#development
1 messages · Page 70 of 1
that's like 3 years and a half of apple dev program
fr
yeah im also talking about decomp
where's arm then
imagine decomping arm
*OS
no arm
if ur serious about re
kind of a big problem
you aren't doing arm
based
serious about re = looking to do malware analysis or smth
unless u want look at mobile malware lol
yes i already amended my statement i was talking about the context of darwin platforms
based
binja is great but their arm64 decomp is only like 65% as good in my experience
see im not a mac user i didn't even know what *os was referring to
ida home also gives u access to support which is nice
but if you don't care about wine do just pirate it
i respect binja's model far more too because you buy once you get it on every major OS
My jb has been done here~ It was really fun
nice
Wow
nice work 
nice work but change that font
nice - how functional is it by chance (haven't looked too much into it)
would be better if you used comic sans font
Most things work but userspace reboot/ldrestart doesn't work.
Only 6s 15.1 works due to hardcoded offsets.
Sometimes when opening Sileo, it just panics occasionally
So reliability is not guaranteed, NOT recommended for general users
One day, I really hope mineek & serena & hahalosah make a perfect jb.. someday it will happen.
fix = dont open sileo 
currently attempting to find ios 16.4.1 iphone 8 plus offsets
We’re just stuck on dynamic tc :(
It just doesn’t work on our devices, mine and Mineek’s
Once we get dynamic tc working everything else is gonna be easy
(If it's not finished yet by mid-September,) I might try it.
i can't really do anything right now... 
😯
Did you have to patch dimentio?
No, just needed libjbdrw. That is enough.
Not needed I did all the work for dopamine
However I never fixed kcall

I see
Once I get dynamic tc working we’re gonna be so back
We are in an era where you basically have one jailbroken version per iPhone launch if you are lucky 
I never thought abt it like that
makko
that's the food
@unkempt magnet i'm gonna try staticTrustCacheUploadCDHashesFromArray rather than dynamic
if it doesn't work it's prob a krw issue
offsets are the most frustrating part of this fml
lol
so far i found one offset
this one
Oh it’s only like 40 offsets dw
which one
puniqueid (0x48)
lol
maybe i should try this modified script: https://github.com/tihmstar/libpatchfinder/issues/29#issuecomment-1651805769
Whenever I try to run the findjboffsets.sh in example folder I got this error: ./findjboffsets.sh offsetexporter: liboffsetfinder64 version: 0.143-ab2d635e1cd0c51ae6e7ff1d2bfa2b6af9bdeee7-RELEASE I...
it won't find vm_pages and vn_kqfilter but it should find the rest
i am on windows and don't know how to compile libpatchfinder so
I wish I could figure out how to run badRecovery from kfd but I just run into weird issues that make no sense 😭
What is it
@lime pivot @restive ether @primal perch https://x.com/coreserena/status/1695769824599720061
“Your software isn’t user friendly” well you’re not a friendly user sooo
fugus pac bypass
Ah
Crazy ? I was crazy once
average windows user
We got dynamic tc #782323285294841896 message
old news, mineek showed it here first 
We don’t give a FUCK
Also where because I didn’t see it here
Whatever I’m too excited
Now the biggest obstacle is out of our way
Thanks @hasty ruin

Now no one can unpin it
only messages sent by capt can be unpinned
Fr
how dare he say that
Congratz!
Thanks goat :)
🧌
offsets are the first thing I did to become a jb dev back in 2016
Damn u old as fuck
it's the first rung on the ladder
sorry
Ic
U hear that @granite frigate
Honestly it’s the most time consuming thing for me
once you got offsets you are closer to becoming a security researcher
Otherwise everything after getting the offset
Is just a run-debug loop and just testing shit
I propose a cool plan for offsets
but I don't have the time or interest
so its up for grabs
What’s up
So Arm provides the Arm Exploration Tools with a map for every instruction. Instead of doing manual decoding like tihmstar does, you can just parse the XML files and make a fully automatic and accurate disassembler. With that you can utilize it to make a good kpf

