#development
ig it runs in the family
Bro chill later
you can never lose
you either win
or you learn
the only time you lose is when you dont try
Nathan stop typing for a second
Lemme tell u smth
if u keep saying this then you'll just find yourself in an abyss of despair, constantly sad and anxious, and you won't achieve what u want
You just need to keep practicing this shit more and more and you’ll get better at it
There’s some stuff u can do better socially for sure
But you’re not a bad person bro
damn it sounds like you're a human
and the older you get the worse it gets too
it took napoleon 4 weeks to invade Russia
‼️
Time don’t mean shit
sometimes
but in this case too
for sure
bro I restarted an iOS 8 jb 3x
it’s been like a year
You know the only code I changed is the code that makes the JB button grey out
Nathan
and say Unsupported
not like you’re going to learn everything in one day
It's been 3 weeks
I think you should be the guy who pisses in the shower rather than the guy who gets pissed on in the shower
or so
if you don’t try you don’t succeed
Nathan reminds me of 2016-me
trying to plug ziVA into some project zero sandbox escape
look at my questions man
without any idea on how to do it
I was dumb as FUCK
But now I practiced more and more
And I’m way better at this shit
Im no coolstar but im not at the same level as I was 2 years ago
I mean I should know more since i first was in this server in 2018
https://github.com/lilpump1/ziVA-Triple_Fetch like what this guy did but he also just put both folders in the same repo and didn't figure out how to do it
See @visual meadow
I didn’t even know how to use git till like late 2021 man
Keep practicing we’ll help you
You just need to be a little less insistent
I Mean atleast he had ideas
And more patient and independent
and me i have no clue where to start in said project
if you don't know where to start, pick something simpler
I had NO CLUE how jailbreaks worked like in the beginning of 2022 btw
bro most devs in my company don’t know how to use git
it’s super annoying
nah it’s even worse
You had other experience though
yeah because I picked something simpler and did that
the other day a SENIOR DEV asked what an IP was
Yeah TrollStore
what’s that number with dots?
yeah
I mean I would know
That’s why I’m making the 8 jb
thats when i was first on discord
https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html
I wonder how they even hook it
they must have a ppl bypass and everything
what you mean threat actors have ppl bypasses? no way lol
Wish I had that
I hate apples lockdown bullshit
I just hope apple didn't change anything arm64e related that happens to be in jailbreakd
and
cs wont give src
and
def wont fix it
we need real apple dev mode
therefore
palera1n
they’re using mshookfunction 
I mean the device they're using is most likely a arm64e one tho right
or
Funny
How do u know that
could be a X
LTE on AT&T, probably arm64 device
carriers nowadays have 5G almost everywhere
hey
hi
"Fake Airplane Mode" by Jamf (Vimeo)
isn't jamf that one MDM service
meeow
solution
1. Power off
2. Hardware-based forced reboot
3. Turn on airplane mode
4. Power off
I'll stay on 14.4 until 16.5 ends and if i dont have the jb done ill update
I remember making a 9.3.4-9.3.5 jailbreak for no reason
I need to investigate the current jailbreak around the end of September
my knowledge is clearly outdated
lol my knowledge does not exist
lmao
meeow
u made a jb and i made an ass script that half the time doesn't work
works fine for me tho
meeow
I made it because i didn't want it to use python
Even tho people kept telling me to use pyimg4
It was too slow
cimg4
pretty sure my script is the only thing that supports 15+
supports 8
This year we had clear good artifacts
sockport2 legacy
This made ios9jb reliable and made 8.x stable jailbreakable.

oldcursus gang
if only zebra worked back then sigh
I'd like to see a new one after fixing some bugs in it in September
latest
for 8.x I have to re-restore my 5s once and it takes time so i want to do it later
I don't have time right now.
:/
Cydia eraser?
or you’re afraid of hfs compression stuff
I'm going to restore rootfs via SSH
I've done it on 9.0.2 so it should be fine
nice
This is the reason you can’t get shit done
You have 0 motivation
Fuck 16.5 just figure the shit out. Only way you will learn 🤷♂️
oh
oh
Lmfao
Hey wait

