#development
@lime pivot i updated theos and then swift stopped working
```
fiore@DESKTOP:~/kfd$ make clean package
==> Cleaning…
> Making all for application kfd…
==> Building Swift support tools…
sh: 1: swift: not found
Failed to build swift-support: command failed: SPM_THEOS_BUILD=1 swift build -c release --package-path /home/fiore/theos/vendor/swift-support --build-path /home/fiore/theos/vendor/swift-support/.theos_build
make[2]: *** [/home/fiore/theos/makefiles/instance/rules.mk:204: internal-kfd-swift-support] Error 2
make[1]: *** [/home/fiore/theos/makefiles/instance/rules.mk:62: before-kfd-all] Error 2
make: *** [/home/fiore/theos/makefiles/master/rules.mk:152: kfd.all.application.variables] Error 2
```
why are you building it with theos
@native orbit hello good sir
would you mind adding me to the taurine148 repo
i am getting a 14.4 ipad pro 11-inch
a12x
i don't know if i can?
it does
i think it's fine iirc
that was a10 so
i'll ask mineek, i don't think i have repo admin perms
ok
msg has been sent 
i don't have a mac
ok now i have
```
/home/fiore/theos/toolchain/linux/iphone/usr/bin/swift-build: error while loading shared libraries: libFoundation.so: cannot open shared object file: No such file or directory
Failed to build swift-support: command failed: SPM_THEOS_BUILD=1 swift build -c release --package-path /home/fiore/theos/vendor/swift-support --build-path /home/fiore/theos/vendor/swift-support/.theos_build
make[2]: *** [/home/fiore/theos/makefiles/instance/rules.mk:204: internal-kfd-swift-support] Error 2
make[1]: *** [/home/fiore/theos/makefiles/instance/rules.mk:62: before-kfd-all] Error 2
make: *** [/home/fiore/theos/makefiles/master/rules.mk:152: kfd.all.application.variables] Error 2
```
nvm back to the first error
ah makes sense
i have a hackintosh but it's big sur
and the kfd xcodeproj isn't made for that low of a version
are you using my toolchain?
how do you calculate the vnode offsets?
i'm looking into the kernelcache in hopper and i am still unsure. i found a few lines that mention a comment description analogous to the variable name in the vnodebypass for kfd
nexus jumpscare
A class method can call an instance method, right? Just that self doesn't work in it, or does self work?
you can call it on an instance but self won't be an instance of the class
```objc
#import <Foundation/Foundation.h>

@interface AmongUs : NSObject
- (void)lorn;
+ (void)gorn;
@end

@implementation AmongUs
- (void)lorn {
    NSLog(@"lorn");
}
+ (void)gorn {
    // In a class method, self is the class object, not an instance,
    // so create an instance and send the instance method to it.
    AmongUs *a = [AmongUs new];
    [a lorn];
}
@end
```
yes
@grave sparrow give me money
Where can i get the .tbd files of libsubstrate and cydiasubstrate built for iphoneos?
Theos tells me that my current ones are both built for the iOS simulator.
you can ignore that warning
hey um i just found a kernel offset for ios 16.2 iphone 14 pro if anyone needs it. https://github.com/34306/kfd_offsets/issues/1
development
Silence child
- dogs
Jazzy is r/jb queen so she is allowed to be anywhere.
is there a way i can check if a color is set using alderis in prefs
i've been checking if the alpha is 0 (then it's not set), but now i need alpha so i can't do that
so i'm wondering if there's a way i should be doing it
i compared the offsets found by tihmstar's tool with the ones published in kfd's github on iphone 14 pro max and ios 16.5
Shadow redefines MSHookFunction to use Hookkit like this. And theres also this file hooking a lot of things using it. Is it possible to do that using only MSHook?
No
Thats what happened after i updated theos
theos will be updated after you update theos. nvm, thought u said what happens if i update theos
Could you please tell me how? The hooks, hook symbols right?
Now give me money
Yes
seek employment
😧
Qualcomm Shepdragon 8 Gen 2
I think i just overthought it, ..again.
Actually, there's an issue. One of these hooks makes the app crash, but the NSLog after the hooks still gets called, even after the app already closed. I'm not sure if it's the replacement function or the call itself.
Is it possible to decrypt an IPA without executing it? Bfdecrypt tries to execute the app and it fails because of the jailbreak detection :/ Can I start the app using debugserver and then somehow dump the IPA?
i personally would not use captappdecrypt
defo malware
memes aside it works well but actually commending capt's work isn't allowed so
it sucks
hgis
:3
Thank you so much :)))
Is there a Rootless build for flexdecrypt? :))
Just realised i know nothing NADA about reading disassembly
Literally opened up the decompiled kernelcache and was lost instantly
Are there any video or text guides on how to use disassemblers properly, or is it a learn as you go thing
I’d say learn as you go
did you ever figure this out btw
Figure one out I'm on my watch so reply to this message figure one out
No i didn't
then the chroot thing?
