#development
Well TrollStore is almost guaranteed
We know that the new CoreTrust bug is just as powerful as the old one
But there is no install method as of yet for any version non-kfd
Except for checkm8-supported devices
for iOS 17 jb? all of them obviously, what kind of question is that lol
no kernel exploit, no pac bypass, no ppl bypass, no sptm bypass
on 17
I mean there are some exploits that you don't need anymore because you already have them right?
There is a patched PPL bypass
My English is bad, what I meant is what else you need at this point, other than the exploits you already got
on 17.0 - 17.0.3
but that's not usable without a PAC bypass (and a kernel exploit before that obviously)
PPL bypass is the only there's available? Of all those things u mentioned?
Sounds like I'm going to stick to 15.4.1 then, and be happy with Dopamine. Thanks for the reply ❤️
I'm good at ruining things
nothing is available
PPL bypass was patched, and we know what the bug was, but it doesn't matter as it cannot be exploited without a PAC bypass
Which will also need a kernel exploit anyways
Even if everything is found, there is a time lag due to development before jailbreak is possible.
For 15.4.1...6 months?
sigh atleast im on 16.2 
maybe some new dev will drop a pac bypass randomly
or some super secret exploit
lmao
hacker hacks into government pc and leaks all expl01ts they have to the public
im from the 3ds exploit days where someone leaked the encryption keys on to pastebin
hey atleast it was not 4chan
Fugu15 released on Halloween, Dopamine released in March I think? So yes, 5-6 months even after we had all the exploits and a developer jailbreak.
@naive kraken are you aware of a issue where the network icon always looks like its searching, but there's no SIM in the device, and jailbreak triggers this but I'm not 100% sure, it's just a guess, I reset my device today and the icon was flat, but after JB it's always looking for some signal even though there's no SIM in my device.
We won't ever get a Fugu16 now that Linus works at Apple
maybe linus will hate his job and quit
lol
sorry for late response, it's because i'm not exactly sure if my bios is compromised because i believe that somehow i got compromised and i don't know if it jumped to my bios and the way i'll see is by just reflashing externally lol
more likely: police pc gets hacked, leaks all of pegasus
no clue
Hm
Actually I have the same issue on one test device that doesn't have a sim card
but I never connected it to being caused by dopamine
Try to reset the device if you have time, but it's a minor problem, but can cause battery problems since it's trying to look for a network or something 
Not really how Mac BIOSes work
i do
you can't just flash the fd
you need to add the serial and stuff
Bios can only be "modified" with an Apple signed image tr
external programmer:
So unless Apple private keys leaked I doubt your bios is compromised
intel mba2015 13in (macbookair7,2)
no T2
Once it's on the system it doesn't care
macOS just validates it before deploying the image
i was on linux at time of compromise
and /dev/mtd was exposed to userspace
or at least flashrom
Only macOS efi can unlock the rom for flashing
y'all, quick question
what version did apple break support for the old abi? I thought it was iOS 15 but it seems like taurine needs old abi fixes for it to work
Tl;Dr: gets okay from macOS, stashes ok data, stores image to be flashed on next boot, efi validates this "ok data" and then agrees to flash the system rom
mtd was writable
I'm making an article thing on it rn so thats why
I can assure you it wasn't
it's mapped into memory lol
spi_nor and mtd modules get autoloaded
It always thinks it's writable but any I/O going into it goes nowhere
Source: I own an MBA7,2
if you're so sure about that go cat /dev/random > /dev/mtd0 and tell me if it's bricked
/j obviously
i wish pc bios had this protection
hmmmm do you think i could desolder the spi bios chip on a pc mobo and intercept the rx pin?
how experienced are you with bga rework
do you have hot air
oh wait its a SOP8 package it looks like
might be doable
what would you do after desoldering it
ok I think its 14.5
immediately solder wires to float it above the surface, and then intercept the rx pin such that i have to do a physical irl action to connect it
either that or vcc to wp
just solder the wire to the pin you want instead of desoldering the entire thing"
yeah but i need to break contact or i'll send vcc to whatever is supposed to be sending voltage to wp
and that thing might not be made for sinking voltage
this will work a lot better in your head than it will irl
not surprising
do you suggest anything else for retrofitting hardware write protection onto a bios chip
actually you can use kapton tape to cover the pad you dont want soldered
that should work actually
except it's already soldered on
so unless i go to the factory and sneak kapton tape in there
and intentionally sabotage my own motherboard
yeah like desolder it
and then wick all the solder off the pads
and then you can kapton tape the pads you dont want soldered, and then solder the rest
if youre sure thats what you need connection wise
yeah but if i legitimately want to update my bios, i would need to go through a lot of effort to enable it again
idk what youre doing
tldr: it is TOO EASY for some userspace process who has escalated to root to just install a firmware backdoor by flashromming, i want to make it much harder
something like the old bios protect jumpers works
if you know you have the right pins then just install this thing called a switch
and pray the added impedance doesnt mess up the signals
what if it fails closed lmao
wdym
also an issue
what if for some reason it stays stuck closed
youre worried the switch will break?
