https://jobs.apple.com/en-us/details/200472223/coreos-darwin-virtual-memory-engineer?team=SFTWR @grave sparrow

there u go

lots of vision pro openings

walmart

nobody will

what things

yeah

413 jobs for vision pro

idk

apple really wants the best

phd/ms in computer vision, natural language processing, machine learning, computer graphics, or computer science for software engineer for vision pro

yeah bro

oh it says or 5+ years of equivalent industry experience

get this though

bs in compsci

fr

TRUE

do you enjoy making things up in your spare time or is this a job for you

how capt thinks the presidency works:

the text is reversed

oh damn you got me

The difference is that war is one of the things the president actually has control on

not as much anymore

blame bush or somethin

they removed some of the AUMF’s but not all of them

exactly

BASED

why do u thnik he doesnt have a job

if i have a window, to which i assigned a view controller that inits my UI and adds it as a subview to the window, can i then access the window from my ui class using super?

or is the super the view Controller?

@pale bough happy birthday big man

thank yew

:3

if the TouchBar is controlled by the T2 chip on Intel macs, im guessing the T2 "is integrated" into the SoC on M-Series right ?

> idevicesetlocation.exe 1 1
ERROR: Could not start the simulatelocation service: Invalid service
Make sure a developer disk image is mounted!

wtf

how

why

install an app from Xcode silly billy

im on windows silly billy

.exe

have you seen the new funny Apple thing

developer disk images are now signed with blobs

yeah coz zhuowei hacked ios with them

Trolled

fixed

idevicemount

or whatever it’s called

https://github.com/mspvirajpatel/Xcode_Developer_Disk_Images

Getting back to updating my tweaks for rootless, but am i missing some documentation? My preference bundle's can't seem to find the Libraries i depend on when loading, still thinking they are in the root /usr/lib path, instead of /var/jb/usr/lib

The library in $THEOS/lib/iphone/rootless needs to have rpath install path

https://github.com/opa334/AltList/blob/main/Makefile#L15-L17

ahhh gotcha

that seemed the trick, thx!

figured out how to do it

and its not complicated at all

so i figured out how to trigger a function on my pc from my non-jb phone over usb without networking involved

what was your solution

import subprocess

def get_udid():
    """
    Get the udid of the connected iDevice.
    """
    try:
        devices = subprocess.run(['idevice_id.exe', '--list'], capture_output=True, text=True)
        connected_devices = devices.stdout.strip().split('\n')

        if connected_devices:
            return connected_devices[0]
    
    except FileNotFoundError:
        raise Exception('idevice_id.exe not found.')

def main():
    """
    Start logging the syslogs of the connected iDevice.
    """
    try:
        cmd = ['idevicesyslog.exe', '-u', get_udid(), '-m', '[CommandHandler]']
        proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)

        for line in proc.stdout:
            handle_cmd(line.strip())

    except FileNotFoundError:
        raise Exception('idevicesyslog.exe not found.')
    

def handle_cmd(cmd):
    if "CommandHandler" not in cmd: return

    cmd = cmd[cmd.find('[CommandHandler]') + len('[CommandHandler]'):].strip()
    
    if cmd == "function":
        print("Call function()")
    elif cmd.startswith('cmd_with_args'):
        arg1, arg2 = cmd.replace('cmd_with_args ', '').split(' ')
        print(f"Arg1: {arg1}, Arg2: {arg2}")
    else:
        print("Unknown command.")

if __name__ == "__main__":
    main()

and then on the phone NSLog(@"[CommandHandler] function"); or NSLog(@"[CommandHandler] cmd_with_args 123 xyz");

more or less just call idevicesyslog, monitor that output and when you get a log with [CommandHandler] just filter out the junk and using the remaining string in the log just call a function

oh that makes sense actually

yeah trust me, i was surprised when it actually worked

it’s not gonna constantly be streaming, only when I need it I’ll have it on

@grave sparrow when’s the last time u drank

oh damn world record

i mean personal record

longest time sober

chinese

white

drinking piss doesn't count bro...

