#development
corellium

you release it and i give it to you 13 seconds after
omg i cant unzip this shit
aaron could pull the money from his personal bank
aaron buying corellium with the twitter money
nuh uh
this mf wouldn't even kick my old account

(isnt an old acc)
proof?
give me nexus src and i might
release zefram and the 2024 lamborghini aventador without cutting corners is yours
zefram first broski
flex your mod perms
spam ban
spam :/
(i am immune to gir spam detectors)
mod role flexed
@grave sparrow give me contributor access to github.com/captinc/Zefram
for no reason whatsoever
just make me sign an nda, if i leak it i legally have to give you a car 
official windows insider anniversary wallpapers
no it isnt
good morning
gm
capts fat ass took all the spots 
Perfect he can refer me
capts fat ass took all the spots :trolley:
@pearl sail what did you say
That you and @grave sparrow are gay for each other
they are
i figured out how to get FLEXing working on jailed
idk how useful that would be tho since u cant really run tweaks
also it doesnt work on the lock screen/notification center
actually it may be able to and maybe i made an oopsie somewhere
wait what
u know
that thing where u hold on the status bar and u can see the views on the screen
There is already a way to load flex via a dylib in jailed ipas.
no
this works on the springboard
and in every app without needing to sideload that app
that's still pretty cool though
i didnt make it fully i just figured out how to dump the views on screen
and plus i already figured out how to overlay views on the springboard
so in theory someone can recreate it or it might not be that hard to port possibly
just tried on rootful, same issue
you're not gonna say it 
sorry I just remembered that convo and found it too funny lol
the 2 other dickriders too saying "make something better"
Froggy did it so I don't need to
oh
how jailbreak ios 17 iphone 13 pro max

scoop
just tried google and gta car tracker, looks like every app is crashing
gm nicraze
Gm
the three horsemen of swiftui slander active in #dev
balance has been restored

fr
I was spelling the last part of shep's word

@grave sparrow shep has been using php.
partially
i like money tho
should've just quit imo 
true
that's reason enough to quit
ok fr
glad we can expect to be held accountable for such actions

python would be acceptable too depending on context
even substantial though
if i had to write a web backend itd be python
isn't swift also technically in the C family

mk
facts
they removed ++ and --
like its actually just flat out good
fake ass language
they keep speeding it up with each update too
3.11 was like 25-40% faster than 3.10 on avg and 3.12 is 5% faster on avg
Faster cpython project
like at this point im convinced apps could be run smoothly in python
swiftUI is probably worse
yeah legit
python+uikit bindings would be smoother than native swift+swiftui
syntax is also not regarded
php not use $ or ? challenge
I don't understand why people hate python's indentation so much
Like just write good code
its dumb but
And it's never a problem
js devs use actual functions challenge
fr
(they think => () is nice syntax)
javascript itself has very good overhead on modern JIT compilers
but, >js
when packaged with the DOM though it becomes dogshit
in terms of memory and performance
nah
v8 is good too
not sure how good firefox's js engine is but its behind v8
also true
my first car was a v8
timing belt died within a year though 
skill issue
(its () => {})
Shut up
honestly yeah

i just added all the C and C++ post/prefix unary operators myself 
JS's syntax is nice for those arrow functions though
really?
well realistically it's either python or js
wasm
honestly I only use () => {} because function () {} is long
if it was like func it would be nice
tea
yea
typescript is ok
and plain js to be fair its just very lazy with typing so it requires strict development otherwise it quickly falls into gross paradigms
like returning a variable with different types depending on conditions in the same function