fr
@stray zenith :3
Stfu femboy
bro instantly responded 😭
Get spawn camped
hey, how do sandbox escapes generally work?
I love that I’m still in your pro
*pfp
It warms my heart
Ayo @native dune are you active
Super not important
idk why
React to one of my messages real quick
Just do it
Then ping me
Twitter wants me to send you tips
kfd location spoofer where???
sandbox no works
you app be free
fr
just questions.
Why does the value of self_proc from kcall not have the complete value?
self_proc: 0xfffffff27fb44000
self_proc_kcall: 0x7fb44000
where is 0xfffffff2 ㅠㅠ?
probably because your kcall only returns a 32bit value
Wut is kfd. I’m old now apparently, don’t know this slang
kernel read write
When he says up to he means we have no idea for what the earliest version it would work on
People were kinda surprised it worked on 15, then someone implemented it into taurine to add 14.4.X support for arm64
And it’s worked on 13
So we have no idea how old it would work for
But main concern and use will be >15 for sure
Fork around and Find out 😄
idk i will try, we will see what i can do
To use it, i just need to include the substrate header and link to the dylib?
Do i also need to link to substrate?
https://github.com/bazad/memctl
I know there are good functions for calling functions with no arguments, but with arguments you might need something like a JOP chain
Thanks!!
A9 and below you can easily get 64bit retval using shellcode
A10 and up, it is annoying for KTRR and PAN
Ayo call me stupid but no kwritebuf in kfd?
mk so in theory it should be possible. My issue is only device is on 14.4.1. Which i knew before starting this but was under the impression wh1te's kfd fork was the same as the normal for functions.
his had a ton more with hella new offsets that were for ios 14. I cant get these offsets as no one has posted them and i dont have device.
but went strong for an hour making changes
man
why
why do you send his
fr
To build ellekit, should/could i disable debugging symbols and debug build?
Or will that mess up functionality
is kcall returning 32 bits address?
No, sometimes a 64bit address can come out, but it's not accurate
Seems to be related to zm_fix_addr
https://github.com/Siguza/v0rtex/blob/master/src/v0rtex.m#L1623
does this work?
No. deprecated
you can just do thread manipulation like fugu15
That's the technology I'm interested in right now...
I don't understand it due to skill issues, but would like to implement it when I have time.
Is this on a higher iOS? You're gonna need to be able to inject entitlements to make relocate me work, if you can't add the entitlements it won't work
Can work
kfd is the exploit itself
krw with it is possible and is being done rn
You can also get root and I’m sure you can give yourself entitlements @ runtime
Been out of touch with jb because of school let me go look at this
I thought you’re like 30
Lol bit younger than that
my bad
All g


That’s the convo directly right above u
Why’d you ss and post
I'm not falling for this. fuck you.
@visual meadow hey did you ever hook windowserver
No
is this possible w/out no SIP?
i mean i can inject everything else but windowserver seemingly with sip off
im not sure what the problem is
I'm gonna guess that's v intentional
possibly as some sort of anti adware or malware idk
im trying to like extend the compositor, damn this is a shame
isn't this why yabai is cucked? i don't think there's a way around it
i just thought they didnt feel like doing the work but idk
oh that's also possible idk either
would be version reliant
your objective?
w ellekit?
i just wanna add some cool effects like borders and shadows and maybe even some animated bits if i get there
lmao
i know right
it will just randomly stall and die, and thus the screen is basically dead and I have to reboot
doesn't happen to me
yea idk i have no clue how to reliably repro it so
windowserver dies when my monitor goes off sometimes
mfw macos:
it doesn't make sense though
i can't even attach to it in xcode
i can dtruss it
and frida
possibly
How do i use ellekit? I built the github main, linked to the lib, included substrate h and called mshook like normal. However it doesnt hook after installing the tweak using sileo
why would you need to build ellekit to use it?
The latest release was older than the latest commit so i thought its better to build it
nah
latest commit has a lot of problems
you just install ellekit from sileo and write a normal tweak that links against substrate
Youre right thank you
woem
women
meoow
fr
Fight
Forn
No my code
proved my point
rolex are u a dev
👍
GoHugo.io >>>
I really hate I’m learning assembly just to make a pong game

@grave sparrow how much can I pay you to do it for me
x128 Assembly
Suffer
good make sure it never does
do it in utf-16
Send me the info
I’ll make an alt account so they don’t know it’s me
I’ll send it and ping mod role
mmmm yes a whitename fresh account that knows ret is filtered isn't gonna raise any red flags
it has medic and safemode toggles for a reason 
medic mode
Hi why wont my mac machine work after installing this program called "Zefram"
It pink screened
and now
the Apple logo comes up and goes away
and comes up again
Please help
🥹
Terrible response! This is absolutely unacceptable and no way that you should conduct your business.
i tried hooking windowserver with frida
but it seems ws was immune
ill have to settle for the dock
use ellekit if arm64
ellekitbratus
for the task of injecting my dylib?
hmmm