yes it does

learn trouble

least controversial coldplay opinion

nah but ur right

ive listened to every single coldplay song

while we were driving to florida i was like fuck it

every coldplay song

etiaw mv is boring

But you forgot it's connected via usb so it's charging

Although it might be smarter to look at idevicenotificationproxy

I think then you can just listen to specific events and also you can send responces

its not gonna be streaming that whole time

id plug it in, spoof my location unplug it

when i need my real location, just plug it in, reset location unplug

import requests
import subprocess

def get_ios_version():
    try:
        proc = subprocess.run(
            ["ideviceinfo.exe", "-u", get_usb_udid()], capture_output=True, text=True
        )
        output = proc.stdout.strip()

        version = re.search(r"ProductVersion: ([\d\.]+)", output)
        if version:
            return version.group(1)

    except FileNotFoundError:
        raise Exception("ideviceinfo.exe not found.")

def fix_mount():
    """
    Fix "Make sure a developer disk image is mounted!"
    """
    version = get_ios_version()
    if version is None:
        raise Exception("iOS version not found.")

    ddi_url = f"https://raw.githubusercontent.com/mspvirajpatel/Xcode_Developer_Disk_Images/master/Developer%20Disk%20Image/{version}/DeveloperDiskImage.dmg"
    r = requests.get(ddi_url, allow_redirects=True)

    open("DeveloperDiskImage.dmg", "wb").write(r.content)

    signature_url = f"https://raw.githubusercontent.com/mspvirajpatel/Xcode_Developer_Disk_Images/master/Developer%20Disk%20Image/{version}/DeveloperDiskImage.dmg.signature"
    r = requests.get(signature_url, allow_redirects=True)

    open("DeveloperDiskImage.dmg.signature", "wb").write(r.content)

    print("Mounting Developer Disk Image...")
    subprocess.run(
        [
            "ideviceimagemounter.exe",
            "-u",
            get_usb_udid(),
            "DeveloperDiskImage.dmg",
            "DeveloperDiskImage.dmg.signature",
        ],
        capture_output=True,
        text=True,
    )

close ur files

real

why would i write safe code

def fix_mount():
    """
    Fix "Make sure a developer disk image is mounted!"
    """
    version = get_ios_version()
    if version is None:
        raise Exception("iOS version not found.")

    ddi_url = f"https://raw.githubusercontent.com/mspvirajpatel/Xcode_Developer_Disk_Images/master/Developer%20Disk%20Image/{version}/DeveloperDiskImage.dmg"
    r = requests.get(ddi_url, allow_redirects=True)

    with open("DeveloperDiskImage.dmg", "wb") as f:
        f.write(r.content)

    signature_url = f"https://raw.githubusercontent.com/mspvirajpatel/Xcode_Developer_Disk_Images/master/Developer%20Disk%20Image/{version}/DeveloperDiskImage.dmg.signature"
    r = requests.get(signature_url, allow_redirects=True)

    with open("DeveloperDiskImage.dmg.signature", "wb") as f:
        f.write(r.content)

    print("Mounting Developer Disk Image...")
    subprocess.run(
        [
            "ideviceimagemounter.exe",
            "-u",
            get_usb_udid(),
            "DeveloperDiskImage.dmg",
            "DeveloperDiskImage.dmg.signature",
        ],
        capture_output=True,
        text=True,
    )

better?

now write it in c

gotta shave off 20 microseconds fr

if it works it works

Fr

METH

idc ab what lang its in

gotta be fast 🔥

unsafe

https://swift.org/blog/introducing-swift-http-types/

We’re excited to announce a new open source package called Swift HTTP Types.

kirb — Today at 2:17 PM
https://swift.org/blog/introducing-swift-http-types/
Swift.org
Introducing Swift HTTP Types
We’re excited to announce a new open source package called Swift HTTP Types.
Image
shepgoba — Today at 3:32 PM
We’re excited to announce a new open source package called Swift HTTP Types.

rust has had this forever BOOOO

please apple

kill rust faster

decline

he wants me so bad

captain incorporated

@naive kraken Question, do you know any apps triggered the launchd jailbreak detection?

City Bank, Bitwarden

Bitwarden has jb detection?

Yeah, was like what, I used bitwarden all the time when I was jailbroken on checkra1n/oddyseyra1n on ios 14.

Bitwarden is fully open source, so I wanna check the source cause I don't think it has jb detection.