I want to smash this watch with a brick
No
i did a fresh install of theos, and when it asks if i want to use the swift toolchain, i type y and then it installs
```
> Making all for application kfd…
==> Building Swift support tools…
sh: 1: swift: not found
Failed to build swift-support: command failed: SPM_THEOS_BUILD=1 swift build -c release --package-path /home/fiore/theos/vendor/swift-support --build-path /home/fiore/theos/vendor/swift-support/.theos_build
make[2]: *** [/home/fiore/theos/makefiles/instance/rules.mk:204: internal-kfd-swift-support] Error 2
make[1]: *** [/home/fiore/theos/makefiles/instance/rules.mk:62: before-kfd-all] Error 2
make: *** [/home/fiore/theos/makefiles/master/rules.mk:152: kfd.all.application.variables] Error 2
```
ah that’s the wrong toolchain then
how should i install your toolchain then
what do i need to run to install it
i think ik what to do
but idk if i'm doing it right lmfao
extract it, remove your old toolchain from $THEOS/toolchains, replace it with this one
do i need to ln anything
bc the theos install script has `ln -s $THEOS/toolchain/linux/iphone $THEOS/toolchain/swift`
nope no need
I’m not home anymore, but when I ran make it was hanging
it might take a bit to build
kentucky fried dobs
kentucky fried dildoes
What
hope this helps
Oh
@cedar stag could u send a friend req to this acc now?
if u havent seen my other one got disabled
Send a friend request to you or md? I’m confused
to me, this account
i was just showing u were friends with me and i had a question too
@grave sparrow
that might be a bit much
where’s it stuck?
also try `make clean all messages=yes`
what gets logged if you ctrl+c
```
^Cmake: *** [/home/fiore/theos/makefiles/master/rules.mk:152: kfd.all.application.variables] Interrupt
```
can you ls $THEOS/toolchain
linux
and what about theos/toolchain/linux?
```
fiore@DESKTOP-TU08N9T:~/kfd$ ls $THEOS/toolchain/linux/
host iphone
```
i can tree if you want 
no need your toolchain install looks fine
is there any Swift code involved here?
did you update your submodules?
i'm trying on a fresh theos install now
like i renamed theos to theos.bak
and then i redownloaded theos
ok and rebuild?
yeah
@nimble parcel Would theos work via macos github actions for compiling a tweak?
it should
okay try `THEOS_NO_SWIFT_CACHE=1 make clean all messages=yes`
what’s your distro and version?
I wonder if it's a WSL issue
wdym
```
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:        20.04
Codename:       focal
```
ah
how do i downgrade theos
to what branch/version
Whatever you were on before 
idk what it was before
```
warning: unable to rmdir 'vendor/orion': Directory not empty
warning: unable to rmdir 'vendor/swift-support': Directory not empty
```
ignore?
yeah that’s okay
alr it works now
you can remove them if you want
only errors are in my code
any chance you could dm me your project?
yeah sure
@nimble parcel now it's hanging on `make[3]: *** Waiting for unfinished jobs....` and slowing my whole pc down
after downgrading?
try downgrading your toolchain too
what version
use CRKatri's
ok i did that and it fixed my code's errors too 😭
what
@indigo peak I just tried on a fresh Ubuntu install and it worked lol
try updating your SDK
to 16.4
💀
also `kfd_CFLAGS = -Wno-error` should fix your build issues
different toolchain versions have different warnings
and Theos uses -Werror by default for some inexplicable reason
```objc
#if __OBJC__
#include <Foundation/Foundation.h>
#endif
```
i'm not crazy
that's something i can do right
```objc
#import
NSString *str = [NSString stringWithFormat:@"[kfd] %s", format];
```
are you using it in a C file though
oh yeah
it's being included in a c file
i'm just tryna be able to see printf in syslog
since i don't have a mac
os_log might work in C
```objc
#import <Foundation/Foundation.h>
#include <stdarg.h>

// Override printf so everything logged through it lands in syslog via NSLog.
// The caller's format is embedded after the "[kfd] " prefix, so its conversion
// specifiers are still applied to args by NSLogv.
int printf(const char * __restrict format, ...) {
    va_list args;
    va_start(args, format);
    NSString *str = [NSString stringWithFormat:@"[kfd] %s", format];
    NSLogv(str, args);
    va_end(args);
    return 0;
}
```
or just rename the file to .m
```c
#if __OBJC__
#import <Foundation/Foundation.h>
// Objective-C translation unit: route printf through NSLogv so it shows up in syslog.
// The caller's format is embedded after the "[kfd] " prefix, so its conversion
// specifiers are still applied to args by NSLogv.
int printf(const char * __restrict format, ...) {
    va_list args;
    va_start(args, format);
    NSString *str = [NSString stringWithFormat:@"[kfd] %s", format];
    NSLogv(str, args);
    va_end(args);
    return 0;
}
#else
#include <os/log.h>
#include <stdarg.h>
#include <stdio.h>
// Plain C translation unit: format into a buffer first; otherwise the variadic
// arguments are dropped and only the raw format string reaches the log.
int printf(const char * __restrict format, ...) {
    char buf[1024];
    va_list args;
    va_start(args, format);
    vsnprintf(buf, sizeof(buf), format, args);
    va_end(args);
    os_log(OS_LOG_DEFAULT, "[kfd] %{public}s", buf);
    return 0;
}
#endif
```
hooray
windows defender doesn't like the code 💀
@indigo peak I cannot for the life of me repro your issue
😭
tried both 20.04 and 22.04 using Docker Desktop on my Mac
could be WSL
i don't see how WSL could cause issues but it's possible
actually @indigo peak do you mind retrying with the newer Theos, and this time running `make clean all --debug messages=yes`?
I think I know what's wrong
a little incentive: on the latest commit you can run make commands to get intelligent autocomplete
do i need to change my toolchain too
yeah update to mine
@grave sparrow wanna help me work on machosign?
@tepid olive I know why macos 14b4 tccd crashes
there's a new database named REG.db
and tccd breaks it somehow
i got one from someone who actually boots fine with it
and replaced mine
and now my macbook works fine
I used iBoot64Patcher to modify iBSS to change the pointer of the "go" command handler to 0x800000000, which is the value of the loadaddr environment variable and, from what I can tell, where files uploaded over USB reside. But if I boot into this iBSS, upload an unencrypted iBSS or iBEC without an IMG4 container, and execute the go command, it just reboots the device. Why doesn't it boot the uploaded iBSS?