Do u also enjoy doing tests
like school tests?
hell nah
How do you enjoy finding offsets
its like a puzzle
It’s the jb equivalent of a math test u didn’t study for
idk i just enjoy shit like that ig
💀
"iPhone has disconnected"
Half the time this happens bc my phone’s port is so easily disconnected
wiggles like a newborn
Mf ur using a phone
Everything is some random number
capt is vegan 
fr lmao

arguably worse
Unfortunately the only thing that worked rn is re-running the exploit from jbd bc the krw handoff we used didn’t work for this
I don’t think kfund’s works on anything above 15.1+ bc of the checks Apple added
So Mineek and I have to find a getaround or another krw handoff method that would actually work
if it works it works 
Does anyone know what architecture the S5 chip is? I'm trying to jailbreak the HomePod Mini for personal use and I can modify the OS no problem. My only problem is there is no form of shell in the OS. I currently am trying to get root via launchd. The only way I can think of to have launchd execute something is through a shellscript. As mentioned earlier, there is no form of shell, so I would need to install my own.
page tables
Once I managed to integrate kfd into Dopamine, I may try adding arm64 support anyways
it's just that it will be a massive hassle to get rid of TrollStore and write a new patchfinder
?
There is nothing in Dopamine that wouldn't work on arm64 except for the patchfinder
I see
only problem is that it relies on being installed with TrollStore
which unfortunately doesn't work on 15.5+
Elaborate?
Ah
You mean that
I see
Not using if switching to that method would make this work though
Bad way of thinking for this imo
ANy ideas?
Couldn't find it anywhere :/
"new" or update the current one?
nvm i read it as "we found a workaround" not need to find one
lol
idk
I'd much rather have a non swift one
damn
and I fear there will be a lot of struct offsets that need to be found for arm64 support
can use tihmware patchfinder 
i just realised that rootless lets you have multiple jb setups
bc you can just swap what environment /var/jb points to

crane but with jailbreak setup
I feel like this would be the most annoying
xerub's pf is a good start
no need to reinvent the wheel ig
ah but that requires a Kernel dump ;_;
kcache downloader time
huum but you have the whole kernel mapped into your process
no you don't
at the time the patchfinder needs to run you have nothing
but getting access to the kernelcache file is possible
it needs to run post kexploit pre PAC bypass
fr
new icraze tweak
whst
The worst part of just about anything

Wait you’re lowkey cooking
okay now that's actually kinda cool
right?!
iCraze had a good idea finally
🗿
Bro just got his first ever shower thought
your ideas are just remaking tweaks from a few ios versions ago

This is a slur for devs
Ok but like
Half of all existing tweaks
are just bringing in features from other versions
Whether older or newer
SearchDots doesn't count, that's apple's idea
(rare)
but there's an App Library option
Creativity is not a score to count in jb tweaks imo
so nexus dont count (kinda)
REAL
has more features than ios 16!
So does SearchDots
ios 17 getting close tho
smh
you'd have to ensure that any jailbreak you support doesn't delete other jb-XXXX folders
back me up here guys
but yea, feasible
the dude in #jailbreak reversing some paid tweak and cloning it bc he doesn't wanna pay $3:
build it into the jb
FreeNexus coming soon!

what
lol
I mean ngl it would be kinda cool if you had a tweak do it
Why a tweak
instead of depending on jailbreak support
What would it even hook
theoretically you could switch between whole setups

Not even a tweak just an app really
inb4 switching between fakeFS's
*jailbreak setups
need to get swift to 80% at minimum fr
I think a cli tool would be best for this
What’s this
Obj-C on top
socket
although currently i don't think there's any overlap between rootless jbs
REAL???
Is that the name of your project or is this referring to Unix sockets
maybe palera1n and wh1te4ever's kfund but that's it
project (jailbreak)
Oooo
is everyone just making their own jailbreaks nowadays lol
everything is swift except for 32 pf and the exploit
The 2 people we depended on just left
right 
At the same time too
ong
cat
His solution to every issue is to wrap his code in DispatchQueue.main.async {