The only thing I see is that Bitwarden would crash on chimera but a chimera update came out that fixed it

It doesn't look like Bitwarden actually has any jailbreak detection

@naive kraken Yeah, bitwarden doesn't have any jb detection, couldn't find any in the source at all, so the launchd stuff must be an error somewhere else. https://github.com/bitwarden/mobile | https://github.com/bitwarden/mobile/issues/493

https://github.com/opa334/Dopamine/issues/226 this is the source

I meant I couldn't find any jb detection in the bitwarden source code from a basic look, once on my pc will check some more. I only have an iphone 6s though so can only use palera1n which doesn't have your launchd reporter.

my work app has the same issue as bitwarden its not detection I can assure you

backtrace shows mono jit

both my work app and bitwarden use mono jit

Why tf would Bitwarden give a fuck about a device being jailbroken??

it doesn't its an issue with the mono library using exception ports?

I don’t even think that those devs would even spend the time creating jailbreak detection anyway

They got better shit to do tbh

yeah but citi bank actually shows a detection alert

even if you disable injection with choicy (which works on anything non 1.1.1)

Hmm, so it triggers jb detection and a random crash on apps that have no jb detection then, what.

Is this bounty ok?, and is it realy worth 10$ for a simple tweak like that? It doesn’t really need settings pane thing, I think I could jus do it all in the like Tweak.x file ?

its fine, but fix the grammar 💀

how to blow up your display in one easy step

?, it’s not to remove the limit it just to also limit the slider

Literally the stupidest tweak

yeah this is the worst tweak idea ever

oh ok, I wount post the bounty

How often does your phone overheat lol

unless you’re putting your phone in the sun or playing some intensive game it shouldn’t overheat

iphone xs:

this is a certified TenS moment

I don't know for sure but I do wonder how much of it is really something the OS is aware of, and how much of it is handled internally to the display/battery coprocessors

somebody point me at the doc telling me what ellekit expects? it seems to be ignoring my dylibs and such so I assume I need to change something

maybe plist format?

plist format should be the same as substrate/substitute

hmm seems to be ignoring PreferenceLoader too

/Library/TweakInject is where your dylibs/plists should be

/var/jb/Library/TweakInject if rootless

it can be a symlink to the old path

yeah it's the same place preferenceloadeer dropped its dylib and plist

what jailbreak are you using

dopamine

hmm

maybe a reboot and rejb will help, you can also try a userspace reboot

I wonder if something didn't make a symlink for TweakInject

yeah i did that

iPhone-13-Pro:/var/mobile/Library/Logs/CrashReporter root# ls -l /var/jb/Library/TweakInject 
lrwxr-xr-x 1 root wheel 48 Jul 11 14:14 /var/jb/Library/TweakInject -> /var/jb/Library/MobileSubstrate/DynamicLibraries/

didn't seem to help

That's backwards, no?

I see tweakinjector loading from /private/preboot/3D593E00FCD3B03C263AFE0020DF602550FA26FB86394FD78CCD3D77BCEF880DD5EBB1819714DBA1A3D892E7359E5F65/jb-8OIChZ/procursus/usr/lib/ellekit/libinjector.dylib but nothing after that heh

i was going to say maybe reverse the symlink

yeah I can move it around and see if it helps, shouldn't matter generally

didn't seem to matter

i think theres an ellekit log somewhere

somewhere in /var/mobile i think

DynamicLibraries should point to /var/jb/usr/lib/TweakInject

i thought it was library

Library/TweakInject doesn’t exist

that symlink should exist anyway

aah ok

the usr lib one

moves it to usr/lib

we gotta change this path every 5 mins 🤣

there we go, things try to load now thank you

not sure why the jailbreak didn't do that

There was an issue with the symlink getting deleted on some betas (I think it was before public betas even), but definitely shouldn’t be happening now

Very weird

if it did then a remove jb and jb again should fix

Maybe the symlink should be checked on each jailbreak

@upbeat wyvern do you have plans for elucubratus rootless?