@native dune idk if it was you but I think you asked what tweak you should make in #jailbreak but could you make a swipe to reply for iMessage like ik ios 17 ? (Just an idea, not a bounty)
Or like Snapchat
Can a rootful be done in 15.7.8 ipad air 2 with palera1n? I ask because I need to install Flex 3, and that requires a rootful type installation. I seem to be having problems running the latest palera1n with the -c -f flags. Doesn't seem to create the filesystem no matter if I try to do a --force-revert with or without the -f flag. Wondering if anyone knows.
whats the use for flex 3? just viewing classes and such
i know it has various uses but you may be able to avoid using it
I need to be able to edit Boolean values of a program I run.
do you know the methods?
No I need to examine on the fly and change accordingly. They change with each update to the app.
I’ve been using it for years, with each app update. But I needed to upgrade my iOS to get the supported version with my watch and there’s been a code change, so I need to examine and compare it against my old mod.
It’s aviation related
Holy shit... TIL...
JSON Web Tokens (JWT) are meant to be pronounced as "jot" and not "Jay-W-Tee".
The RFC actually says that. Not sure I can change now.
😁👍
https://www.rfc-editor.org/rfc/rfc7519#section-1
Wrong
Just wrong
No
It’s jay w tee
Says who
Me.
And I say it’s jot
it's jay w tee
Jay w tee
It’s JSON Web Token 
Jason wet toboggan
It's JavaScript Object Notation Web Token 
many such cases
Javascript Object Token
xcode 👎
i'd have prob made 20% less progress if we had to debug by building the ipa manually + moving it to device by alt/trollstore + opening antoine/console.app rather than literally just cmd+r in xc
had to do that for p1 loader, was fucking awful
airdrop is so shit too, it barely works
yes
bro what crack was i cookin
void (*orig_ButtonPressed)(id, SEL, NSInteger);
NSString *function(NSString *function, NSMutableString * __strong *one, NSMutableString * __strong *two, id s, SEL _cmd, NSInteger buttonID) {
[*one setString:[displayView accessibilityValueLabel].text];
[*two setString:function];
orig_ButtonPressed(s, _cmd, buttonID);
NSString *ret = [NSString stringWithFormat:@"%@(%@) = %@", function, *one, [displayView accessibilityValueLabel].text];
[*one setString:[displayView accessibilityValueLabel].text];
return ret;
}
NSString *power(NSString *power, NSMutableString * __strong *one, NSMutableString * __strong *two, id s, SEL _cmd, NSInteger buttonID) {
[*one setString:[displayView accessibilityValueLabel].text];
[*two setString:getSuper(power)];
orig_ButtonPressed(s, _cmd, buttonID);
NSString *ret = [NSString stringWithFormat:@"%@%@ = %@", *one, *two, [displayView accessibilityValueLabel].text];
[*one setString:[displayView accessibilityValueLabel].text];
return ret;
}
void operation(NSString *operation, NSMutableString * __strong *one, NSMutableString * __strong *two, id s, SEL _cmd, NSInteger buttonID) {
[*one setString:[displayView accessibilityValueLabel].text];
[*two setString:[NSString stringWithFormat:@" %@ ", operation]];
orig_ButtonPressed(s, _cmd, buttonID);
}

wfr
@plain python do you have the offsets needed to update jbd or nah? Could prob get you them since I’m on 14.4. Just lmk, ill try to help best I can
then do it


I need debug build
Waiting for them to send
When they get the chance
bro why do you need a debug build to check all the offsets 😭
this is like getting a knee surgery to extend your dick
hold on..
First off
Happened to my buddy Eric, it's a true thing
We dont, I’m offering to get the offsets in case she didn’t have an iOS 14 device so we can get debug
CS I’ll pay $75 if we get that debug build
Man can I have whatever you were on?
Bro the only person on earth to have ever used one of the accessibility APIs 
Other than accessibilityFrontmostApp
they don't
And that’s the exact reason I said that 😭
@steady nest it'd be easier to figure out whats exactly wrong tho
me finally grabbing my mac because I've been procrastinating for a week:
clarity finally done putting up with rjb’s shit
SHUT THE FUCK UP
😦
yeah I could tell 😭
bruh i mean
why the fuck is the shared cache slid on disk
you had that shit sent 2μs after I sent mine
I’d be impressed if you could respond that quick 😭😭
self bot confirmed????? 
self bot to respond to all my messages with "SHUT THE FUCK UP"
worth the acc termination imo