Anyone know how to fix "building in iOS but linking in .tbd file" when making a package with theos on Mac?
ignore it
I thought it was an error not a warning
post full line
They got so fcking annoying this year with the Xcode beta and basically just broke all tbds
You have to edit them now

imagine building stuff with new Xcode
fr
Yeah well it’s gonna come haunt your ass soon lol
Uh huh
depends
Why would u need to rest tap
how many source files is to much in xcode u think
restrap
to make a new env
it just checks for /p/p/jb-* and links it
it’s the best shot tbh, the read prim is too slow
@radiant idol lmao this is still at the top of my search results
lmfaooo
yep
Making all for tweak fb…
==> Preprocessing Sources/fb/Tweak.x.swift…
==> Preprocessing Sources/fb/Tweak.x.swift…
==> Compiling module interface (arm64e)…
==> Compiling module interface (arm64)…
==> Compiling Sources/fb/Tweak.x.swift (arm64e)…
==> Compiling Sources/fb/Tweak.x.swift (arm64)…
==> Compiling Sources/fbC/Tweak.m (arm64e)…
==> Compiling Sources/fbC/Tweak.m (arm64)…
==> Linking tweak fb (arm64)…
ld: warning: building for iOS, but linking in .tbd file (/Users/pain/theos/vendor/lib/iphone/rootless/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for fb…
==> Linking tweak fb (arm64e)…
ld: warning: building for iOS, but linking in .tbd file (/Users/pain/theos/vendor/lib/iphone/rootless/CydiaSubstrate.framework/CydiaSubstrate.tbd) built for iOS Simulator
==> Generating debug symbols for fb…
==> Merging tweak fb…
==> Signing fb…
yea you should be fine
rip tweak
why
where can i find the deb since i dont see it
just rename to oldjb-hash
oh true
packages folder


yea this would work
you should also make a new file when switching
.environment_name
Yo
If you get root
And you’re an application
Does NSHomeDirectory still return the containerized path
could just keep the main setup as jb-hash
then make other setups
jbsetup1-hash
jbsetup2-hash
etc
then the environment selector looks for "jb" in folder name (only stock folders are appleinternal, private, system, usr)
otherwise the name would be lost once you set a setup as the active env
Then you wouldn’t need to change the dopamine code itself
And could just make a tool to change the symlink
/var/jb points to pro, so would prob just be nicer to read /var/jb/dotfile to get the name
but yeah
doesnt matter
forgot about that
dopamine regenerates the symlink every time
Oh
does palera1n
you need to rename the folder, you don't want to rely on the "find jb-XXX" code being deterministic
idk
yeah true
i would work under the assumption that yes
i know the boot manifest hash code is stolen from dopamine because i wrote it
NSHomeDirectory: /var/mobile/Containers/Data/Application/B03B71EF-E825-42F1-9CA9-6199C6B24ED2
It's with system/jbs apps when root is set
so possibly other stuff too
Aight
thats from a userapp with no ents, just root
lemme check loader src
as im making this on my main device, imma copy my setup to /var/mobile as a backup

you panic surprisingly soon after renaming the boot hash folder
wtf
oh
either the folder name got reverted
or it didnt actually get renamed

it panics so quickly it cannot flush the change to disk
oh yeah true
this is also why I removed the remove jailbreak option while jailbroken
how are you gonna switch environments while jailbroken then
keep boot_info.plist intact
ah
Will MacOS not let me mount/flash a modified OS if the digest has changed?
ping me when we find offsets for arm64 devices
@naive kraken @visual meadow @unkempt magnet I have a suspect on what the issue is with arm64e 14.4+, as well as a potential fix
Nice
Seems like the panic is fixed in the release version (v1.0-dev1). No more panics so far
Haha, I didn’t get pinged but still gonna say that’s good news
why are you using cydia
why are you in #development
lets fix cydia
why are you using cydia
why are you in #development
why are you using cydia
why are you in #development
why are you using cydia
why are you in #development
why are you using cydia
why are you in #development
LETS GOOOOOOO, I LOVE YOU (in a friendly way)
what was the problem
This
Added some proc check in jailbreakd, now it's okay