I have one working on appletv now thanks to nito - but what he has there is pretty different 🤣

which symlink

and I already had it for macos

DynamicLibraries

but I never pushed that code anywhere becaue it didn't seem like people were particularly interested

there's no fucking way that's a problem again

no

i refuse

Fr

yeah it's been a problem sicne ios11 idk why we insist on moving it all the time

what about iOS for checkra1n or whatever, iirc they intended on going rootless for iOS 15+

sbingner still has me blocked
real

real

how u get that to happen

is it possible to have a view controller hold prefs that are loaded from a plist/xml file like how a tweak's prefs are loaded

if checkra1n works on appletv I'd expect being able to do something similar on ios to be pretty simple

Yes

like the code is the same as a pref?

related to my complaints about changing arches: I made my dylib happily load on either type using @rpath but it still needs a different package because arch 🤣

appletv doesn't have SSV

(if you meant rootful working there)

we know

but I'm talking about rootless

alr

are there any examples of this on github or smth

I’m not sure, pretty sure you just load the prefs the exact same way you do in normal preferences

Yeah, that's a good solution as long as your runtime rootless checks to determine if to use /var/jb paths are correct

Don’t generally care which one I’m using at runtime 🤣

yeah i think that part works, i just cant figure out how to present it lol

its in a spritekit skscene

You can read the value display a switch then programmatically set the value when the switch changes. Or if you really want you can render a psspecifier iirc.

I think I did this in SnapBack? It’s probably cursed tho

cursed or not, if it works it works

I know snapshots are broken now with APFS. Are there any papers on what Apple did? Never got a straight answer and am just curious

@upbeat wyvern your issue with dylibs may have been because you created the directory before installing the tweak injector

Yes likely

there’s usually a check for it in my postinst but it might have not worked

😅

#development message

#development message

im big clueless in tweak dev, how do i hook all of these to log whatever passes through them so i can figure stuff out? to any concerned persons, no i am not doing malicious stuff, i am trying to fuck steam over to give me MY OWN TOTP SECRET

so i can put it into bitwarden

it says those are methods

@drifting dust https://theos.dev/docs/installation

Write objc + logos hook directives and compile with theos

If you're totally lost, start with basic programming in objc and look at open source tweaks

well yea i know that, got this far

however the values are either not present in the hooked classes, or encrypted with
%hookf(int, SecItemCopyMatching, CFDictionaryRef query, CFTypeRef *result)...

Is that function being passed the unencrypted secret?

That I'm not sure. I would assume so because it's the function that stores the value into the keychain, with the class EXSecureStore (https://docs.expo.dev/versions/latest/sdk/securestore/) and looking at the react native code, it seems to just be calling it with unencrypted values

i'd hook into react native itself so i can snoop around in there but the problem is i have no idea how to do that or how i would find the 'needed' function

Ah trying to hook React sounds treacherous

yeah...

maybe i should ask the folks that made enmity, discord is react native too after all

https://github.com/expo/expo/tree/main/packages/expo-secure-store that library is open source which may be helpful

You might also try getting the string in a less direct way, such as hooking NSString

The unencrypted secret may never be stored in an NSString, but if it is, you could extract it

im doing something like this right now,

- (void)getValueWithKeyAsync:(id)key options:(id)options resolver:(id)resolver rejecter:(id)rejecter {
    %orig(key, options, resolver, rejecter);
    NSLog(@"[STEAM KEYS]getValueWithKeyAsync:%@ options:%@ resolver:%@ rejecter:%@", key, options, resolver, rejecter);
}

but all it gets me is:

[STEAM KEYS]getValueWithKeyAsync:SteamNotificationsReadRetry76561198130400365 options:{
} resolver:<__NSMallocBlock__: 0x282f26f40> rejecter:<__NSMallocBlock__: 0x282f26f10>

so i think im doing that wrong

its the function that i have most common in the log, but its async and i have no idea how to handle that

the world if flex didn't crash

So those blocks seem to capture the key

Have you tried calling that method yourself?

from flex - insta crashes the app

and from my tweak i have no idea how to handle it being async

OH

there's a sync function and calling it gives me plaintext everything

Nice

Was gonna suggest trying to call the async function yourself in objc, but that works better 😀

now to figure out what to do with it

i'd like to make some kind of alert with a copy button, would appear on the app launching and would first call the getValueWithKey thing then display that value

Why this crash?

cpu 1 caller 0xfffffff01e334168

ok bcs u a dev u gotta fix it.

It crashed because a crash was caused

Why not work

the key you're trying to use as a foreign key is a foreign key already?