could i just solder a mosfet in between
and fail closed and let everything through
switch but solid state no?
which type
but if you want physical control use a switch
idk why a transistor is in the equation
thats just a switch you control with an electrical signal
@velvet path figured you'd know this best, but does unc0ver have embedded patches for old ABI? I'm making an article thing about it in my tweak development tutorial and would just like to have all the facts straight
i would use a switch to enable a transistor which hopefully has less impedance than a physical switch
i dont think it would be any better
try it and pray
other than that
bios chip probably isnt high sensitivity
compared to something like pcie lane for example
indeed
workin on it
I don't honestly know - I didn't even know 14.5+ needed oldabi until it was learned that Taurine needed it
Interesting
I'm trying to make an informative thing about it
I'm guessing u0 also has an oldabi patch
see Amy thought they did some PAC stuff seeing as the issue you get without the patch is something to do with PAC
but nobody really knows to my knowledge
interesting
but thats only on iOS 14 though, right? I think iOS 15+ needs a much heavier patch compared to iOS 14.5-14.8.1
I love how u0 is so closed source
the thing is 14.x can inject it system-wide with no repercussions (and only 2.2MB memory usage total)
doesnt the oldabi fix need to be applied only to SpringBoard and system apps?
appstore apps are arm64 only so no need for new abi
indeed, but there's no downside to doing it systemwide on 14.x iirc
yeah
but why is oldabi so unstable on dopamine
thats what i dont get
it hooks dlopen iirc
I see
so let me be clear in my question
if/when the spinlock panics are fixed in Dopamine, oldabi will be more stable, yeah?
I personally havent had much issue with oldabi but it seems like almost everyone else seems to be having issues
it would solve the main issue that it has at this point, yes
I did notice issues with it installed such as the sharesheets in iOS lagging really badly
but full on panics? not really
@radiant idol here's some further discussion on it I guess
thanks
give me one ppl bypass and ima open. my legs
give me two pac bypasses and ima give u sum
give me three pacbypasses ima explode fugu16
give me a userspace exploit, i'm going to do absolutely nothing with it (why did you give it to me?)
Share sheet is always laggy
What's this and can I delete it ?
Is it my iOS version?
But like what is it tho?
It's in caches
It's one of those files that just speeds iOS up
You delete it, it'll probably come back
Like how ?
Do you have it ?
It got bigger
3mb bigger
@radiant idol can u tell me what's here for u on ur phone /var/root/Library/Caches/com.apple.coresymbolicationd
Like how big the file is
Allegedly on macOS it's somewhat fine to delete but on iOS it allegedly borks userspace reboots
Are you quite low on storage or smth
yeah fr
remote views not be fucking awful challenge
how do you even find the source of remote views
I've never understood
how to fix this funny tweak
```
==> Compiling DRYPasscodeSubPreferencesListController.m (arm64)…
In file included from DRYPasscodeSubPreferencesListController.m:1:
./DRYPasscodeSubPreferencesListController.h:8:12: error: cannot subclass a class that was declared with the 'objc_subclassing_restricted' attribute
@interface DRYAppearanceSettings : HBAppearanceSettings
           ^
/Users/hg13/Desktop/theos/vendor/lib/iphone/rootless/CepheiPrefs.framework/Headers/CepheiPrefs-Swift.h:339:12: note: class is declared here
@interface HBAppearanceSettings : NSObject
           ^
1 error generated.
```
Cephei is weird on rootless
uh
Remove all the CepheiPrefs imports and replace them with this
@import CepheiPrefs;
should work
im trying to compile funny obj-c tweak
ik
but ill try that
that's valid objc
It's the syntax of importing modules
you can also write it like this #import <CepheiPrefs/CepheiPrefs.h>
but yeah
doesnt seem to work, same error spits out
Interesting
you could just remove all the stuff related to HBAppearanceSettings if you want
it's not strictly necessary
yea removing the DBA definition and replacing it with HB seems to work..? now this thing is left (theres more errors after this)
```
==> Compiling DRYAppearanceSettings.m (arm64)…
DRYAppearanceSettings.m:3:17: error: method definition for 'init' not found [-Werror,-Wincomplete-implementation]
@implementation HBAppearanceSettings
                ^
/Users/hg13/Desktop/theos/vendor/lib/iphone/rootless/CepheiPrefs.framework/Headers/CepheiPrefs-Swift.h:419:1: note: method 'init' declared here
- (nonnull instancetype)init OBJC_DESIGNATED_INITIALIZER;
^
DRYAppearanceSettings.m:5:1: error: ivar '_tintColor' which backs the property is not referenced in this property's accessor [-Werror,-Wunused-property-ivar]
- (UIColor *)tintColor {
^
```
just so you know, you can do
```
this
```
around your discord messages makes it one complete codeblock like
this
ah yea
interesting, I guess you could try just adding the -Wno flags in your makefile (-Wno-incomplete-implementation and -Wno-unused-property-ivar)
see if that works(?)