Does killing a process as root need entitlements
i have process running as root on 16.1.2 14 pro max
and
unsandbox with tccd
no
rm
Error Sending Signal
tccd
grant_full_disk_access returned error: (null)
rm
Error Sending Signal
can't kill 1
can I kill just regular apps
your sandbox won’t allow it
Yeah its stock app sandbox
Like developer cert sandbox
@tepid olive Ok so
like com.apple.app-sandbox.read-write
How would I know what tccd can grant
to a process
Like what other things can I replace inside grant_full_disk_access.m
@visual meadow You can’t fix it
do u know
Reverse engineer sandbox.kext
ok
idk check ida strings for tccd that match “com.apple.”
is com.apple.app-sandbox.read-write supposed to be a string inside said kext
i looked for com.apple.app-sandbox.read-write inside it and there wasn't any matches
@tepid olive what about like com.apple.private.security.container-manager

lol
idk what it doe
does
@tepid olive what does this do
com.apple.app-sandbox.read-write
where tf does this come from then
private shit or deprecated idk
smol question whats tcc
wtf are you trying to do
Transparency, Consent, and Control
ah
for once its an actually easy acronym to understand
or the relevant section in iOS
Just seeing what extra stuff I can grant to a app
@grave sparrow , so i said once that i saw someone hook on jailed with more than 6 hooks. He used this library (i think, he only said libevil), it should work. However the orig implementation is broken https://github.com/landonf/libevil_patch
LMAO
capt u ok
based
seeing that you say slurs when you are drunk, im gonna time you out for your own good

What does your drunk code look like
the same as his sober code
LOL
Keyword, might
Honestly captinc, i wouldnt let that slide if i were you. You need to show him that youre him
https://github.com/securing/IOSSecuritySuite/commit/6cc3f260b305d6a5500abbe9b4af5dfd3c4540d6 💀 yeah because that's a really great patch
Jailbreak detection is fucking pointless
I still don't get it
"but it lets us write insecure code and delay the consequences!!"
fr
if you have to write jb detection that means
- You're just forced to
- Your app is really insecure and the moment someone gets around that detection easily they'll find that out
yeah fr
bro thinks hes so cool with his <haha>
he should play some games with mr jailbreak detection
would that be you
no
bro out of touch
So much effort into something just useless
honestly, waste of time
Average jailbreak detection
thats a whole bunch of nothing
Crazy? I was crazy once. They locked me in a room. A room full of tweak developers. And tweak developers make me crazy
Crazy? I was crazy once. They locked me in a room. A room full of tweak developers. And tweak developers make me crazy
Crazy? I was crazy once. They locked me in a room. A room full of tweak developers. And tweak developers make me crazy
this mf makes me have to carry my id card around because I’m too lazy to fix shadow myself
Crazy? I was crazy once. They locked me in a room. A room full of tweak developers. And tweak developers make me crazy