.
Your script worked Perfectly thank you so much :)))
captware working 
Imo this is the wrong approach it’s not much effort to just create an img4
how can i install kok3shi9 on an ipad mini on 9.3.6, previously jailbroken with phoenix? no pc
I haven't gotten booting IMG4s to work with much of anything besides iBEC.
this makes no sense whatsoever
why is it different on the lock screen than it is on the homescreen
oh wait, that’s legacy
general doesn't exist
we are not in off-topic
🤓
@shrewd smelt
this reminds me, for some reason the UK still uses the old subway branding
@grim sparrow why is your country so weird
yah even with the correct patches, there is a wrong way and a right way
it depends on device though
So if all we need to worry about now is ppl, that leaves a few possible ways to attack it. Because it manages kernel code, in theory that would mean it HAS to run before baseband or any kind of radios kick in, right? If that's the case, the keys have to be stored on the device to check against. Can we overwrite those?
whar?
I'm bored and trying to look into ppl feel free to correct me if I made a wrong assessment, there's not a ton of ppl info
i don't see how the baseband has any relation to ppl
It doesn't that's the point. So how does it know if something is signed? That means it has to be stored somewhere on device right?
you know what
i suggest asking @grave sparrow directly, he is the most knowledgeable person in this server on ppl-baseband communication
schizo rant
Nah those come later once I've smoked a bowl or two
@vivid dew happy birthday big man!
i wonder who this blocked message could be from
I wonder if kfd can overwrite memory on PPL's stack. Overwrite the memory for PPL's check, make it think it's checking code that is actually signed, as opposed to the code it's actually verifying?
I can't believe @grave sparrow didn't think of that
well he is a dumbass
It's ok I'll run through all the bad ideas and get caught up and then I'll be helpful promise 😛
@grave sparrow in shambles rn
It’s a good idea to always test the ideas people say won’t work yourself
we could have had a jailbreak years ago with this guys ideas
I have no idea how to test them lmao I assume I need a Mac and I'm too broke for that
So instead I just shout ideas into the void until one sounds smart enough to mean something
not an idea if you don't know what you're talking about tbh
Bad ideas are still ideas. And good ideas start out as bad ideas. And also everyone has to start somewhere so maybe one day I will know what I'm talking about. Until then won't stop me saying ideas about what little I do know
yeah but they aren't even bad ideas
in about 30 minutes you will hop back on league of legends and forget this ever happened
they aren't anything to start
To start with, you need to know or at least have an idea what PPL or a Kernel is
Else you'll just be spewing bs and will not learn anything
Ok, by starting out I didn't really mean starting out lol. I'm a programmer, just not for ios. And i know linux which is similar even though I'm well aware it's not the same.
was trying to zero out cr_label+0x10 and copied some of pattern_f's code in. looks like i have the wrong offsets here https://github.com/pattern-f/TQ-pre-jailbreak/blob/1a13ceb2b1519ad46be9fe83e50348500442bda6/mylib/k_offsets.c#L39
do I have to look through the kernelcache to find them?
i just panic when trying to
yep rip
```c
funVnodeHide(kfd, "/System/Library/PrivateFrameworks/CoreMaterial.framework/dockDark.materialrecipe");
funVnodeHide(kfd, "/System/Library/PrivateFrameworks/CoreMaterial.framework/dockLight.materialrecipe");
```
hide dock with kfd
5 day streak? pfft, amateur
my streak is like 210 days
My German is not very good
ez
That's good!
```objc
#define MG_PLIST "/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"

void gibmebar(uint64_t kfd) {
    // Temporarily make the plist owned by mobile (501) and world-writable by patching its vnode
    funVnodeChown(kfd, MG_PLIST, 501, 501);
    funVnodeChmod(kfd, MG_PLIST, 0107777);
    NSString *filePath = @MG_PLIST;
    // Check if the file exists before proceeding
    if ([[NSFileManager defaultManager] fileExistsAtPath:filePath]) {
        NSMutableDictionary *theDict = [NSMutableDictionary dictionaryWithContentsOfFile:filePath];
        if (theDict) {
            // Replace the key "ArtworkDeviceSubType" with the value 2796
            [theDict setValue:@(2796) forKey:@"ArtworkDeviceSubType"];
            // Save the modified dictionary back to the plist file
            if ([theDict writeToFile:filePath atomically:YES]) {
                printf("Dictionary successfully modified and saved to file.");
            } else {
                printf("Error: Failed to write dictionary to file.");
            }
        } else {
            printf("Error: Failed to read dictionary from file.");
        }
    } else {
        printf("Error: File not found at path: %s", MG_PLIST);
    }
    // Reset file permissions and ownership
    funVnodeChown(kfd, MG_PLIST, 0, 0);
    funVnodeChmod(kfd, MG_PLIST, 0100755);
    // xpc_crasher("com.apple.mobilegestalt.xpc");
    xpc_crasher("com.apple.frontboard.systemappservices");
    xpc_crasher("com.apple.backboard.TouchDeliveryPolicyServer");
}
```
why does this fail to write
it seems like the perms change properly according to the logs for the file
```
[i] Patching /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist vnode->v_gid 0 -> 501
[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist UID: 501
[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist GID: 501
[i] Patching /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist vnode->v_mode 100644 -> 107777
[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist mode: 107777
2023-07-28 00:41:25.061222-0400 kfd[610:13188] Error: Failed to write dictionary to file.