Nope

Theres literally only 2 tables with their PKs set

thats it

except for triggers that run the UUID() function on insert for the ID fields

If i try to connect user_ID while it doesnt have an index, it complains about no index. If i set an index on it, then the above message

I cleared the DB out and now it worked

god i love mysql

it’s not bad

Fair, I've never tried/don't really know how react works internally so I didn't know

Am i going to jail for this ?

Yes

Well, what other options are there

I mean, maybe jail is nice

Anyway I’d think followers would be a separate table

That links two ids

So that’s probably what uou have there

Well, this is a seperate table

oh

you mean for the users ?

wait

im dumb

It would just have an index on user_id then multiple entries for each following_id

Maybe what you did, I just said yes because you asked jail and I found it amusing

primary key on user_id,following_id

Looks weird, but i guess it is what it is

Should work in theory

I’d think you’d want a timestamp on the follower record at least :p

Citi Bank is working now with the latest update, thank you!

When trying to enroll in trusted ID so that I can use Face ID it still says not available on jailbroken devices though; is there anything that can be done about that?

Can someone please explain how Prysm themes worked back in the day? I'm making a remake of Prysm (for rootless and iOS 15+) and I'm trying to have backwards-compatibility to previous Prysm themes so that theme designers don't have to do more work. I've installed the original Prysm on one of my devices as well as a test theme and SnowBoard seems to directly replace the icons in Prysm's /Library/Application Support/Prysm/Icons directory, instead of properly theming them. So what can I do, short of directly hardcoding the paths to those files in the code?

Not quite sure what to do. SnowBoard seems to automatically handle the movement of the icons to the Prysm directory, but I've researched a bit and a lot of old themes seems to tell the user to move the theme manually. So, how can I make the icon both theme-able as well as backwards-compatible with previous Prysm themes? Rootless SnowBoard does not seem to do the same procedure with moving the icons and whatnot. I've installed a rootless control center theme that should support Prysm, however SnowBoard does not seem to automatically be moving the icons to /var/jb/Library/Application Support/Prysm/Icons.

the way it handles themes just sounds wrong… it should have used a bundle so it can be themed with snowboard. or provided a theme loader of its own

(not that I’m expecting you to hop in your time machine and ask him to correct that)

Haha yeah that would've been nice, replacing files directly seems like a horrible way to do it, but what can you do

Is it really worth figuring out how to use the format, if theme devs have to repackage their themes for rootless anyways?

Or are themes some kind of no arch or smth

They don't have an arch

They can be freely turned from rootless to rootful and vice versa

Also yes, this is what I wanted to do; make a bundle. That way the theming process is proper and whatnot. However, how would I support old themes then? That's the dilemma. I really do not want to hardcode paths as that just makes things difficult, but at the same time I also want to support old themes, so yeah.

@lime pivot do you know how to use converters in c++/winrt

Windows cannot deploy to path AppX of file system type exFAT.

i hate windows so so so much

there is no reason to limit uwp programs to ntfs only

cant even run them on refs

Can someone please explain how Prysm themes worked back in the day? I'm making a remake of Prysm (for rootless and iOS 15+) and I'm trying to have backwards-compatibility to previous Prysm themes so that theme designers don't have to do more work. I've installed the original Prysm on one of my devices as well as a test theme and SnowBoard seems to directly replace the icons in Prysm's /Library/Application Support/Prysm/Icons directory, instead of properly theming them. So what can I do, short of directly hardcoding the paths to those files in the code?

hilarious

hello

Hello Developers

Hello Tale

Hello Nightwind

Okay so can someone actually help me understand why my preference keys aren't working? Or I could just be on crack

Everything else logs properly when updated except for live_lyrics

I'm trying to figure out what it could even possibly be that causes this

self.liveLyrics always defaults to YES

But it works on everything else

?

I also wrote this in 2020, give me a break

Capt explain this part then

You have many

real

I guess I'll just throw this in here

dark mode toggle

so are you gonna meow back or not

Maybe the NSNumber cast?