true, you're not old enough to have to carry it

i wrote bypasses for all apps I need 
which is actually zero now ig bc rootless 
... my tweak is here in detection list 🥹
my tom?
Happy birthday 🥳
bro's trying to play a game with open sourced checks, he already lost
tysm
// "cydia://" URL scheme has been removed. Turns out there is an app in the official App Store
// that has the cydia:// URL scheme registered, so it may cause false positive
ok that's hilarious
gonna release an app in the app store with sileo:// and zbra:// for shits
this is apparently the app https://apps.apple.com/ng/app/realconnect-dhre/id1346538794
Happy birthday @lime pivot!
Hbd adam 
thanks friends 🧡
Happy birthday 🎉🎊🥳
Shadow is open source too, and that’s the best detection he could come up with 
@lime pivot happy birthday
hbd!
@lime pivot happy birthday!!
@lime pivot Happy Birthday Big Woman!!!
no he’s the crazy guy who’s making a bootstrap that won’t work
i forget his name you’ll probably see him on twitter
it’s called like roothide
it has a dopamine fork
Oh that
@hasty ruin cunt do that again and i’m ruining your life n
?????
after two months (Dopamine public release) of research, we have the following patch schemes:
Scheme 1: all paths are based on the original rootfs, and the /var/jb/ prefix is used to represent jbroot. this scheme has the best compatibility and the least cost.
but I really don't like /var/jb/, it always reminds me of fixed path jbroot, it's my nightmare, I paid so much to kill it, I don't want people to use it anymore, and I don't want this fixed path to come out of the grave one day in the future. so I have been looking for other solutions.
Scheme 2: all paths are based on the original rootfs, using other prefixes to represent jbroot (such as /JBROOT/). this scheme is not much different from scheme 1, we also use a prefix path that does not exist at all to represent jbroot, and there are many more compatibility issues, so I quickly gave up on this idea.
Scheme 3: all paths are based on the original rootfs, use char* jbroot("/jbpath") in the programming code to access jbroot, and use the jbroot-based path to represent jbroot in the config file of the jailbreak program, then we ln -s / jbroot("/rootfs"), so that we can use the /rootfs/ prefix in the configuration file of the jailbreak program to represent the path access to the original rootfs.
at first I liked this scheme, it completely killed /var/jb, but soon I realized a huge problem: the constant string path in the config file may simply be passed to another jailbreak program, such as the cmd.conf of a jailbreak program may be written like this:
/bin/sh /usr/local/xxx.sh
then it directly executes this string through system(), without caring about every parameter in the command, so it will not call jbroot(/usr/local/xxx.sh) to convert the path.
the reason for this dilemma is that different modules of a jailbreak program may receive different path-based inputs, sometimes they may receive an input based on the original rootfs path, and sometimes they may receive a jbroot-based path input. this also caused programming difficulties and confusion. so I also gave up on this solution.
Scheme 4: all paths are based on jbroot. like solution 3, we also use char* jbroot("/jbpath") to access jbroot in programming code, and ln -s / jbroot("/rootfs"). but each of our jailbreak programs only accepts a jbroot-based path input, and uses jbroot() to convert (or uses the shim library to convert automatically), so it seems that all jailbreak programs are running in the jailbreak world (based on jbroot path).
the only thing that requires special handling is the path interaction between the jailbreak program and the system program (the system program still runs in the original world, based on the rootfs path). the interaction between the jailbreak program and the system program/library is exact, which will not cause confusion. and almost no system program/library will actively call the jailbreak program (pass a rootfs path to the jailbreak program).
through system()
as if @hasty ruin
Holy hell
i don’t remember which concept he ended up going with
Caught his ass in 4k lmfao
though none of them are foolproof
moyai
doesn’t really seem reasonable
Remove his dev role
Bro had childhood trauma from /var/jb
yeah he’s beefing with rootless path
fr
😭
Fighting with ghost
@slender glade https://github.com/RootHide/Procursus-roothide
What’s the point
idk he just has this obsession with jailbreak detection
@restive ether iPhone 15 Pro will be able to "connect to the internet" and "browse the web" according to sources familiar with the matter
he’s come to the conclusion that’s why people don’t jailbreak anymore
Just use shadow bro
not good enough
according to him
but in my experience that worked every time i needed it to
i remember someone here saying his thing is pretty easy to bypass
@restive ether
Happy Birthday @lime pivot!!
I mean it’s open source, all you gotta do is go 1 for 1. Shadow used to be able to bypass, to update shadow wouldn’t take much.
So it’s not “easy” but it’s been done and it was open source so
dude literally add 1 commit to troll with the shadow devs
“Lets play a game”
Like shut the fuck up
Haha
I wonder if shadow worked before that, I’ll try to find an app that uses that
it must have done
he wouldnt have bothered otherwise
Yeah
@naive kraken is there a way to get the bundle id of the parent cell using AltList?
<dict>
<key>cell</key>
<string>PSLinkListCell</string>
<key>detail</key>
<string>ATLApplicationListSubcontrollerController</string>
<key>subcontrollerClass</key>
<string>AppSettingsController</string>
<key>label</key>
<string>APPLICATIONS</string>
<key>useSearchBar</key>
<true/>
</dict>
and then in the AppSettingsController somehow access the bundle id of the app's PSLinkListCell?
idk if thats descriptive enough of what i want lol
yes, see the example
[specifier propertyForKey:@"applicationIdentifier"]?
- edit: yes
ty! sorry for the ping 🫠
do I have to do anything special to get a live camera preview in springboard
I've been messing with this for a while but I keep getting a black screen
someone give that a shot
Nice
Did you compile IPA cause I have no Mac access rn. Also want me to try arm64e? Just lmk cause I need to rootFS, on Fugu rn
Thank you
@visual meadow
I know
Bro I didn’t even know that, thanks
yeah i typically abuse those perms in order to delete all of capts messages
Will join you in this movement
I deleted one of cameren’s earlier
Hard R is crazy
thanks man
Bro used his government name
thank you shepygoba