2023-07-28 00:41:25.061305-0400 kfd[610:13188] Error details: (null)
[i] Patching /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist vnode->v_uid 501 -> 0
[i] Patching /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist vnode->v_gid 501 -> 0
[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist UID: 0
[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist GID: 0
[i] Patching /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist vnode->v_mode 107777 -> 100755
[i] /var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist mode: 100755
```
^kfd logs
Ik kfd is the topic right now but can anyone help me understand why `frida-ps -U` would kernel panic iOS 14.2?
edit: I realized the issue
did you manage to write to MobileGestalt?
vnode permissions?
No, I need a better sandbox escape. It's based on x1fire's sandbox escape (in his previous commit he had a function called vnode research which did some mount hax to give us r/w to var but not subdirs.)
I realized I couldn't write to subdirs afterwards due to the sandbox escape method. Apparently he has a new method but that one crashes my device so I am waiting to see if he patches it.
Is it functionally possible to use NSFileManager with the newer x1fire r/w function?
Like i think it's based on your method
of getting MDC emulation
does the mdc emulation have to be in binary
I'm kinda lost so I figured I'd ask it here. I want to build a stock, non-jailbroken iOS app that utilizes curl, openssl and libcrypto. So I grabbed the static libraries from procursus, and added them to Xcode to be linked with the mach-o. However, Xcode does not seem to be recognizing the libraries correctly. It gives undefined object errors related to libcurl
also, when I instead use dynamic libraries to link the app, it compiles just fine, but unable to run due to stock iOS refusing to work with dylibs.
stock iOS should work fine with dylibs — you probably have linkage issues
oh I thought dylibs were not allowed in stock iOS?
they are
though if you care about App Store safety then bundle them into a .framework
check your syslog
Ya but the x1fire sandbox escape works through pmap to change contents of files
I don’t think you can use nsfilemanager with the binary stream from pmap
@naive kraken @tepid olive idea: are jetsam restraints protected by ppl?
i don't think so
We could give app unlimited money
Mem*
But I'm more interested in launchd haxx
If it gives unlim ents then the jetsam ent would be easy
there are further dependencies you need such as libbrotli and I suppose librtmp
it may be better to compile your own copy of libcurl with only the features you need? it'll be a bit heavy in binary size otherwise
well you get all the launchd entitlements….
Wait what
The entitlements that are on /sbin/launchd ?
never mind just stop asking questions
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.apfs.get-dev-by-role</key>
    <true/>
    <key>com.apple.private.amfi.can-allow-non-platform</key>
    <true/>
    <key>com.apple.private.iokit.system-nvram-allow</key>
    <true/>
    <key>com.apple.private.kernel.system-override</key>
    <true/>
    <key>com.apple.private.persona-mgmt</key>
    <true/>
    <key>com.apple.private.pmap.load-trust-cache</key>
    <array>
        <string>cryptex1.boot.os</string>
        <string>cryptex1.boot.app</string>
        <string>cryptex1.safari-downlevel</string>
    </array>
    <key>com.apple.private.record_system_event</key>
    <true/>
    <key>com.apple.private.roots-installed-read-write</key>
    <true/>
    <key>com.apple.private.security.disk-device-access</key>
    <true/>
    <key>com.apple.private.security.storage.driverkitd</key>
    <true/>
    <key>com.apple.private.security.storage.launchd</key>
    <true/>
    <key>com.apple.private.security.system-mount-authority</key>
    <true/>
    <key>com.apple.private.set-atm-diagnostic-flag</key>
    <true/>
    <key>com.apple.private.spawn-panic-crash-behavior</key>
    <true/>
    <key>com.apple.private.spawn-subsystem-root</key>
    <true/>
    <key>com.apple.private.vfs.allow-low-space-writes</key>
    <true/>
    <key>com.apple.private.vfs.graftdmg</key>
    <true/>
    <key>com.apple.private.vfs.pivot-root</key>
    <true/>
    <key>com.apple.rootless.restricted-block-devices</key>
    <true/>
    <key>com.apple.rootless.storage.early_boot_mount</key>
    <true/>
    <key>com.apple.rootless.volume.Preboot</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>
```
These?
Oh
@tepid olive do you impersonate launchd services by dumping memory addresses or something
no
I was reading about an exploit that did this for sandbox
and if you have kernel read and write there is like a part of the memory as far as I am aware that is responsible for ownership right
of the process
i might be incorrect, idk. isn't the ucred uid in memory?
actually i'm 100% correct
// looks like it's comparing process ucred with kernel's ucred
processes do have ucred
and i think it is stored in memory
any response? @grave sparrow
so why did you say lmfao what
originally
i thought i might have said something wrong
so i googled it again and i was correct that this is a potential method for sandbox escape
is attacking the ucred of launchd to impersonate services of launchd an effective means of escaping the sandbox
okay then
thank you!!!
@grave sparrow help me
why does kfd return 0x0 as my kernel slide
fr
```
Jul 28 20:04:40 eyePhone kfd[890] <Notice>: [kfd] fo_kqfilter: 0xddc556f018801fe8
```
```c
#define t1sz_boot (25ull)
#define ptr_mask ((1ull << (64ull - t1sz_boot)) - 1ull)
#define pac_mask (~ptr_mask)
// "Strips" the PAC by forcing every bit above the VA range to 1 (kernel/TTBR1 address)
#define unsign_kaddr(kaddr) ((kaddr) | (pac_mask))
```
i wonder if it has smth to do with changing t1sz_boot from 17ull to 25ull
it's not me
it's the kfd developer
no idea
also ask why it's all in headers
so do i do that instead of `u64 vn_kqfilter = unsign_kaddr(fo_kqfilter);`?