mfs do that
vanilla js is too lax
ts is too much work to set up, js with jsdocs and vscode set to type check it is great, but also a bit of work compared to just using a compiled language
Capital punishment
honestly maybe ive never even used it lmfao
although python is the same so
method overloading
i cant really use that as leverage
lemme just return this const char* on a float type 
I would say it's nice for quick projects
even if you add types to the function?
maybe? i thought it was just hinting
idk if it errors or if they're just hints
not enforced
python with strong typing would be basically perfect
real
just return everything as void*
cursed
how and why
I hate it
you can kind of enforce it
if you annotate everything, you can have something checking the return values vs the annotations
match case is also nice
@ashen birch why is asn1 parsing so incredibly stupid
Python being actually good?
icream name leak
Please return to #jailbreak you pink name
@hasty ruin Hey, got a moment?
Struggling to flash my ipa onto Corellium, I fakesigned it with ldid but now I get this:
Failed to install app from opal.ipa: Code signature verification failed (No code signature found.)
It's decrypted
No idea tbh, I haven't used corellium in 3 years
I uploaded it as a .zip to /Applications because corellium doesnt let you upload folders
How can I unzip it? I tried unzip name.zip but it didnt work
What folder
Opal.app folder
I put it into a zip
and put it into /Applications
someone told me to put it there and uicache it
but im struggling to unzip it
ntrol
pyimg4 semi-does
and also agreed asn1 sucks
too bad it'll never be a real img4 parser bc it's not 'proper' like img4lib is 
what is the latest crash log tool
i dont think cr4shed works anymore??
and how to make my tweaks support rootless
@ashen birch u must know this fr
[[crashcop]]
wtf
how do i include images in a theos app with makefile?
[desired_bundleid]_INSTALL_PATH = /Library/Application Support/
include $(THEOS)/makefiles/bundle.mk
i guess 
place stuff in folder called Resources in root
bundle?
[[FlexAll]]
Load FLEX loader dynamically.
just creates a folder at the given path more or less
the app is crashing on launch and i cant figure out why ae
specifying rootless packaging scheme translates that to /var/jb/Library btw so