@lime pivot happy birthday
I have! it's been a while
Rare star appearance
Great to see that
Bro apparently hasn’t seen #taurine
I tried this on a iPhone 7 running 14.8, and I tried it 10 times, all the 10 times it panicked shortly after "Selecting kfd [physpuppet] for iOS 14.0 - 14.8.1" was printed with either a kernel data abort or pmap_remove_pv: unexpected pv head panic messages.
Looking through #taurine I saw this was known already, sorry!
kfd works… on ios 12?
@plain python don't question this, try compiling kfd Taurine with "-Os"
For some reason that fixes some of the unreliability
Ah wait it's opensource so ig anyone can try this
lol
clang optimizations go crazy
I have a bunch of 14 devices and might take a look in a bit
that's how it is by default in Release mode. But most people are compiling it themselves (probably in debug)
patchfinder runs horribly slowly in Debug mode so you'd want it with -Os anyways
does it cache the offsets
no need. It runs basically instantly in Release mode
😯
well the offsets used in the kfd in taurine for 14.x are certainly wrong on some subversions
How can I inject a dylib into every launched process when developing a jailbreak?
Is there any watchtower for processes?
Sorry, noob question 🙏
too real
i still can't figure out why get_use_count isn't working, this is on iOS 12.5.7
Fixed kfd on A11 14.6 at least
Thanks, the launchd hook seems to need careful watching.
u trying kfd on 12?
Yes
same error as on 13
I suspect indexedtimestampptr and ReadDisplacement may be wrong
anyone trying kfd on 9
sockportlegacy better 
true
Are you trying to actually create jailbreak? @unkempt magnet
Well, just for fun
However, I think the development will be limited from September due to the opening of the university.
to get the most up to date theos toolchain where would I go
bakera1n tho
this is just an old-style jailbreak 
ahh u want to do newer userland stuff
yeah
make ios 13 jb with full bypass 
For me
ios 8, kpp bypass based, bootrom exploit based: oldstyle
ios 9, ios 10(yalu1011): insanity style
ios 11-: modern style
legacy better anyways lol
I have no idea how KTRR-Less jailbreak works
they're not super complex for 10-11
hmm
hm

what part of it doesnt work
You working on nekojb?
kread ---> object_id = 13, object_uaddr = 0x0000000129ffd000, object_size = 256, allocated_id = 16/4096, batch_size = 16
kr: -536870206
iosurface_get_use_count : (iokit/common) invalid argument (0xe00002c2)
[iosurface_get_use_count]: Failure: assertion failed: (kr == KERN_SUCCESS)
[iosurface_get_use_count]: Failure:
file: /Users/ibarahime/Downloads/u0_real_leak/Undecimus/kfd/libkfd/krkw/kread/../IOSurface_shared.h, line: 245
2023-08-21 21:19:57.705522+0800
it says it has wrong args
u0_real_leak
idk i just copied the code from weightbufs
this cannot be caused by wrong offsets
not wrong offsets
either port or surface_id is broken?
trap6 for kexecute stuff
just test creating IOSurfaces without running any exploit
ok
For me it's a function for flush_dcache
has multiple uses
creating surface with fast path with selector 6 works though
I like how it has multiple uses but none of them are related to what the driver was made for
Then call get_use_count on it
aight
ld: framework not found Preferences
clang: error: linker command failed with exit code 1 (use -v to see invocation)
bruh what
$THEOS/sdks is your friend
yeah i just installed the iOS 14 sdk from amy's repo
this is on my mac now
No, Just concentrate for kfund
kfd success on
14.6 arm64
14.3 arm64e
i was using 14.5 on linux and it worked, 14.5 on macos didnt work
so i tried 14 macos
still didnt work
So the launchdhook isn’t for nekojb?
Never heard of that?

how is redacted serena jb going
As good as 3 piece Maruki
mfw doesn't play persona
🤤🤤
Nice
This works as well
weird
Yh im depressed
@naive kraken
ls $THEOS/sdks/iPhoneOS14.5.sdk/System/Library/PrivateFrameworks | grep Preferences.framework
BridgePreferences.framework
HIDPreferences.framework
IntlPreferences.framework
Preferences.framework
TelephonyPreferences.framework
Preferences.framework exists in my sdk
then you're compiling with another sdk that doesn't have it
ok weird i specified 14.5 instead of latest in my target and it compiled
well
it went away
i just gotta install AltList now
bruh
idk what other SDK it would be using
xcode
considering 14.5 is the ONLY sdk i have in there