```c
u64 vn_kqfilter = (uint64_t)ptrauth_strip((void *)fo_kqfilter, ptrauth_key_function_pointer);
```
```c
u64 fo_kqfilter = 0;
kread((u64)(kfd), fo_kqfilter_kaddr, &fo_kqfilter, sizeof(fo_kqfilter));
printf("fo_kqfilter: 0x%llx\n", fo_kqfilter);
```
Lowkey, I think both
More 2 than 1, I guess
@grave sparrow I'm just tryna think if there's 1 static offset that's wrong for my version/device somewhere in this block
I blame SwiftUI
true
.-.
alr 1 sec
finishing my Panera
```
Jul 28 21:08:40 eyePhone kfd[568] <Notice>: [kfd] fo_kqfilter: 0xA5A974F00CB8DFE8
```
introducing CaptGPT
based on replies and comments from captinc in rjb development
doctored imagery
kernelcache.research.iphone12b
yeah now you see my issue
lmao
it calculates 0x0
what
more of a slide than 0x0
where are prefs stored on rootless jbs?
/var/jb/var/mobile/Library/Preferences/... iirc
ok thought so
I'm trying to port a tweak to rootless for someone and I updated the prefs path (well, I just used Theos' ROOT_PATH_NS on it) but the prefs won't save
I uhh lost my test device so I only have their device
actually could it be saving to another path but loading them from elsewhere?
wha why not
It could. If I were you, I would get your tester to check the plist with Filza to make sure that it is there and that it is changing
hm
file doesn't exist in /var/jb/var/mobile/Library/Preferences/
doesn't exist in /var/mobile/Library/Preferences/ either
oh wait it does exist in the second
I think there may be a problem when creating the file
smh
the translator plugin
(I use it to communicate with the Chinese users of my tweaks)
So it might be something to do with the file creation then
didn't u make nexus icraze
oh wait it's another pref file from the same dev
yeah, i did 
malware drm
that's it bucko, you're going on the list
alternate these
ok imma just copy the writing code from my own tweaks
@grave sparrow any ideas or are you busy
@grave sparrow any ideas or are you busy
malicious software
ok bruh theos wtf you doing
I think your sdk is bad
i swear it worked earlier
it was the closest sdk I had to the one the tweak was originally built for
oh yeah I had to set the SYSROOT variable to build the tweak idk why
there's so much shit I had to do to get this to build
did you
It doesn't completely work on iOS 15 from what I understand
I have a build
but I gave it for someone to test and he said it didn't work completely
hmm that's weird, the person I made this for said someone built it for them but it didn't work
screw this, the logic is simple enough, I'll just rewrite it from scratch
I think we're talking about the same person then lol
sometimes capt pisses me off
sometimes iCraze's drm pisses me off
I know this sounds like i'm expecting to get spoon-fed and i'm being selfish, but i can't figure out wtf i'm doing wrong here, even tho it's prolly a simple mistake
https://cdn.discordapp.com/attachments/1133713501312008192/1134663224114036766/message.txt
I was trying to follow opa’s method using mmap read only, then vm_entry and set prot
this is using kfd and wh1te4ever’s fork
you're passing the wrong pointer to task_get_vm_map
you're supposed to pass the task of your own process to that
nah ur not being spoon-fed
spoon-feeding is white names needing help to compile it in xcode
for each step
.@XsF1re can you update grant_full_disk_access.m to use your overwrite file code?
Bummer
why do you need to overwrite tccd
what does it do? sorry a bit clueless
it can allow for granting sandbox escape to an app
what prevents you from finding a code page of e.g. launchd in kernel memory and overwriting it
@naive kraken I still haven't figured out that kernel slide bug, I think it's bc of the 25ull switch
no
also there are like 100 ways of getting the kernel slide
mhm
you can always just find any pointer in the text region and walk the pages back until you find the kernel base magic value
@visual meadow @tepid olive might want to look at this
I asked capt if I could do it a “traditional” way which is something like that, but he said it’s not possible
Nice
it is possible
@naive kraken
…
yeah
but
what you have is something inside the kernel's __TEXT, no?
also it doesn't make sense that the pointer you get is unslid
unslid pointers don't exist
capt says it’s not stripping PAC code correctly
WHY WOULD NOT STRIPPING PAC CORRECTLY GIVE YOU AN UNSLID POINTER
Pac is this: 0xACFHAGFF261718
idk ask capt
non pac: 0xFFFFFFF261718
.
you're just masking the weird shit at the beginning out
Just look at the raw pointer then
@naive kraken
```c
#define t1sz_boot (17ull)
#define ptr_mask ((1ull << (64ull - t1sz_boot)) - 1ull)
#define pac_mask (~ptr_mask)
#define unsign_kaddr(kaddr) ((kaddr) | (pac_mask))
```
unsign_kaddr is supposed to strip the pac code right
yes
but
just replace this with something that's known working???