bruh
it crashes on palera1n devices
wait a minute is it because its an ios 16 device and im using ios 15 sdk
good morning
can you spoof iPhone location without jb?
no
hbd!
bro i've literally never gotten into tweak dev
and haven't even messed with proc stuff in over a year tro
@vivid dew happy birthday big man!!!!
This can be a help: https://github.com/NightwindDev/Tweak-Tutorial/blob/main/p10_rootless.md
why could I not find this /var/jb folder and only /private/preboot/jb-randomnumbers/
are you on palera1n or another rootless jb
dopamine
uhh it should be there then
Regardless from what I understand /var/jb/ is just a symlink to that folder so it doesn't really matter
I got my tweak mostly working with ROOT_PATH_NS and some other changes but that folder was nowhere to be found
ah ok
also make sure you're compiling with a mac if you have one, and with Xcode 12 tool chain or above
Just some other prefs shit that has to be changed now, and commands that need to be switched
Yeah I had to get Xcode 14.3.1 cuz 15 wasn't working
weird
It would complain about the platform being null in some private framework tbd's
Oh yeah that
Which it was, but had no idea how to fix so I just downloaded 14 
that's cuz they (Apple) changed iphoneos to ios for some reason
which broke everything
not exactly sure, I use Xcode 13 myself
oh one more thing
you have a flex loader installed, right? just to make sure
if not I can tell you where to get it
u mean like flex on device?
yea
I downloaded poomsmart's version for rootless
didnât find any others that supported
yeah it's only that one that seems to work
And for some reason sileo wouldn't load packages from nscake or dgh0st's repo
Not sure if that's bc it checks for rootless supported packages
is there a DPKGArchitectures error
If so, yes you're right, it's because those repos don't work on rootless
ah ok thanks
I was using xina before this, only switched last night to dopamine
that phone been off for months
yeah it's quite a transition lol
Now I feel like back in 2019 where I had no idea how to do anything
oh yeah haven't you not 'tweak devved' for a long time now as well
I just realized that
yeah it's been a long time
someone put a tweak bounty out for Akara to be updated so I thought why not
cool what'd u make
[[Jade]]
worked with Timeloop (his design, my code) and I developed the tweak itself
Ahh yeah reminded me of that
yeah the timing was very unfortunate
RIP LQ
hey I mean at least his legacy lives on in a way
"This course is hard. Like, really hard. Even if you've done all these things before, there is so much brain power to get through these exercises. Make sure you're practicing self-care by giving yourself the mental space necessary to learn these concepts." I'm in for a treat
gets to live a second life
haha
I worked on it far before those news, couldn't've predicted it even if I wanted to
so sad
Some of these animations in Akara are horrible
show us the first sneak peek into akara rootless
@radiant idol are u making use of the cc or fully replacing it
still hurts to think about it
replacing it because my goodness the stock cc's class structure is annoying to use
my condolences :(
looks good lol
yeah I uh modify the existing design
it's hell
make sure to check if the focus module is working
Computer science is necessary for reverse engineering iOS right?
that one is a pain in the rear end
I think iirc Linus was/is a cs student
thanking myself for adding comments to shit bc there's a few hooks to fix the cc's normal behavior
it would help A LOT but I guess it's not necessary
Hmmm I'll have to check, but it should work as the backend of the cc should be the same
But I might have to take it out of support for the smaller buttons lol
yeah
that shit will not fit in there I think
yeah that's possible too
harder when you're modifying the original cc tho
Interesting, I may take a dive into here https://btholt.github.io/complete-intro-to-computer-science/
thereâs one slight issue with the original cc, when closing the cc
good luck
what is it
For a small second the border of one of the views stays behind
And then closes
Lemme see if I have a video of it
wait I think ik what you're talking about
i have the same issue, possibly
(if we're having the same issue, that is)
what's your issue 
well I mitigated it by fading out when the cc is closing, but on the last frame of the cc closing, the menu just jumps up to the very top before disappearing
it's supposed to animate going down
it does that, but then at the very end just jumps up
Oh yeah I think I've had that too
any fixes?
if I remember
and if I uh commented on it in my code possibly
lmao oke
I'll hit u up when I get home from gym, then I can look
might have to do with some of the cc hooks
I love banging my head into the wall that is "kfd for M1 14.x"
lmfao
like somehow the way kfd is normally setup runs out of memory on it... despite this device having the most amount of memory an iOS device has ever had
and then when you reduce that kfd starts having extreme amounts of pain and suffering
(thanks opa for at least helping me get farther than where it was at but this is still the most annoying thing in existence)
Does someone know how to compile a build of dopamine? Do i need to do some extra steps as dopamine use extra entitlements?
4141414141414141
Couldn't you give taurine those entitlements that give you more memory
Or whatever
Have you tried that
@lapis vessel hi could u update the latest version of libimagepicker on github
not sure if the one on havoc has rootless support
(it does, at least according to Sileo)
the version on havoc is just a deb that @fading cave sent me actually haha, he might be able to make a PR for me to merge
ahh ok
classic dave
libimagepicker mfs who ever's gonna use it on their rootless tweaks:
Put the dylib from either Muirey's github (if its updated by the time u read this) or from your device on Havoc in $THEOS/lib/iphone/rootless/
I would except I'm currently banging my head into the wall of "14.x M1 kfd"
because guess who decided to buy a 2TB M1 iPad Pro for $900 (brand new)
Lol
thanks microcenter
Why does KFD not work
Increase the number of pages by a lot
To compensate for the extra RAM
rootless palera1n seems to work fine
anything specific you're looking for?
Not really
Do you have BioProtect
If not it's fine
@velvet path Is kfd just slow or is it broken?
so issue 1 is that for some unknown reason M1 14.x only lets us have 4096 IOSurfaces (for reference: it normally has 16384) - this craters success rate by at least 75%
issue 2 is that we need to increase the pages a fuck ton - both to account for increased RAM and also to mitigate the success rate penalty introduced to solve the first issue
how many pages do we need? 131k pages... which both results in over 4GB of RAM usage and an over 3 minute exploitation time
how do you tell it not to use this shit codepath on non-M1
Wdym?
Like this was predictable
more RAM = slow data exploits
that's how PUAF works
I wonder how it is on 16, since there's vm swap enabled
problem here is trying to do 131k pages on other devices will likely fail miserably
and also, due to the weird M1 14.x quirk, we're facing an over 75% exploit success rate penalty (for equivalent page counts) compared to if we don't do that
Add M1 checks then
Sorry if this is dumb but why is there files like DriverKit.c and DriverKit.h where DriverKit.h includes DriverKit.c is this just for convenience?
Like why is it all not in one is what I'm trying to ask
That makes sense, thank you.
you reimplemented the changes you lost?
also why the alt lol, I don't feel confident installing some random deb that some random account sent lol
Yes
I deleted my main
I also put them on twitter
If you trust that more
ok so update:
opa kfd app
- 131k pages worked 100% of the time
- 65.5k pages worked 0% of the time
Taurine app