It's a boolean cuz it's a PSSwitchCell

Without the cast it complains about id

I think I may have fixed it

Nvm

This is so fucking annoying

Like you

Oh

Are you kidding me

I did YES and NO not @meager halo and @NO

Capt after y’all are done with the prefs stuff can you suggest a good way to make a better theming platform for my remake whilst keeping compat with old themes? I genuinely have no idea what to do

Make a new format

Write a tool that converts them on the fly

Right but that stuff will be have to fed into SnowBoard

And idk what to do with that

Right right, I kinda explained it in the two messages, basically it just had a static path in /Library/Application Support/Prysm/Icons and had the icons there

So what SnowBoard would do is just replace the icons with the selected theme

Which is a bad way of doing it, a bundle would be a much better alternative

I want to have the icons be in a bundle, but I also want to keep support for those old themes

you can look in the new location, and if it isn't there look in the old location

Yeah that would work expect for the fact that Prysm themes don’t seem to correctly apply to the original location on rootless, maybe a bug on SnowBoard’s part.

True. That could be the case. cc: @opal hazel, could you help out here? I’m not 100% sure how SnowBoard handles Prysm, so if you don’t mind, could you please explain? Thanks!

someone did make a fork of bfdecrypt for ios 15

well yeah the original one might not
it's hosted on the same repo as the vnodebypass fork for rootless

Hello. Someone got MSHookFunction working on rootless with the latest theos? I'm building a tweak that hooks swift function with it, but it seems it doesn't hook properly (It previously worked on my rootful device) though I'm sure it's called as I can hook them using Frida.

What jb are you using?

Are you able to share what function you're hooking and possibly show your usage of MSHookFunction

i thought xsf1re updated vnodebypass for rootless, idk if he ever released debs though bc there weren't at first

or was this before he did?

I'm using palera1n rootless(16.1.2)
And here is my code
https://github.com/m4fn3/Gommirativ/blob/master/Tweak.xm
(I'm compiling it on checkra1n(14.6) fyi)

xsf1re didn't update vnodebypass?

https://vxtwitter.com/XsF1re/status/1662482502953611265

oh wait that was xsf1re?

i mean that wasn't obvious

i guess the alias20 part wasn't obvious if you don't follow his twitter

well bfdecrypt is on his repo

with the name bfdecryptor

Does anyone know how to access THEOS_PACKAGE_INSTALL_PREFIX from Swift?

orion, right?

sec

Nope

oh

well uh either way you basically need a bridging header

I thought Orion had overhead

I have a bridging header

https://github.com/vendetta-mod/VendettaTweak/commit/93a23f96dabcc481a2d868632454c97a0791a258

But if I do ADDITIONAL_FLAGS = -DINSTALL_PREFIX whatever it says it doesn't exist

Oh

I was trying this

I can't do this, it's pure Swift

i think your only way then is to do something like:

ifeq ($(THEOS_PACKAGE_SCHEME),rootless)
    x_CFLAGS += -DROOTLESS=1
endif

and hardcode /var/jb

@tepid olive it seems like the CFLAGS just don't work with the bridging header

I tried this in my bridging header but I suppose I'll need to throw it in the Swift code

swift only has an #if

#if ROOTLESS

Yeah

Nah this shit still broken as fuck

Is there a swift_flags thing

i don't think there is anything specific like that no

I'm so lost as to why this doesn't work

I swear 90% of the work is fixing fucking tooling

Suddenly the rest of my defines are broken what the fuck

there is always the third even uglier option to do a runtime check

but rather check dpkg --print-architecture output than existence of /var/jb

No

I'm so confused why other things broke

i mean /var/jb shouldn't exist unless you're bootstrapped with rootless
no one is going to manually create it or try to install a rootless package to create it

SWIFTFLAGS is a thing

-Xcc -DWHATEVER fixes it

you could always just check for a subfolder such as Library for example

Or just use the THEOS thing

For future reference if you wanna access the Theos prefix in your bridging header add this:

// Bridging Header
static NSString *const installPrefix = @INSTALL_PREFIX;

# Makefile
XXX_SWIFTFLAGS += -Xcc -DINSTALL_PREFIX='"$(THEOS_PACKAGE_INSTALL_PREFIX)"'

do you not remember the sileo thinking you're rootless issue (bc of some rootful packages like snowboard creating /var/jb)

oh my bad

wasn't aware

But aren't packages already split by architecture

yes but /var/jb can still get created by mistake

or leftover from a previous rootless jb (though that is not an issue with latest palera1n as jbinit removes the symlink)

Well that's why i said to look for a subfolder that a tweak wouldn't create
Or use readlink on /var/jb

Holy guacamole

Apple have added a protection so that Console doesnt use all the ram your system has

when system memory gets low it automatically clears the oldest messages

@vivid dew happy birthday!