you can literally just do a xpaci in userspace
@naive kraken
just start by logging the signed pointer
why can't we just have a main fork
and work on that
we have people with rw and people like fiore that broke the exploit
@naive kraken
```c
printf("fd_ofiles_pac: 0x%llx\n", fd_ofiles);
u64 fileproc_kaddr = unsign_kaddr(fd_ofiles) + (kfd->perf.dev.fd * sizeof(u64));
printf("fd_ofiles_stripped: 0x%llx\n", fileproc_kaddr - (kfd->perf.dev.fd * sizeof(u64)));
```
```
Jul 29 11:47:58 eyePhone kfd[570] <Notice>: [kfd] fd_ofiles_stripped: 0xffffffdd281ec000
Jul 29 11:47:58 eyePhone kfd[570] <Notice>: [kfd] fo_kqfilter_kaddr: 0xFFFFFFF0232230C0
```
bro idek what i did
i don't think i changed anything 😭
^
How the hell is stripped +0x20 
bro that's not just stripped, you're adding stuff
i subtracted the added part
```
Jul 29 11:51:05 eyePhone kfd[583] <Notice>: [kfd] fd_ofiles_pac: 0x4edffedd281cc000
Jul 29 11:51:05 eyePhone kfd[583] <Notice>: [kfd] fd_ofiles_stripped: 0xffffffdd281cc000
```
```c
printf("fd_ofiles_pac: 0x%llx\n", fd_ofiles);
u64 test = unsign_kaddr(fd_ofiles);
printf("fd_ofiles_stripped: 0x%llx\n", test);
```
there
second log has a small x but in the log the letters are uppercase
still
oh
nvm
still wrong
what else could i try
sending the right logs for instance
where is fd_ofiles_pac
not there in the log
if you wanted the code for reference
0xFFFFFFDD281CC000 is the correct unsigned pointer anyways
so surprised pikachu, pac unsigning isn't your issue
most likely one of the struct offsets is wrong
hmm
one of the dynamic or static
```c
u64 fo_kqfilter_kaddr = unsign_kaddr(fg_ops) + static_offsetof(fileops, fo_kqfilter);
u64 fo_kqfilter = 0;
kread((u64)(kfd), fo_kqfilter_kaddr, &fo_kqfilter, sizeof(fo_kqfilter));
printf("fo_kqfilter_kaddr: 0x%llX\n", fo_kqfilter_kaddr);
printf("fo_kqfilter: 0x%llX\n", fo_kqfilter);
u64 vn_kqfilter = unsign_kaddr(fo_kqfilter);
printf("vn_kqfilter: 0x%llx\n", vn_kqfilter);
```
would this be fine for logs?
```
Jul 29 12:12:00 eyePhone kfd[677] <Notice>: [kfd] fo_kqfilter_kaddr: 0xFFFFFFF0232230C0
Jul 29 12:12:00 eyePhone kfd[677] <Notice>: [kfd] fo_kqfilter: 0x41C103F023849FE8
Jul 29 12:12:00 eyePhone kfd[677] <Notice>: [kfd] vn_kqfilter: 0xfffffff023849fe8
```
0xfffffff023849fe8 is your text pointer
and it is slid as expected as well
so I don't get what ur problem is
0x1B900000, is that a valid slide?
yes
idk what happened
something fixed it?
something broke?
idk
```
Jul 29 12:16:42 eyePhone kfd[317] <Notice>: [kfd] kernel_slide: 295796736
Jul 29 12:16:42 eyePhone kfd[317] <Notice>: [kfd] gVirtBase: 18446744005328175104
Jul 29 12:16:42 eyePhone kfd[317] <Notice>: [kfd] gPhysBase: 34395848704
Jul 29 12:16:42 eyePhone kfd[317] <Notice>: [kfd] gPhysSize: 3824271360
```
ok now everything works
@grave sparrow
idk what the fuck was wrong
or what was right?
but everything's good now?
i think?
How do I compile pongoterm? I've already downloaded the PongoOS source code.
nvm i figured it out
nvm i didn't figure it out
i'm trying to open() files in /var/ and they all return -1, but opening files in /System/ works
does this mean it's only limited to /System/?
/var is sandboxed
aight
i suppose i can try to make a documents folder within the app where it will read the files inside
kfd
@naive kraken MacDirtyCow was able to write to signed executables but this new method can't :/
Codesigning fails
maybe you can check the differences in a hex editor
see if it corrupts anything
wdym 💀
dirty cow isn't real
dirty cow isn't real
dirty cow isn't real
dirty cow isn't real
facts
at least swift alone didn't lag the OS
i...
troll
I need pongoterm to decrypt SEP firmware keybags on A10.
gm
DAMN
do not hate on objective-c.
anyone wanna help
W nightwind
i fixed it; it was a non-optional type, but it was an optional binding.
if anyone was wondering (no one was), I did this and it works
oh nice
but what would be the difference
Do you have a GitHub link to the project? The person I was talking to would also probably like this
gimme a bit and I can make one
Alright thank you
GitHub - WilsontheWolf/CustomLockscreenDuration: Set your lockscreen timeout duration. Modified from https://github.com/Nosskirneh/CustomLockscreenDuration
Does anyone have, or know how i could make, a function that shows a popup with a text argument and one button that continues the program when clicked?
Ok, i will see.
I got this, but idk if it pauses my tweak. If not how do i do that?
```objc
#import <UIKit/UIKit.h>

// Shows a one-button alert, once. presentViewController: returns immediately,
// so this does not block the caller: code after the call keeps running.