- smith consistently panics
- physpuppet consistently is just stuck
(compiled with Xcode 14.2 on macOS 12.7)
Compile Taurine with it?
yes I compiled Taurine with the applicable changes
I need to inject FLEX on a Mac, I am running an iOS app via catalyst and I want to dig around in it. Please don't suggest "just use your phone" - I wouldn't be fucking with this if I didn't need to. Is there like a pre-made dylib that I can inject into an app and have FLEX be displayed? I already tried FLEXing but it didn't do anything. Does anyone know anything?
inject these into the ipa with sideloadly or whatever
ballin
@naive kraken Do Enterprise-signed IPAs not work with Dopamine and AppSync because you don't hook amfid/installd or what?
I'm confused
Done, but doesn't seem to be doing anything unfortunately, app just opens
im trying to do something with the chatgpt app 
https://f.igerman.cc/u/Ed8g2g.jpg but it just opens
not doing anything wrong am i?
looks right
your main still shows as deactivated though, not as "deleted user #69420" lol
No they don't work because Dopamine does not add non adhoc signed binaries to trustcache by design
Well it's gonna take 2 more weeks for that
Yeah okay
Not fixable right?
not really
Yeah it makes sense on second thought
you can add those to trustcache and that would work
but then app store apps and whatever else would also be added to trustcache
and that can cause unwanted side effects
there was an entire presentation at 0x41con where someone used frida to debug an app crash
the hider of root is gonna cry when his 600 app store apps get added to tc
lol true
and the whole conclusion was it happened because NSPredicate behaves differently when the app has platformization
yeah it was an attempt to mitigate recent NSPredicate exploits while not affecting apps too much
no, less stuff
some apps do
Weird
although it's a local check that consists of the framework running csops on the app itself
so the person that did the presentation was able to patch that to fix it
that's what I meant though lol
The problem is since iOS 15 you cannot run unsigned apps without platformization anymore because the only method left for bypassing code signing is the trustcache
CoreTrust bugs do allow this however
opa for how long are you reading or reverse engineering Apple's OSes? To know all this information
Potentially is there any way to, like, include missing frameworks (iOS 16+ stuff like RegexBuilder and AppIntents) into an app that doesn't support anything lower?
I mean, all the reversing I did before 2022 was just to get my tweaks to work
it was only 2022 where I actually got into kernel stuff
also kernel has source code for a lot of stuff
Where? On apples website ?
Which is decompiled? I don't think it's opensource :p
What.. It IS opensource
@tepid olive ellekit build seems fine so far but I also don't have a lot of tweaks installed
Yeah legally they cannot close source the kernel
Hm
Why does it take ages to look into the source of the kernel? Pages load soo slow
yeah that's it
i always ask cyp*n to test
these idiots have like 100 tweaks
well at least it didn't break crane
Yeah I have that on my test device
inb4 someone complains of a broken crane
I was getting rusty with arm64 asm and forgot that branches need to get the instruction offset added when rebinding
@naive kraken how did you start learning C & other programming languages that you use?
school
and well assembly I avoided by using decomp
only during my cellebrite internship I re-learned how to write assembly
So assembly is not really a must to be able to find some exploits?
tfw i learned assembly by making ellekit
by writing an assembler....
not at all
but it is good to know
you really only need it when the decomp fucks up
And how DO you find exploits? For example you know C, then what? Where do you look for an exploit? Could it be literally anywhere in the kernel source? Or are there certain maps where you'd have a higher chance on finding an exploit.
I never found an exploit
Oh okay, you used an exploit I guess.
and even if I did, no one would know 
Used CoreTrust exploit for TrollStore
Well essentially you are looking for code bugs
the most exploit related thing I did was replace oobPCI with kfd in Dopamine
For the rest I just used exploits that were already public
That may or may not be exploited for memory leaks
It is not a very glamorous job
It is tedious
Hm
Can I see what you've changed? I cannot see it on GitHub.
the private techniques are interesting
Oh it's private... Okay nvm
no it's public
I don't have a job in that profession so I can't spill anything
I replaced the private techniques with the ones from Fugu15_Rootful
But evelyne has access to the original ones which I guess she was referring to
lol
Coolstar has different exploits right?
Which was supposed to be used in Cheyote
no there weren't any PAC or PPL bypasses for cheyote
1984 pac brute force
CoolStar should have considered hardware breakpoint hooking.......
6 per process is fineeeee
naah
At the time it would have been cool
So CoolStar would've been using fugu15 too?
also it breaks a lot of apps and stuff like that
no just mcbc
mhm
What's mcbc?
15.0 - 15.1.1 do not need PAC/PPL bypasses to jailbreak
well....
multicast_bytecopy
page signing
Oh I remember that one, also used in TS or something with nonce setter.
I figured that out btw
you can mmap an executable segment of a dylib over any address you want
the magic is you have to use fcntl right before to load the code signature and you have to map the entire segment in
If you don't do either of those things, it will cause the page to be mapped as non execute
Do you have a poc of that
you essentially need to reimplement what dyld does
yeah but essentially you have to make a dylib with custom segments and stuff like that which I don't have anything for
Omw to make a JIT compiler that signs pages with a dev cert on the fly
You just need a fast wifi 
Sounds crazy
well it is being done in Taurines oldABI solution
I kinda wanna make sure at some point that even page signing still causes spinlocks
sign a dylib that has a modified executable segment of like libobjc in it and then map it on top of the original one
or something like that
spinlocks can be fixed most likely by wiring down the original page using krw before mapping on top of it btw I just haven't been able to figure out how to find the correct vm_page struct in kmem yet
because dsc vm map is fucked somehow
I don't think that's open source
@naive kraken
It's vm_remap and mmap
lord
that's iOS 14 though I'm fairly sure that doesn't work on 15
again there is strong boundary and code signature checks in mmap now
you can't partially map an executable segment
no
Since Cheyote exists
A guy on twitter posted that ellekit 1.1 safe modes and in his account I saw he retweeted this
Come on discord
twitter links don't embed
you have to use fx
also that link doesn't even load
it does for me
K buddies whats the new way of showing an alert after respring 
i see the springboard lockstate notif doesnt work anymore on ios 15
@hasty ruin
@hasty ruin
Like how nexus does it, also might want to work something out with them about the like 2 tweaks doing an alert respring loop bug
@naive kraken how did you go from making tweaks to learning jailbreak dev? any particular resources you used or..? i feel like there's a pretty big gap between those 2 things
a modern jailbreak is just a system wide tweak and a daemon that can run stuff with kernel primitives for it, Crane is more similar to a jailbreak than you might think actually
having to go from bypassing whatever mitigations to getting tweak injection is not really a common topic, there isn't much documentation on it other than viewing past jailbreak source code
nobody feels like documenting on it either so its just gonna stay like that
you gotta figure it out on your own