@severe stream if I'm not mistaken they removed what ur like using in Cephei 2.0
im compiling an old tweak for someone soooo
No
HBAppearanceSettings is still in Ceph**ei** 2.0, it's just under a different header file
(it's also written in Swift instead of Objective-C now)
read it more carefully
seems to actually, now this error. just have to add the -Wobjc flag?
```
@implementation HBAppearanceSettings
                ^
/Users/hg13/Desktop/theos/sdks/iPhoneOS15.6.sdk/usr/include/objc/NSObject.h:63:1: note: method marked as designated initializer of the class here
- (instancetype)init
^
1 error generated.
```
kk
-W means it will throw an error for that warning
-Wno means it'll ignore
mhm yea
error: unknown warning option '-Wno-designated-initializers'; did you mean '-Wno-objc-designated-initializers'? [-Werror,-Wunknown-warning-option]
I probably misspelt it
yea, ill add the objc
use the one it says
Twin
at least I dont misspell every second word
this tweak is a hot-mess to fix and compile
is it Diary?
yep lol
haha
Diary jumpscare
Info regarding the old ABI and ways to not rely on Legacy arm64e Support in your packages:
https://github.com/NightwindDev/Tweak-Tutorial/blob/main/oldabi.md
I think he's drunk
probably
I dunno
Cause electra is rlly sucking ass rn
php dev be like
lol u0 was like a 1 second exploit success
it was like instant
#include <jailbreak.h>
install_jailbreak();
enable_untethered();
I somehow haven't seen issues with it reliability wise
I've seen this now twice and I don't get it. why were people subclassing HBAppearanceSettings
that was never supposed to be the intended usage
anyway it doesn't work any more because you can't subclass a Swift class from ObjC
ahh, not sure why dev subclassed it but either way, compiles fine
you could either just comment out that entire @interface/@implementation and anything that references it entirely if you're just building for yourself, or change the code that inits that class to instead directly init HBAppearanceSettings, and set the values on it with properties
hi guys can someone tell me where the error at this shortcut i try to update weight to notion database from input
when i change provided input into a number "10" for example it get updated to the database
but when i run it like this i end up with this error
@primal perch is a full-time shortcuts dev, he can probably help you out
thanks i will wait for his answer
I am too
It could just be a shortcuts bug
That's what it looks like
is there a way to fix it
Wait
Remove the quotes around the provided input
See if that works
well thank you it works lol
Perfect. When quotes are around a number, the server expects a number, but instead receives a string
Just some notes
Thanks for the note
Np
did anyone ever encounter such an issue? Received insecure drawing action <BKSInsecureDrawingAction: 0x280640e80> { handler = none; info = <BSSettings: 0x282de7420> { pidToContextInfoDictionary = { 3036 = { 1929741309 = "{(\n \"VC:StandByViewController\"\n)}"; }; }; }; }
What are you trying to do?
adding a subview on a view controllers view
yup
did you override the method you need to override to make it display on the LS
i forgot the name
one sec
```
- (BOOL)_canShowWhileLocked {
    return YES;
}
```
oh lol theres a method for that? didnt know that because the view controllers view displayed just fine
think its that
ohh alright let me try
this should be in your VC not your view
that really seems to work, thank you!
thanks again, the only weird thing is that the added subview only takes up half of the screen. as a measure to fix that i've set translatesAutoresizingMaskIntoConstraints to NO and set up layout constraints, however now the "insecure drawing action" occurs again
viewDidLoad of the view controller where i add the subview
Hm, should work fine
Does the issue also occur if you just set up a frame rather than using AutoLayout?