Nah... it panics again 😦
Maybe watchdog issue?
If I want to remove a button like YT shorts or a banner, could I use the permflex shortcut “@property bool enabled” in swift or do I have to look at the other methods/properties for something similar?
arm64e fix is validated to not cause regressions on arm64 14.3 and 14.8.1
so only question is if it actually fixes arm64e lol
I can read but idk why it says that
why would the arch be blank
(mach-o file, but is an incompatible architecture (have 'arm64', need ''))
oh.
==> Warning: Building for iOS 7.0, but the current toolchain can’t produce arm64e binaries for iOS earlier than 14.0. More information: https://theos.dev/docs/arm64e-deployment
I don't need arm64e
you need an older toolchain
I am compiling for iPhone 8 Plus on iOS 15
Bro built his binary for ""
then change the min target from 7 to 15
how?
he got the secret arch
arm64Pro
TARGET := iphone:clang:latest:7.0
change this
to TARGET := iphone:clang:latest:15.0
with this, I get
how can I disable arm64e?
that's not the issue
no?
how? first time doing anything related to jailbreak development
I just installed theos with the command it gave me
brew uninstall fakeroot, brew install fakeroot
should I force it?
Error: Refusing to uninstall /opt/homebrew/Cellar/fakeroot/1.32.1
because it is required by makepkg, which is currently installed.
You can override this and force removal with:
brew uninstall --ignore-dependencies fakeroot
idk
Cause it has the arch, but it thinks it needs a diff one
makefile based build systems were a mistake.
What kind of Mac do you have
Hm
Got it. Any idea how I can fix it so it can compile the thing?
what settings?
that should be off already
i don't doubt it
isn't fakeroot used for building some procursus packages anyway
which is the case, so i doubt procursus fakeroot would just be broken lol
so what do I need to do
let's go
@hasty ruin someone unpinned the DispatchQueue message and a whole bunch of other ones
Most of the pins kept are capt’s….
@restive ether who is unpinning
Even the hex subtraction img got unpinned
Maybe its not capt
what
Vote to unpin all capts messages
fr
man what the fuck
so
#include <stdint.h>
#include <stdio.h>
#include <string.h>

// kernel read/write primitives handed off to jbd (implemented elsewhere)
extern uint64_t kread64(uint64_t where);
extern void kwrite64(uint64_t where, uint64_t what);

size_t kwritebuf_remote(uint64_t where, const void *p, size_t size) {
    // number of bytes that can be written as whole 8-byte words
    size_t alignedSize = size & ~(size_t)7;
    printf("alignedSize: %zu\n", alignedSize);

    // write the full 8-byte words; memcpy avoids unaligned loads from p
    for (size_t i = 0; i < alignedSize; i += 8) {
        uint64_t val;
        memcpy(&val, (const uint8_t *)p + i, sizeof(val));
        kwrite64(where + i, val);
#if DEBUG
        // read back what we wrote to check if the write actually landed
        uint64_t read = kread64(where + i);
        printf("val: %llu, what we wrote: %llu, same: %s\n",
               (unsigned long long)val, (unsigned long long)read,
               val == read ? "yes" : "no");
#endif
    }

    // trailing partial word: read-modify-write so the neighbouring
    // kernel bytes past the end of the buffer are preserved
    if (size > alignedSize) {
        uint64_t val = kread64(where + alignedSize);
        memcpy(&val, (const uint8_t *)p + alignedSize, size - alignedSize);
        kwrite64(where + alignedSize, val);
#if DEBUG
        uint64_t read = kread64(where + alignedSize);
        printf("val: %llu, what we wrote: %llu, same: %s\n",
               (unsigned long long)val, (unsigned long long)read,
               val == read ? "yes" : "no");
#endif
    }
    return size;
}
this is our kwritebuf_remote impl in jbd after handoff
and it just fails at writing
like
after reading the addresses we wrote
they're 0
fml idk what to even do now
maybe evelyn's handoff is just bad
we can't use wh1te4ever's either because that doesn't work on anything above 15.1
it's been PAC'd, but arm64 doesn't have PAC
it should work as is
it does
iPhone 6s 15.7.3
Thanks @wh1te4ever, I found offset.m by myself
My skill is really the issue, tbh 😅
Compiled it by yourself:
https://t.co/LrBi1HJq9D

fire
@crisp frost
is that it? just offsets?
i thought there were a couple other checks stopping it
we love pac
nah fuck pac
bipolar?
WHAT
either hahalosah or siguza lied
bro
'IOSurfaceRoot is dead'
mate doesn't know what pac is
this entire time
🗿
i would be so mad at hahalosah
because I didn't try
because I thought it wouldn't work
😭
@slender glade ok let's do this.
true
i didn't see it...
@crisp frost we're gonna need some offsets tho
@slender glade lemme add you to the repo mineekJB15v2, you try to implement tihmrw, ill make an offsetfinder
ok?
alr