- bypass dyld checks
- hook posix_spawn in launchd to add DYLD_INSERT_LIBRARIES to every process spawned from it - in that library hook posix_spawn again to do the same thing
- dlopen a tweak loader
- profit
at least if you didn't have to add everything to TrustCache as well to bypass codesigning
is that an issue with dopamine given you have the coretrust bug
CoreTrust bug doesn't allow tweak injection though
stuff signed with it cannot inject into system processes
only trustcached shit can
oh i see
and for writing to trustcache you need a PPL bypass
That is what Linus bypassed right?
I wish I looked into this sooner I feel like I'm too old to start learning now
Indeed Fugu15 has a PPL bypass
Yeah I've spent most of the day looking through the code, pretty fucking crazy to be honest
^
@naive kraken Always wondered, can you platformize by setting the trustlevel to 7 in the vnode?
trustlevel and platformization are two different things
I don't know, I tried messing with the trust level before but it didn't do what I wanted it to do
so I'm unsure where this check is even enforced
So the vnode has a platformization field? Where is TF_PLATFORM inherited from (unless its checked on every process launch)
Yeah I think it's from vnode
is this how you do this ?
no quotes?
@radiant idol ?^
and yes the VM can ssh into the device
no quotes
make do THEOS_DEVICE_IP=192.168.1.124
uhh how do i specify a user in it
It just uses root
nope
do i need to enable root login?
how tho
where ssh config