😦

real

i hope someone dies and goes to hell today

i vote capt

me too

me too

me too

me too

me too

amazing. only took checks notes 7 years

me too btw

thanks

multiple times before I’ve forgotten it was open, came back, the machine is crazy slow, says it’s out of memory, and I can’t do anything because the disk got so full the filesystem had too many errors and remounted read only

me when I reverse jailbreak my Mac

has anyone looked into/seen anything about libmobiledevice's functionality on arduino

or like, is it even possible

prob not since it needs usbmuxd and all that

all stuff you could implement on top of Arduino's USB stack of course

isnt that like mad work tho

it's possible limd's usbmuxd has multiple USB backends per OS. you could run that on a thread, then put your limd magic on another

eh ill just use a raspberry pi

prob easier

bc i dont need a usb shield and whatever

just gonna make a sketch power source lmfao

9v battery into a 5v step down converter

I wish they made raspberry pi support PoE without a hat

I got a riscv VisionFive 2, which I saw it mention PoE in the docs and got excited before I realized they just meant that they support the raspi's PoE hat

What I want is a pi zero size with a PoE ethernet port

armv7

armv8 🤢

@grave sparrow

armv7: 🤝
armv7 asm:

armv7 asm

x86-64 >>>

ching chong your religion is wrong

That's why riscv is best

Doesn't even have mov

Nobody asked

yeah i know like

6 instructions

https://cdn.discordapp.com/attachments/855848056163401728/1092479547687043184/watermark-1.gif

yeah its really good and popular

fail

Hello everyone,
Im pretty new to this type of stuff. I once saw a tweak which opens an app from itunes and then loading the tweak, so that you could still open it normally without it loading anything.
What would you call that and how do you do that?

this is the type of question you ask when you completely have no idea how anything works and are grasping at straws

I saw an app which starts up an official app from itunes, but with loading a tweak

skyy vodka

I dont know how the app did that so im asking

It launches another app but injects like a tweak basically

yah this is something no one here has ever heard of

we need context and an origin

we are more than happy to explain it but this isn't something to go on currently

need an exact source of what you are talking about

I dont know how to explain it. It was an app which opened another app when you opened it, but it also loaded a tweak into the app.

https://cdn.discordapp.com/attachments/855848056163401728/1092479547687043184/watermark-1.gif

I dont know how to explain it. It was an app which opened another app when you opened it, but it also loaded a tweak into the app.

This is what it looked like

https://media.discordapp.net/attachments/1087184981161414777/1094684158237868074/a_a7b40d4bc9a718045af8619d60ad7989-1-3.gif

The tweak only gets injected into that running instance of the app tho

Yes but doesnt it usually install permanently until you uninstall?

Uh ok

thats a dumb tweak

if you want something to be disabled sometimes there are a ton of tweaks out there

Is there a function in objc which gets the bundle id of the app?

yes

you're a big boy you can look it up

Thanks

Would i hook it like this?

%hook NSBundle

• (NSString *)bundleIdentifier {
  return @"com.apple.sms";
  }

%end

thats one way but iirc its a wrapper around core foundation apis

so if a program checks those it wont work

How does the Dopamine jailbreak perform a userspace reboot (i.e. what function does it call)?

reboot3

Can that be called from a terminal command or something?

https://github.com/ProcursusTeam/launchctl/blob/main/reboot.c

launchctl reboot userspace

@coral gazelle

idevicesyslog: symbol lookup error: idevicesyslog: undefined symbol: idevice_events_subscribe tf is going on

tried installing libimobiledevice on a rpi

Make it return the original bundle id, if i sign the app with a different apple id.

Any, i hope to learn how to hook objc like NSBundle

• add subviews inside of UIView’s layoutSubviews method

recommended

they boy wants to learn, he needs to learn what not to do first tbh

@grave sparrow

hi

rude

isnt obliterate a reset

do not use windows

yep!