bruh
this is my first time compiling on a mac
i need new abi support
@plain python https://github.com/opa334/kfd switch to this, should fix wrong offsets on 14.5+
Also
14.4 problem resides with libhooker and jbexec
We used anydesk and stuff
Im gonna set up a hackintosh on monterey and use xcode 13
Coolstar thought one bug was fixed in 14.4, it was not
And had it disabled in 14.4+
Now the problem is in lh somewhere
plugged kfd changes into taurine, still panics on exploitation 
oh it uses physpuppet by default
maybe only smith works
although weird cause physpuppet is way cleaner
ios 14 just weird who knows
well with smith the exploit once worked for me now but it still panicked later
kernel data abort so probably wrong offset in Taurine itself
is there a method that doesn't panic halfway through the exploit if ur phone isn't cold
damn getPortAddr panics
off_task_itk_space changed to 0x338 in some version between 14.3 and 14.6
ok next thing broken is nonce setter apparently
that was broken well before lol
it didn’t even work when taurine came out for me
broken = panics
oh that’s new
with that commented out I get ERR_REMOUNT
who in the house with IORegistryEntrySetCFProperty(registry, CFSTR("com.apple.System.boot-nonce"), CFSTR(0x11111111111111))
i got the same, seems kfd itself seemed to worked fine
already fixed
yeah with offset fixed and nonce setter commented out I consistently get ERR_REMOUNT now on A11 14.6
Selecting kfd [smith] for iOS 14.0 - 14.8.1
"IOSurface_id_write=10"
"context_write_port_addr=0xffffffe19cd2fe58"
"context_read_port_addr=0xffffffe19d1e3b10"
"ip_context_offset=0x0000000000000090"
"ret.context_write_context_addr=0xffffffe19cd2fee8"
"surface_port_addr=0xffffffe19d027db0"
"surface_kobject_addr=0xffffffe4cca34670"
"surface_clients_array=0xffffffe4cc9f8000"
"_context_write_context_addr=0xffffffe19cd2fee8"
done!
isKernRwReady: 1
Successfully exploited kernel!
Starting Electra...
Found kernproc
May have found allproc...
found our pid
found amfid
found cfprefsd
found launchd
found kernel proc
Found kernel base 0xfffffff018554000
kernel slide is at 0x0000000011550000
our proc is at 0xffffffe19a7ee1c0
kern proc is at 0xfffffff01a7a7a98
our uid is 0
Entitlement is not safe. Skipping com.apple.private.signing-identifier
Found an entitlement! task_for_pid-allow
Failed to get the region: 0x00000001ce70e4bf
Got amfid task port: 30479
found vnode: launchd
found vnode (should be sbin): sbin
found vnode (should be root): System
vnode flags: 0x84801
com.apple.os.update-AE7C5674E9654D7594A090D50589303FDFF792AF7086FD9700A4F6C707CCD4619E12311E1D616AFF94B94F6299759D39@/dev/disk0s1s1
Entitlement is not safe. Skipping com.apple.private.signing-identifier
Found an entitlement! com.apple.private.security.disk-device-access
Found an entitlement! com.apple.private.vfs.snapshot
Found an entitlement! com.apple.private.apfs.revert-to-snapshot
System Snapshot: com.apple.os.update-AE7C5674E9654D7594A090D50589303FDFF792AF7086FD9700A4F6C707CCD4619E12311E1D616AFF94B94F6299759D39
found dev flags: 1
mount: -1 1
mount completed with status -1
Reset creds
@plain python
rootvnode offset wrong? found vnode (should be root): System
hmmm
probably
I mean the parent struct offset must work
but why is sbin->parent=System???
is /System/sbin a thing on newer iOS 14 versions?
No
System, afaik, is the name of /dev/disk0s1s1
And sbin, is well, /sbin
@naive kraken
yeah seems to be right
I just need to figure out the stuff with libhooker
Where's that stg 2 dylib come from
pspawn_payload-stg2.dylib
That's the crash
@naive kraken do u know where the dylib comes from
from binpack....
prob closed src
Anyone know
Mine or yours
yours
lol how
the hook isn't working
libhooker not working?
Whatever, I'll just set up a hackintosh later today
And then hope cs is on again
stg2 source?
If so, damn, that's crazy, but idk how that helps if I'm not getting the src either way
it highly depends on what it is that was attempted to be hooked
jbexec source
what is jbexec
That's fixed I'm pretty sure
were basebins changed
There was a hardcoded 14.4 thing, that cs thought that was fixed in 14.4
No, not publicly at least
Like, disabled bug workaround
That cs thought was fixed in 14.4
could try these for VnodeOffsets in offsets.swift, can't ensure they are correct, was just in a massive text file of offsets I have lol
public struct VnodeOffsets {
    // struct vnode field offsets (bytes), iOS version unverified
    let ncchildren = UInt64(0x28)
    let flag = UInt64(0x4c)
    let usecount = UInt64(0x58)
    let type = UInt64(0x68)