welp
how do i restart open ssh?
killall sshd doesnt work
or systemctl
nvm
needed sudo
@radiant idol will it auto respring?
depends
add INSTALL_TARGET_PROCESSES = SpringBoard to the makefile and it will respring
depends if you're targeting springboard or another app tho
what is muis
just Music
Music**
oh
music
no, it does
you dont need DEBUG=0 if you have finalpackage enabled
bc it does music and SB stuff
i haven't seen this channel in days
remove the second line
and change Music to Music SpringBoard
hi jez
yep
days i mean years
What could cause this to happen:
```
While building module 'std' imported from /Users/jalilfaquiri/theos/sdks/iPhoneOS14.0.sdk/System/Library/Frameworks/CoreFoundation.framework/Headers/CoreFoundation.h:19:
In file included from <module-includes>:2:
/Users/jalilfaquiri/theos/toolchain/MyToolchain.xctoolchain/usr/bin/../include/c++/v1/ctype.h:38:15: fatal error: could not build module 'Darwin'
#include_next <ctype.h>
```
shitty sdk
shit tc i think
or sdk idk
one of them

no
@radiant idol how do i make it so i dont have to type my login every time
i have no other way to make tweaks unless i steal my brothers iphone x
.
that i bought 6 years ago in year 7
or just go through https://iphonedev.wiki/SSH_Over_USB
wtf
that page changed so much
fr
like this ?
yes
nice ip
its a local one
moyai
no you fucked it up
oh
do it again, but don't run the second one until the first is finished
for the file name one does it matter what i put?
leave it blank
?
run the ssh-copy-id command like before
on my phone or mac?
mac
whos that?
my bro
cryptic? capt? hydrate?
@grave sparrow
also i didnt run the ssh-copy-id on the mac itself i did it thru ssh, would that change anything?
(its a mac VM btw)
just get like an old cheap iphone 6 or 7 or smth
Anyone here that got hikari to work with building rootless tweaks on iOS 15 for arm64e?
@hasty ruin
i don't use hikari on rootless
dont you do obfuscation
lol ok
Mild understatement
you write swiftui
there is nothing more cursed than that
nope
i can confirm
how long did it take until your decomp crashed
like 4 minutes