@slender glade https://github.com/mineek/mineekJB15v2
You don't have access to this link.
let's get this bread
i feel so stupid now
22/07 and 19/08
@steady nest wanna know the best part
I GOT the kernel rw working itself from tihmstar
.
I just didn't bother implementing handoff because right at that time hahalosah told me it wouldn't work
he TRICKED yo ass
I don't want to be mean, but didn't we come to the conclusion they don't know that much about jailbreaking
yeah
school starts tomorrow so....
I didn't know haha told mineek
i'll see what i can do
yeah get ur ass off mf i'm already on that xcode
because me, opa, evelyn said it'd work
ev backed out of it
if I saw that explicitely I would've trusted you above hahalosah, but I didn't see it...
said it wouldn't later on on 15.7.1 or whatever
i feel so stupid now
yeah but isn't it patched in 15.7.something
kfd itself?
np but the only patch I know of is pac
it's in the mcbc talk or some talk from that time
well the point is that I know that it works now and that we can try getting it now
when do u come back from school
every day at 15:30 I'm home
I don't see how https://github.com/34306/kfund/commit/b5016ab62a1c6f072cff39c6f6b788614c4b8f32 would work tho
- they didn't change jbd offsets
- off_ipc_port_ip_kobject = 0x58
- this is 100% 0x48 on 15.7.1 6s, so i doubt it's back to 0x58 on 15.7.3
who is this
nguyen?
ig ill restore to 15.7.3 and just try it
@native gale is this u mf
Uuuhhhh
Idk
You still didn’t answer my dm
Do it rn it’s causing me much distress
It was info about xina support
Oh yeah Ofc
@grave sparrow stop unpinning memes smh 
I unpinned that because it was out dated
because things changed between Amy’s theos PR and official support


@grave sparrow why did u join 3 days after my bday
Rejoin my bad
😯
I have a ss of ultra from 2018 but his nick has a word that may get me warned 

discord didn't care until like 2020
icraze ios
literally 1984
Fr someone sent me a video of a child getting blown up in 2018
lmfao
What did he do

FREAK
fr it was a Palestinian child I think
How’s that tweak you made
backupmator
Whatever it was called
they're overcompensating in the 2020s for what they didn't do last decade

Lmfao
You did
people had to make tags saying DONT USE THIS MF’S TWEAKS!!!
no warranty of any kind disclaimer etc
you asked for it
@brazen timber @primal perch @grave sparrow what do y’all get at McDonald’s
mcbitchin
i haven't had fast food in like 6 months
bruh I’m hungry but a big tasty may be too much but I’d still be hungry after a Big Mac
.
bell exists and is better
real
That’s the phone carrier
Nah that’s the people in #jailbreak not capt

member one
member pro
im still only level 93 despite being the 13th highest here
and i'm a white name
how tf do u get ultra
Level 93 
Who invited you here
fr 
i joined it myself
discord user stkc
yo wut
Joe
whats up
What have u been doing lately
touching grass actually
Bro you were porting kfd to 13 different jailbreaks
the subreddit's sidebar had the discord link
(That’s not an offset)

Or is it? I’m pretty sure it’s not
it’s not
how are mfs still on mojave in 2023
Why what r u using
the patchfinder for it doesn’t work lol
tryna enroll this shit in jamf but i cant cus they are on a 5 year old OS
iosurface one doesn’t at least
so i gotta update it

so ok i go and look at patchfinder64
Did u find it
no
oh
:tro
It’s ok we all have those days
@granite frigate you know what you reminded me of
what
one time we were walking in some place in France near some museum
and a bee stung my sister
wow damn you went to france
I’ve had someone ask why WhatsApp asks them to update, go to their app store and they have like 100 app updates available because they said they don’t like when things update
a bunch of people don't update their phone apps tbh
im sure if more people did companies would be faster to lock out older versions
and then i wouldn't be able to abuse their mobile apis as easily
90% do
bc it's automatic
if iOS version updates weren't automatic, 70% of people would still be on iOS 14 lol
lool tru
i still know one of my friends on ios 14 because he forgot to update
mfs are crazy
clearly he just wants to use taurine kfd
fr
nah he doesn’t know anything about jb
tihmstar kernel rw handoff is being funny
when mac updates arent default mfs are still on high sierra and mojave
my friend had a like a 128gb macbook that couldn't update because he had multiple installations of fortnite from 2017 on there
it was just chilling on yosemite