// NSSENCRYPT is the string-encryption macro from the poster's project.
static void showAlert(const char* title, const char* message) {
    static bool hasShownAlert = false;
    if (hasShownAlert) {
        return;
    }
    UIAlertController* alert = [UIAlertController alertControllerWithTitle:[NSString stringWithUTF8String:title]
                                                                   message:[NSString stringWithUTF8String:message]
                                                            preferredStyle:UIAlertControllerStyleAlert];
    UIAlertAction* defaultAction = [UIAlertAction actionWithTitle:NSSENCRYPT("OK") style:UIAlertActionStyleDefault handler:nil];
    [alert addAction:defaultAction];
    UIViewController* rootViewController = [UIApplication sharedApplication].keyWindow.rootViewController;
    [rootViewController presentViewController:alert animated:YES completion:nil];
    hasShownAlert = true;
}
```
with MDC maybe it never rechecks the code signature because it's not aware that writes are occurring
that shouldn't happen with either of the krw techniques either tbh
true it’s kinda weird
i feel like it may work if you swap it onto another file in /System and then change the v_data pointers
how is that done?
by accessing it
you see the virtual memory system tries to be smart and doesn't actually map in the memory until you access it
so the first access of a page will cause a fault, which goes to the kernel, that maps it in and then gracefully returns to userspace again
so you'd want to access each page
@naive kraken but when writing to r/w memory that was executable in iOS the VM system checks the page signing all the time
how though?
if you do it in direct MMIO the vm layer shouldn't notice
but idk
unless they map the memory as read only and handle the faults when writing
does editing this plist to another file location then killing tccd launch whatever is at that file location?
I believe no because the system plists are actually hardcoded in a dylib, files on disk aren't actually used. you would need to modify memory in launchd to achieve that
pretty much to protect against this kind of filesystem attack
You don't have libkitten installed on your theos install
That's why you have the error
but i do tho
not for rootless
like it's looking in the rootless spot for the library but since libk is not rootless, nothing is there?
so i need to recompile it to ...arm64 ?
you need to compile it for rootless
that's a way to do it, yes
alr
or you can just do make <args> THEOS_PACKAGE_SCHEME=rootless
ye
but in your case it doesnt really matter
@radiant idol did i do sm wrong ?
in the make file?
it needs to be in tesla3092/vendor/lib/iphone/rootless
it clearly tells you what the error is
but idk what to do about it cause the library is (i think) in the right place
I don’t see it
don’t think so, currently updating my mac so i can’t check 
im so dumb
libKitten's there, now you need to recompile libpddokdo
Yes it is a cephei thing
but cephie comes w theos, so it should already be there right?
cephie
CEPHEI IS THE BEST TWEAK I BELIEVE IN HASHBANG PRODUCTIONS SUPREMACY
Does elib still work? https://github.com/MojoLayersOSS/elib
she alloc on my UIImpactFeedbackGenerator till i [feedback impactOccurred]
call me beef the way i be stroganoff
which style is your UIImpactFeedbackGenerator
UIImpactFeedbackStyleRigid

UIImpactFeedbackStyleHeavy (he takes after his mom)
oh
oh same!
im tempted to run this
it probably wont
actually maybe it will
i was gonna say you probably need dll’s but idk
what's this
not working
💀💀💀💀
wine it is my dude
Can you get malwares by running exe on wine? Could it actually hurt the os or just the windows part that is created by wine?
it should just destroy the wineprefix only but don't count on it
unless you run it as root and it tries to delete Z:/
fermiui
Wine has symlinked access to home dir
Ah
ah yes "extracting" an exe
I know, but it's just the program making up a fake file structure
since it's not actually an archive format
Shut up nerd
what
@tepid olive this fixes the issue
Heres how to fix macos 14b4 bootloop issue
Boot into recovery mode, doesn’t matter if you already updated and are bootlooping or before update
run:
cd /Volumes/Data/Library/Application\ Support/com.apple.TCC
rm REG.db (if it says file not found, ignore and move on)
(1/2)
macos 14b4
trolley
cool
@tacit spade happy birthday manus celes
damn you two share a birthday
@grave sparrow listen to muse right now
Happy birthday(s)!
am i too small brain again? when i'm trying to run getTask from my swift code which doesn't call kopen() i panic, so do I have to do kopen in the swift file that overwrites as well
idk why I assumed calling kopen in 1 swift file means that every swift file can do the same thing /shrug
Size of over_write data ?
In memcpy
ok i figured it out i'm actually braindead
the swift checks if return code is 1
i was returning 0 in my overwrite code.
Did it work
@radiant idol can I ask for a little tweak ? Basically all I need is to increase the time for like the siri activation by the power button. like add 0.5s or 1s to what the one is ? Or could you make like a plist file with a value (the time) so I could edit the timing. Like it checks the value when SpringBoard loads and sets it every respring.
No clue on how to do that
Does anyone know why my overwrite isn't working? Well it does work, but the font doesn't change afterwards and i'm a bit at a loss of what I should do
I SAW THE FONT SHOW UP THEN REVERT
Where can i learn about sideload/jailbreak detections? And how you find and bypass them.
the liberal store
liberal
libstore.a
```c
#include <jailbreak/bypass.h>

int main() {
    int n_applications;
    struct application *applications = get_device_applications(APPLICATIONS_ALL, &n_applications);
    for (int i = 0; i < n_applications; ++i) {
        load_bypass(applications[i]);
    }
    launch_bypass_worker();
    return 0;
}
```
just use Apple's jailbreak headers
Is it possible to dual boot iPadOS 17 with iPadOS 14 as the main OS by tethered booting with an iPadOS 17 restore SEP?