this has the side effect of obfuscating your source code though
fr
swift symbols
rust syntax
its really not bad
i mean maybe the go button is a little too green
but other than that its literally just a normal windows program
i dont expect anything more for a jailbreaking tool
FR
@radiant idol would this work? (changing the alpha thing: maxValueImageView.alpha = 0.45; minValueImageView.alpha = 0.45;)
```objc
// Pull the private ivars out of the control's visual element (MSHookIvar needs substrate.h)
UIView *visualElement = MSHookIvar<UIView *>(self, "_visualElement");
UIView *minValueImageView = MSHookIvar<UIView *>(visualElement, "_minValueImageView");
UIView *maxValueImageView = MSHookIvar<UIView *>(visualElement, "_maxValueImageView");
// options: is a UIViewAnimationOptions bitmask, not a pointer, so pass 0 rather than nil
[UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:0.7 initialSpringVelocity:0.2 options:0 animations:^{
    // squash both value images vertically and dim them while the element itself grows
    minValueImageView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.0, 0.7);
    maxValueImageView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.0, 0.7);
    maxValueImageView.alpha = 0.45;
    minValueImageView.alpha = 0.45;
    visualElement.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.0, 1.5);
} completion:nil];
} // end of the hooked method (its opening line is not part of the snippet)
```
edit the float in memory 
me no know how
but how can i like change the color of it
its an image
can i add like a filter or something like in css
Anyone have an explanation for this ? (skip to 00:12)
```objc
// Pull the private ivars out of the control's visual element (MSHookIvar needs substrate.h)
UIView *visualElement = MSHookIvar<UIView *>(self, "_visualElement");
UIView *m = MSHookIvar<UIView *>(visualElement, "_minValueImageView");
UIView *t = MSHookIvar<UIView *>(visualElement, "_maxValueImageView");
self.tintColor = nil;
visualElement.backgroundColor = [[UIColor whiteColor] colorWithAlphaComponent:0];
// options: is a UIViewAnimationOptions bitmask, not a pointer, so pass 0 rather than nil
[UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:0.7 initialSpringVelocity:0.2 options:0 animations:^{
    // m.hidden = YES;
    // t.hidden = YES;
    m.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.0, 0.7);
    t.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.0, 0.7);
    visualElement.backgroundColor = [[UIColor whiteColor] colorWithAlphaComponent:0];
    // retint the template images white; the element itself keeps the inherited tint
    UIColor *whiteColor = [UIColor whiteColor];
    t.tintColor = whiteColor;
    m.tintColor = whiteColor;
    visualElement.tintColor = nil;
    visualElement.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.0, 1.5);
} completion:nil];
} // end of the hooked method (its opening line is not part of the snippet)
```
I think I still have the version on my laptop, I can send it to you or @lapis vessel if it is still needed?
Could u do a merge request on the GitHub so it gets updated there
its for some reason one of the more popular ones so i tried to clean it up a bit
n then sig introduced me to the wonder of inetcat
yeah I had a brief look at it last night
looks good
rip iphonetunnel
why cant i compile 
```
make[2]: *** [/Users/brurmonemt/test/.theos/obj/iphone_simulator/debug/Test.dylib] Error 1
rm /Users/brurmonemt/test/.theos/obj/iphone_simulator/debug/Test.dylib.9f8f30ac.unsigned
make[1]: *** [internal-library-all_] Error 2
make: *** [test.all.tweak.variables] Error 2
```
mike finish your sentence
@plain python sorry for the ping, but do you happen to know how Taurine selects the number of pages that kfd uses (does it use the max pages that are defined within kfd itself, or is there a thing somewhere that tells it to use a specific number of pages?)
Reason is that I'm currently trying to compile Taurine with the relevant changes that were made that allow opa's kfd app to work on M1 14.x, which requires both:
- reducing the number of IOSurfaces created from 16384 to 4096 (change already made)
- increasing the number of pages from 2048 to 131072 (I've changed the max number of pages, but can't find if Taurine just uses the max number of pages or uses a specific number - opa's kfd app just defaulted to the 2048 option for instance but had a toggle in-app)
And right now, Taurine still doesn't work when compiled with those changes (smith panics, physpuppet just leads to a hang of sorts), so this is the only potential lead I have
the first 0x800 is the number of pages
I love Xcode
apparently my Apple ID got revoked or something
just use a diff one
is the reduction from 16384 really necessary, doesn't that hinder success rate
yes and yes - that's why we need 131072 pages
this appears in logs, and trying to go over 4096 throws some iokit out of memory error or something like that
how does that not happen for iphones though
oh and did I mention that increasing the number of pages to 131072 also increases:
- RAM usage to over 4GB
- exploitation time to around 2-3 minutes
hello developers
ok new problem: exploit now succeeds but post-exploit fucking dies
wonderful
how amazing
so it's dying on amfi
any devs that can help with an extremely rudimentary question
is the run action in xcode release or debug
debug
how do I build for release in a way that actually wants to install
does using command k then making the .app to .ipa work
i have a metapackage that installs multiple tweaks; is it possible to make this metapackage edit the preferences for these tweaks prior to respring or can the preferences only be changed manually through settings.app?
postinst can edit the plist files of the tweaks? not sure
exactly what i was thinking, but how exactly would i make postinst edit those files
@velvet path In the Taurine scheme, you can build for release
well I just left home and won't be back for a few hours so
can i use defaults like on macos?
rename the default plist and copy over an edited one you want bundled with your metapackage
idk thats prolly a bad idea
if the defaults command works on ios then there's the solution
or plutil
does it have to be a real one or does segfaulting springboard count