I know jamf machines that are in Mojave
*on mojave
Although you should update them anyway Mojave old as fuck
its probably possible but my work said not to bother trying if its <big sur
and i get paid to sit here watching the loading bar so whatever
Does it work on iOS 15.7.x?
I don't actually know, I'm currently on 15.7.1 and it gets stuck here
I guess ill try an older iOS version ( 15.4.1 )
I see
https://twitter.com/Little_34306/status/1696106159118401639?s=20
I'm now confused he got working jb on 15.7.3...
iPhone 6s 15.7.3
Thanks @wh1te4ever, I found offset.m by myself
My skill is really the issue, tbh 😅
Compiled it by yourself:
https://t.co/LrBi1HJq9D
@native gale
@steady nest im actually beyond confused right now, maybe you know more about whether it's 15.2 or 15.7.x?
yes I asked for permission to share the DM
cool but im confused
whether the usage of "iosurfaceclient kern r/w" is patched in 15.2 or 15.7.x
Is it possible to unsandbox a user app without having to install it to /Applications or /var/jb/Applications in rootless?
I tried numerous entitlements but I couldn’t get it working
you just need to read a plist file and call some code from dylib ctor
What plist file?
a) but is it there on arm64
b) explain 6s 15.7.3
sandbox extension, then you call consume from dylib
I don't know shit about entitlements
that 6s 15.7.3 is not real either way, or at least not from the code in the fork, as there are quite a few offsets left unchanged, and some functions are just plain broken (e.g. directly reading ucred and not reading proc_ro -> ucred on 15.2+ )
I'm sorry, what does apple adding a new iosurface vtable function have to do with primitives breaking
What
we clearly know 1) isn't there on arm64
yeah
and for 2) I'll have to check the actual handoff code
anyway
the technique described in weightbufs should work
how about tihmstar's desc_race_fun_public / odyssey14 leak thingy
yeah that gist is odyssey14 leak
If you’re talking about com.apple.security.app-sandbox, I believe I already tried that
yes
wasn't that like hardcoded in the kernel to deny tfp0 on later iOS
yeah but I remember sig saying it's possible
so I'd expect it to be hgsp4 or similar
and I also know giving a send right to a port is way easier
hum looks like it was from a kpp bypass perspective
hgsp4 has been dead since iOS 14.
patched in 16.something via PAC
looks like there's a check for a fake UC on 15.3
it's still possible to do with PPL bypass / on arm64
Wasn't that like 16.1
Yeah, arm64 will be possible
Just learn about page tables and do it via pmap->ttep like Dopamine
anyways smith wasn't patched until like 15.7.6 or something
I think we're talking about different "iosurfaceclient kern r/w" techniques here
You mean the weightbufs technique?
yeah but I don't get why you would want these beyond the initial exploit
they're slow af
like even slower than dopamine 1.0.*
they should only be used to construct better primitives tbh
@crisp frost what’s the plan
I believe the correct one was like no-container?
I’m not at home atm so I got this one from apple’s dev site lol
huh I took a look and it doesn't look that hard
pmap_map_in does all the magic
you just need gPhysBase and gPhysSize
Thanks I’ll check that when I get home
really well done opa
hum maybe use pmap->tte instead and gVirtBase no? since there's no phys prim
could also kcall ml_phys_write_data 
when restoring from IPSW is the hash of the file checked? When I try to restore from my custom IPSW I get an error. Sorry if this is a non-trivial question.
yes
@crisp frost https://twitter.com/Little_34306/status/1696165807410012261 lol
I don't until something breaks
I'm assuming theres no way to bypass that?
nope
no as in there is not or no as in no, there is?
no
ok
ty
wait then how
without custom software to exploit the vulnerabilities found, how is jailbreaking possible?
Make it then sell it for like $500 so he has to buy it to get it
true
it's actually amazing how funny mobile apis can be 
"meh it's running on an iphone, we can just trust all data here"
I love frida 