So any malware could just call reboot obliterate

And ruin ur day

just got a tweak idea

you say that, but for a long time there was a method in SpringBoard

-[SpringBoard wipeDeviceNow]

lol

It's very possible that there are perm checks built in launchd

I know there’s an obliterate entitlement

That only settings has

We don't have that

But I’m wondering if root would bypass that

Who wants to test it

Just get a Sileo mod to @ everyone with it

Worked last time

If launchctl reboot obliterate works with mobile and no extra ents I'll remove it or lock it behind uid == 0

There’s no way in hell it doesn’t need ents

That would be ridiculous

ok i did it and the device is on a black screen

backlight on

Fr? 💀💀💀

finally rebooted

user data intact

Any weird logs

just panicked bc watchdog

There’s any open source for control center module can start feature in 3rd party app. for example vpn app. start vpn without open app ?

development

development

i hate all of you developers

elopmentdev

when you accidentally left click in a word document

very true

Where can i find out what all the different registers and operands do in arm64?

They are same for all arm64 systems right?

there's a manual

https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms

is it possible to NSLog using Siri Shortcuts

Anything is possible if you put enough hours into it

Not true Capt is still lame

yeah true

That just means he hasn't spent enough hours trying to not be lame

he certainly has

How would I get posix-spawn in an iOS SDK?

trying to make an app that runs commands

#include

here comes the 3 paragraph long capt writeup dont worry hes got you

i hate windows

file
cool im gonna delete it
delete it, hangs

do it from command line, hangs

do it from wsl, hangs

reboot, deletes fine

no process was holding it that im aware of

yeah word lemme just get the apfs windows 10 build

yeah it usually says tho

if a process is using it

and it did not

iirc NSTask is broken on Dopamine (as of this moment) so you might need to take not of that

👍

dopamine moment

nfr

Return from subroutine, branches unconditionally to an address in a register, with a hint that this is a subroutine return.

optimization

i tried this

it said

the function exists perfectly fine on iOS, but it's just not in the SDK headers. this means you can just define the function header yourself, and everything should work. another choice is using NSTask, which is under a similar situation. you can do both like so:

#import <stdint.h>

typedef void *posix_spawnattr_t;
typedef void *posix_spawn_file_actions_t;

extern char **environ;

extern int posix_spawn(pid_t *pid, const char *path, const posix_spawn_file_actions_t *fileActions, const posix_spawnattr_t *attributes, char *argv[], char *envp[]);

//posix_spawn example:
const char *args[] = {
    "/usr/bin/echo",
    "hello",
    "world",
    NULL, //the args array must have a terminating NULL
};
pid_t pid = -1;
int err = posix_spawn(&pid, args[0], NULL, NULL, (char **)args, environ);

//you can wait for the child process to exit by using waitpid(pid, NULL, 0);
//note that technically you're supposed to do more than just calling waitpid(), but for your purposes, this is probably enough

and the NSTask version:

#import <Foundation/Foundation.h>

@interface NSTask : NSObject
@property (copy) NSURL *executableURL;
@property (copy) NSArray<NSString *> *arguments;
- (BOOL)launchAndReturnError:(NSError **)error;
- (void)waitUntilExit;
@end

//NSTask example:
NSArray *args = @[
    @"/usr/bin/echo",
    @"hello",
    @"world",
    //this is a NSArray, so do not use a terminating NULL
];

NSTask *task = [[NSTask alloc] init];
task.executableURL = [NSURL fileURLWithPath:[args objectAtIndex:0]];
task.arguments = args
[task launchAndReturnError:nil];
[task waitUntilExit]; //waits until the child process exits

NSTask supports many other features too, including that special waitpid stuff. you can read about it here: https://developer.apple.com/documentation/foundation/nstask. to use them, you can just copy-paste their definitions from the NSTask docs into your @interface declaration

pretty good output

with how often ur on here id believe it

PowerToys my beloved

Tbh when I read your message I thought it was chatgpt...

Bro it's really easy

There's some on my GitHub somewhere

didn't see this, thanks lol. going to try it some time

https://github.com/hbang/libcephei/blob/main/main/Command.swift for a non GPL licensed version of that

(watch as everyone copies that code instead of using HBOutputForShellCommand)

simply luxurious

nwinnia

Alright, going to try it now. How would I use this in a Swift project?

(you will no longer be receiving help from capt)

lmao

fr

(real and true)

Swift have a reasonable number of keywords challenge (impossible)

fr

if for case let n? = n as? Int where n: CustomStringConvertible, rethrows -> { defer { return nil } }

most sane swift program

its cleaner tho!!!

* @ too bloated