    let id = UInt64(0x6c)
    let ubcinfo = UInt64(0x70)
    let specinfo = UInt64(0x70)
    let name = UInt64(0xb0)
    let parent = UInt64(0xb8)
    let mount = UInt64(0xd0)
    let data = UInt64(0xd8)
}
let vnode = VnodeOffsets()
was labeled as: "xnu 7k?" lol
idk where it's from
just checked in https://github.com/apple-oss-distributions/xnu/blob/bb611c8fecc755a0d8e56e2fa51513527c5b7a0e/bsd/sys/vnode_internal.h, the ones in taurine are correct for 14.5+
Will do
That’s the name of the apfs volume
Weird
Maybe the mount offsets changed too
Since it looks like it gets entitlements successfully
if anything it must be specinfo->flags
Yeah
si_flags is still 0x10
yeah no nothing changed
vnode->specinfo is 0x78
specinfo->si_flags is 0x10
I hate how this offset is duplicated in Taurine because tihmstar wanted to use C++
since the swift part can have different offsets easily for different iOS versions
Why does tihmstar use a language he doesn’t know how
and then he got pissed when I stripped away and replaced a lot of his code later after it was crashing left and right
If tihmstar doesn't know C++ then what does he know
C++-compiled C
if (vnode_isblk(vp) && vnode_ismountedon(vp)) {
    error = EBUSY;
    goto out;
}
Me when compiling the 50th dependency
if ismountedon was the problem it would return EBUSY not EPERM
even not setting the flag still returns EPERM
so it doesn't even hit that piece of code
Macros are fine just not the way he uses them. Also release asserts should be used correctly not like this
Apple uses a lot of release asserts and macros in seprom
It’s very very secure
It wouldn’t let me use it so I stopped trying
this fr
black market ahh defer
C you are better off using switch case enum
What
Someone on the internet said that was good code
mfw cant pass return val to defer block 😡
State machines are good code apparently
Honestly you are better off optimizing for the best branch speculation
Have you looked at the compiled
Apple doesn’t care about an extra branch in their kernel
12 bytes isn’t enough saving
tested on a 14.3 device, by not setting the device flags I get errno 16
so there is probably some additional check in mount on newer versions
maybe I could use pongo to patch in some panics into mount to figure out what check fails, but I feel like the stock checkra1n patches will conflict with Taurine
@naive kraken just pushed to https://github.com/Odyssey-Team/Taurine/tree/kfd
Yay coolstar!
ok dumb me wasn't looking at syslog:
Aug 21 21:57:50 kernel(Sandbox)[0] <Error>: System Policy: Taurine(259) deny(1) file-mount /private/var/MobileSoftwareUpdate/rootfsmnt
that's the issue
they must have
try find+replacing "/private/var/MobileSoftwareUpdate/rootfsmnt" with "/private/var/MobileSoftwareUpdate/mnt1"
maybe we just have to use that dir
(though remember to remove all rmdir(mntpath))
Aug 21 22:03:16 kernel(Sandbox)[0] <Error>: System Policy: Taurine(292) deny(1) file-mount /private/var/MobileSoftwareUpdate/mnt1
...
grab ents from /System/Library/Filesystems/apfs.fs/fsck_apfs instead of /var/containers/Bundle/Application/ctbypass
tragic
fsck_apfs
apf goes crazy
in the kernel I can only see /private/var/MobileSoftwareUpdate/mnt not /private/var/MobileSoftwareUpdate/mnt1?
@naive kraken I wonder what if we grab com.apple.rootless.install and/or com.apple.rootless.volume.Update
(you can test by using the ctbypass bin, though you'll want to rebuild it with the added entitlements ^^)
how do I do that
nothing seems to be able to extract the gz
it's a zstd renamed to gz to try to confuse that guy who was ripping off taurine and swapping the strap
lol
the th [ ] r guy?
yes
smh
I got into Twitter beef with that mans
dude been at it for like 5 years now
He is like mentally 12
He is so persistent for no reason
Like he’s got some villain back story plot type shit 😭
is that guy incapable of running file lol
is the guy seriously unable to file xyz.gz when tar fails
unfortunately not
I wish he was that incompetent
worth a shot
you can just build a new bin since the ctbypass/ folder is at the root of the repo btw
it's literally just a hello world executable lmao
downloading xcode
oh damn
insane coretrust bypass
ok
Watching nebula brick their phone
@visual meadow stop spamming me and this channel with pointless shit
I stopped spamming u lol but that's true, I'll stop
I really hope we don't need the softwareupdated seatbelt-profile
I know for mounting / unmounting DDI on iOS 14, you need the sandbox profile for MobileStorageMounter
ldid -e
com.apple.rootless.volume.Update yeah
JK