shut the fuck up
oh, okay. One more question, sorry:
Is the USB connection open? Can I bypass Finder's restrictions and just flash it directly?
You could do it with checkm8
bro 😭
But gl if you are asking these questions
fastest gir reaction
how did you even do that
the bot is just slow
I don't have a checkm8 compatible chip, or else I would've 😂
ok ty
about time
yet it responds whenever it sees the words "ios something jailbreak"
If I can flash the IPSW, I can just remove the SEP check files.
Look at the message chain
right?
Oh I replied to the wrong message
Yeah if you don’t have checkm8 you can’t do anything
lol
inferius is dead asf
why do you think its archived
and to think im only doing this to improve siri 💀
.
he said wrong chain
nah im tryna do it on a honepod 💀
Jaidan is incredibly based
buy oldBootrom
yeah i guess i didnt think ab that
anyways who wanna test python futurerestore
lemme rephrase
who wanna test python futurerestore with a device that doesn't support ios 16
!t sepbb
Currently you can restore to the following versions with the latest SEP, baseband, and U1 (if on A13 or newer non-SE iPhones) for your device: (someone correct this its still worded like the old tag is still here)
For restores on devices that support iOS 15 and Wi-Fi only iPads, you currently must use the latest beta version of FutureRestore, see /tag futurerestore for a link.
wait a minute why is checkm8 compatible with the t8004 and t8010 but not the t8006
arent they the same family of chip
and older and newer, respectively?
Inshallah I think I have blobs
Also @ashen birch did your bot stop saving betas given the beta API is deprecated
yes
Ah
Yeah, I know. But how can checkm8 work on a t8010 and not a t8006
isnt t8010 "newer"?
wouldnt it be patched?
It's not linear
T8010 is a mobile chip, T8004/T8006 are watch chips
Hmmmm
For phys write?
I wonder if that would fix the issue
We’ll need proper handoff first tho cc @crisp frost
Oh nvm I’m r
Well I think kcalling ml_phys with the existing Evelyn handoff may work
Idk this is a huge headache
I’ll look in a bit
@slender glade You need to implement physrw by doing address translation just like already done in kfd (would have to make a wrapper that for every single physical page contained in the read/write, uses the virtual one instead)
Alternatively (if just for handoff), you can also just read the entry from tte and pass that into phystokv, then you know where the corresponding entry points to in virtual address space
Convert ktophys to work in jbd since it won’t have the kfd struct there?
you only need this in the kfd process
inside jailbreakd once you gave it the page tables it can do physical r/w using those directly
But jbd is gonna be the one allocating the page
Oh
and you instead have to implement virt->phys translation
From the jbd side I presume
yes
Guessing it’ll just be a matter of converting the vtophys function
you can literally just copy most of dopamine's pplrw.m
Bet?
after you figured out handoff that is
There is Evelyn’s, just the kwritebuf issue but I think if I use the pplrw functions it’d be easily solved
yes...

but I encourage you to actually understand page tables before you start playing around with that
Bet
Wtf is this meant for
open IDA and find the string
having pagetable flashbacks lmao
any resources (besides dopamine) ?
Bro doesn’t know what heartbeats are
and what's it doing there
Oh
Alright, re-wrote handoffPPLPrimitives for kfd & all, guess i should try call it from the app into jbd w jbd's pid
yes
@unkempt magnet Did you have to do the pmap_map_in stuff for your jb?
no, it uses tihmstar's stuff
i mean books/pdf/presentations
fml
or did you literally just search through the 8000 pages from the arm manual 😭
@crisp frost can u look into this rn im bouta sleep
no
there is xnu source but that's about it
but page tables aren't rocket science
they're fairly simple
just the flags of entries can be confusing
they sure are
Fr
better to use https://github.com/ProcursusTeam/libkernrw instead
they sent that because it explains why hgsp4 is dead on 14
Shut the hell up capt
#sigma #sigmalife #batman #gotham #tomhardy #patrickbateman #literallyme #memes #meme #real #reels #ryangosling #basedmemes
Based Memes
funny memes but they’re on instagram so they suck automatically
hes sent those like 200 times

My bad, i didn't completely remove the palera1n stuff lmao
btw i can't change my name lmao
Someone is really fixing my stuff and also adding other iOS offsets