A real one
ok defaults works
```
___CFNotificationCenterGetDistributedCenter_block_invoke
__text:0000000180432C98
__text:0000000180432C98 var_s0 = 0
__text:0000000180432C98
__text:0000000180432C98 PACIBSP
__text:0000000180432C9C STP X29, X30, [SP,#-0x10+var_s0]!
__text:0000000180432CA0 MOV X29, SP
__text:0000000180432CA4 ADRL X8, _kCFAllocatorSystemDefault
__text:0000000180432CAC LDR X0, [X8] ; ___kCFAllocatorSystemDefault
__text:0000000180432CB0 ADRL X1, __kCFXNotificationConfigurationStandardDistributedConfiguration
__text:0000000180432CB8 BL __CFXNotificationCenterCreate
__text:0000000180432CBC ADRP X8, #___hostCenter@PAGE
__text:0000000180432CC0 STR X0, [X8,#___hostCenter@PAGEOFF]
__text:0000000180432CC4 LDP X29, X30, [SP+var_s0],#0x10
__text:0000000180432CC8 RETAB
```
@tepid olive
+36 is 0x0000000180432CBC
so hooking __CFXNotificationCenterCreate is probably what's broken
I don't see anything bad in that function however
__text:000000018040D8C4 __CFXNotificationCenterCreate ; CODE XREF: ___CFNotificationCenterGetLocalCenter_block_invoke+20↑p
__text:000000018040D8C4 ; ___CFNotificationCenterGetDistributedCenter_block_invoke+20↑p ...
__text:000000018040D8C4
__text:000000018040D8C4 var_60 = -0x60
__text:000000018040D8C4 var_58 = -0x58
__text:000000018040D8C4 var_50 = -0x50
__text:000000018040D8C4 var_40 = -0x40
__text:000000018040D8C4 var_38 = -0x38
__text:000000018040D8C4 var_30 = -0x30
__text:000000018040D8C4 var_20 = -0x20
__text:000000018040D8C4 var_10 = -0x10
__text:000000018040D8C4 var_s0 = 0
__text:000000018040D8C4
__text:000000018040D8C4 PACIBSP
__text:000000018040D8C8 SUB SP, SP, #0x70
__text:000000018040D8CC STP X24, X23, [SP,#0x60+var_30]
__text:000000018040D8D0 STP X22, X21, [SP,#0x60+var_20]
__text:000000018040D8D4 STP X20, X19, [SP,#0x60+var_10]
__text:000000018040D8D8 STP X29, X30, [SP,#0x60+var_s0]
__text:000000018040D8DC ADD X29, SP, #0x60
__text:000000018040D8E0 MOV X20, X1
__text:000000018040D8E4 MOV X19, X0
yeah wtf
Impossible @sacred orbit
Not without a PPL bypass
@naive kraken Without many tweaks, this is the log
A bad syscall it seems
wtf
Genuinely no idea now
Does EXC_CRASH (SIGSEGV) point to a segmentation fault?
So something tried to access a memory location but was denied access?
Or am I on the completely wrong page
is there any way to include additional files in a deb package that i can move to the correct location with postinst
i still wonder if replacing dyld shared cache is possible, i even found the value i was searching for, replaced the file with it with mdc with the changed value (the value deals with springboard) and tried to respring. but it was expected that a respring won't work. so im wondering how i can "reload" springboard or anything that will trigger the reload.
evelyn told me that a userspace reboot should work but how
that is evelyn
Does anyone know if hypothetically someone wanted to enable some of the InternalUI stuff on ios 14, what additional changes need to be made as well as the ones required on ios 13?
It seems like adding the Internal keys to the SystemVersion.plist isn't enough on ios 14 for anything to happen
it is not gonna work
Correcting myself
Idk why I said that
The cache is never reloaded until reboot, unless you somehow get the vm system to reload it with krw
@naive kraken Maybe you know something about that
@naive kraken It's Choicy
LMAO
Just disabling a tweak safe modes
wtf
yeah it works for me too
Just found a Choicy bug ig...
Let's see if anyone hooks CFX
@naive kraken No tweak hooks it
Unless it's obfuscated
this is complete nonsense....
What lang?
I need help with my code
@cinder pivot I fuck with your nickname
I just need to decompile it and make it to a dylib
U got a Mac book tho
You need to decompile a code?
I need help really bad
How
I don't have a MacBook
It's for iOS
That's why
@cedar stag @pearl sail so can y'all help
Don't have my mac rn
Sorry mate I'm not near mine
@tepid olive i think i have a sb crash for u
in analytics and improvement it says springboardd
@ me if u want me to dm crash log thing
also i have a lot of jetsamEvent crashes ig
please
Hello guys is it a good idea to buy a 13 Pro on 15.6.1 I know it has no bugs atm but are there any exploits for this specific version?
I'm asking here because the devs probably know better about the exploits/bugs (sorry not sorry)
it has KFD and MDC but idk about the next coretrust bug
But I could update to iOS 17.0 which has the bug right? With delay ota
it does have the coretrust bug, however it doesn't have KFD
it does have new MDC but i don't know if we can use it for a new trollstore
So what would you do on 15.6.1
i spent a while trying to figure out why it crashed on launch just to realize i was compiling for arm64e instead of arm64 
and then i used the wrong build command and kept using the old build with the wrong arch so it was still crashing
Theos? If yes just define ARCHS= arm64 arm64e in the makefile.