I've been trying to do that on an iPad 6th gen but I can't get it to boot the kernel cache.
fr
trolled
is there a way to use wine on ios/build crossover
port toolkit made me think
cause moltenvk exists
i can imagine dxvk <-> mvk <-> crossover/port toolkit would be faster than running a d3d 9 game on utm
you need an x64 emulator for wine
wym
iphone is arm64
can you get rosetta working on ios 

No, you don’t have TSO
can you stick dyld shared cache in a ramdisk
and will it load it
if iboot even accepts that big of a ramdisk
can you boot macos 14 beta on iphone 4
```objc
#import <Foundation/Foundation.h>

// Writes a plist at `path` containing only ArtworkDeviceSubType = 2556
int gibmebarplist(NSString *path) {
    NSInteger type = 2556;
    NSDictionary *dictionary = @{
        @"ArtworkDeviceSubType": @(type)
    };
    BOOL success = [dictionary writeToFile:path atomically:YES];
    if (!success) {
        printf("[-] Failed createPlistAtPath.\n");
        return -1;
    }
    return 0;
}
```
the .txt one is the vnode finder function this is the plist function
it gets ret0 on symlink
but fails to show dynamic island am i doing something wrong
based on ResSet16 (working for me)
@tepid olive thanks for offsets btw
welcome
@tepid olive I’m trying to get dynamic island working, do you know if my code is correct?
Hello i never come in here ... but i was wondering if someone could compile an open source theos project for me
does anyone have a unified dynamic_info.h for every iOS and device
How does an app usually detect files in its .app that usually arent there (for example injected dylibs) ?
check loaded dyld images at runtime
But i think in my case it detects the files rather than running libraries.
Probably just probes for directories which it normally wouldn't be able to access. But if, thanks to a jailbreak, it can, then it triggers
snapchat or pogo (i forgot) have a super long list of directories that they try accessing when starting
can’t get it working either
working on another technique
ok write works but it doesn’t do anything either
this is all correct though
Just saw your tweet
copy to a temp directory in the app, use propertylistserialization to change the property value, then override the original file with that data
right, right but the plist has a bigger size even though i changed a single int
it’s not unsandboxed
haven’t done that yet
i cant even figure out how to get this running
Does anyone know what UI components these sliders are?
im guessing some component from SwiftUI? because of the misaligned speaker icon 
tbf that's an interesting problem to solve
the speaker icon is given the same left inset as the top/bottom
but when the volume is on 0, the white part just wont "contain" the icon, unless it's moved temporarily
it's just weird
to answer the question though, it's either smth swiftui related, or something custom
https://twitter.com/roothidedev/status/1686439221874274304?s=46&t=dxd-yHRRQiwe-ixQ1xnMXg man he is really at it
Anyone know what’s up with these WiFiLQMMetrics logs? There’s nothing in them when I view and when I export it it’s all mangled
I have 3 that are apparently just blank (corrupted?) from the past couple days
I wonder if it's somehow related to how Dopamine auto disables/enables WiFi
Except right now this is exactly the same as just not being jailbroken
ik this probably sounds dumb but in Xcode 14 how do i choose OBJC instead of swift?
im at this screen
@radiant idol ?
my banking app doesn't have jailbreak detection 
@native dune ?
click next then choose storyboards and objective c
fill this out then next?
yeah but fix that bundle id its awful
com.teslaman3092.objc-helloworld is even better
uhhh thats weird
is it cause like i need to enable Objc or sm?
@tepid olive dm pls
@acoustic imp this is what it looks like on xcode 15, and when i used to use xcode 14 it looked the same
@rigid glen
do i need a like paid dev acc?
i dont have one
how do i like make it so that it puts my name after the com. every time?
like u have
dont know
same
me when i just bedge

mine does but i bypassed it
now i'm on rootless and it doesn't detect
rootless superiority
i'll bypass you
?
Mine does but it's a one time pop up that warns me and doesn't do anything else. Haven't seen it since iOS 11
does simject work on ios15 and or ios16 Xcode simulator?
or is it a matter of Xcode version? i have (14.2)
Finally got DVIA-V2 to build and run using Xcode now what? 😆
did you get kfd working? I think you need to change boot ull
to 25ull from 17ull
so vnodeOverwriteFile2 doesn’t work
not talking about u
what else can you do with kfd besides emulate macdirtycow
kernel r/w
send log
the log looks normal
```
[info_init]: kfd->info.env.tid = 6801
[info_init]: kfd->info.env.maxfilesperproc = 10240
[info_init]: kfd->info.env.kern_version = Darwin Kernel Version 22.6.0: Tue May 9 06:18:36 PDT 2023; root:xnu-8796.140.12.502.1~12/RELEASE_ARM64_T8101
[info_init]: kfd->info.env.vid = 0
[puaf_init]: method_name = smith
[krkw_init]: method_name = kread_sem_open
[krkw_init]: method_name = kwrite_sem_open
[puaf_helper_give_ppl_pages]: given_ppl_pages = 215
[puaf_helper_give_ppl_pages]: 🟢 0s 3ms 266us
[puaf_run]: 🟢 0s 10ms 654us
[krkw_helper_grab_free_pages]: grabbed_free_pages = 45676
[krkw_helper_grab_free_pages]: 🟢 0s 235ms 233us
[krkw_helper_run_allocate]: 🟢 0s 5ms 84us
[krkw_helper_run_allocate]: kread ---> object_id = 2079, object_uaddr = 0x00000003d275c000, object_size = 16, allocated_id = 3072/10140, batch_size = 1024
[0x0000]: ffffffe0a24a2680 0000000000000000
[krkw_helper_run_allocate]: 🟢 0s 0ms 763us
[krkw_helper_run_allocate]: kwrite ---> object_id = 446, object_uaddr = 0x00000003d21fc000, object_size = 32, allocated_id = 3584/10140, batch_size = 512
[0x0000]: 0000000000000001 0000000000000001 94e91dded7188e80 0000000000000000
[krkw_helper_run_deallocate]: 🟢 0s 0ms 7us
```
16.6b1