so it's basically this:
```
StellaView *stellaView = [[StellaView alloc] initWithFrame:self.view.bounds];
stellaView.translatesAutoresizingMaskIntoConstraints = NO;
[self.view addSubview:stellaView];
[NSLayoutConstraint activateConstraints:@[
    [stellaView.widthAnchor constraintEqualToAnchor:self.view.widthAnchor],
    [stellaView.heightAnchor constraintEqualToAnchor:self.view.heightAnchor],
    [stellaView.centerXAnchor constraintEqualToAnchor:self.view.centerXAnchor],
    [stellaView.centerYAnchor constraintEqualToAnchor:self.view.centerYAnchor]
]];
```
nope then its only the issue that the view only takes up half of the screen
yeah i set it to white background color and the whole screen is white then xD
also here, I would not use initWithFrame: if I were you. I'd just do [StellaView new] instead, since we are later using AutoLayout on that view
alright thanks
Doubt that'll make a difference but it's worth a try
i'm not getting that error anymore but i'm also not seeing the view lol
i can not see it, no
interesting
Capt's fault
what if you call viewDidLoad manually on the view controller using FLEX
i wish it was lol
link
pins
oh wait ok, the view is there but its frame is 0, 0
but the view controllers view also has frame of 0,0 now lol
found the issue
the view of the vc had translatesAutoResizingMaskIntoConstraints set to NO. setting that to YES fixed it for now
thanks though @radiant idol
great
what a nerd
shut up icraze
Icraze did u read the crash log I sent about nexus
yeah but it doesnt make sense
when did it happen
like what was the device doing at the time
Nope
It happened at like 4:47 am or sm
Watchdog crashes like 30 min before
Crashed *
fuck it python disasm
woe
imagine being able to read assembly like its english
u just cheat engine every app and you understand it
oh i don't know any assembly
meh
lets say I make a python script that solves 1 + 1, and I have a OBFUSCATED python script that solves 1 + 1, would they both look the same in assembly?
obfuscate
python
pick one
u cant obfuscate python? :p
no
lets say java then
would the assembly code look different?
obfuscated code vs non obfuscated code
Didn't know that
mhm
and that's what's actually "ran"
i be forgetting with java
cause it still gets "compiled" no?
yeah
yeah i just meant it isn't just straight ran from source code like python is
or maybe it still can be idk
according to the collegeboard MIT is interested in me
i have to start coding again i lowkey forgot how to
oops!
your bad
at code
u suc
i know
thats the whole problem
i look at the source code to luz and i genuinely get lost now
it made so much more sense when i wrote it
nah im cool
no
pov me with my unreleased update to calculator history
or legit like
anything I've ever written lowkey
realistically only used it to build mac stuff
thats what i made it for
¯\_(ツ)_/¯
true
it did it pretty well for what its worth
downloaded this from my zip archive that i have since i deleted it off my computer
have u seen anything i've written
oh my goodness I'm going to have a breakdown
L
this is all @grave sparrow's fault
damn i got the off brand troll
there
me when i stop working on a project for a week (this happens every week)
Always
@sonic totem welcome
lol thank you
you can convert your python to bytecode itās a real pita
gm
gm
All python you run is converted to bytecode
Why obfuscate python when you can just use a different language
Real question though is why obfuscate
any news? 
?news any
guy's banned and stuff starts happening
where news
LMAO
free froyo
we need to rise up and find install method for 16.5.1-16.6.1/17.0
was it you that tried something using DDIs
but even if that works, 17.0 still remains
thats the preferred install method for 15.5-16.5
maybe the mobilestoragemounter thing will work
that one bug
patched in 16.7
how do i get FLEXall to open in simulator
cry
[[FLEXManager sharedManager] showExplorer];
dont tell him
hes gonna get rich
by the stupid vcam tweaks
Link it
hide
hit the ld
link what
Preferences
CVE-2023-41992 certainly
Does Flex need to link against preferences though?
its not flex
different thing
my own tweak
with prefs
but i cant compile for simlator
bc of the preferences
```
TARGET = simulator:clang:14.5:12.0
ARCHS = arm64
# ...
_PRIVATE_FRAMEWORKS = Preferences
```
Maybe theos requires a different variable for linking with simulator?
Man I haven't used theos in ages
Haven't done iOS development in a minute
you'll need to build an SDK with private frameworks
using the scripts on https://github.com/theos/sdks
project zero will release soon its ok 
yea but fuck that
and also doesn't that start to become files that have to be used with specific versions of python
yes
thinking about adding RCS support to imessage. Has anyone here messed around with custom IMService s
that and getting telephony stuff like the SMS identifier are the only parts that are dicey as far as making it impossible
there is an open source implementation of RCS (in java, but still) online, but it's for android, and uses google's APIs for low level telephony stuff
ios doesn't have a native java runtime
you'd probably just want to reimplement RCS in objc or swift whatever strikes your fancy
Make the bubbles red or something idk
lol
RGB text bubble
I mean, if you're up for it, technically nothing is impossible
enjoy your RE of coretelephony and associated framework
limneos site probably has headers
thats how all my projects happen so it definitely does
there's also another site which has relevant C funcs for frameworks
Few people mess with this sort of stuff
yeh i remember that
this has C funcs for frameworks, something that neither Limneos nor Cynder's sites have
i remember my old days of looking at headers 
it's handy
yeah
nice
imo this seems like a fun project if you're really interested in it
I am, I haven't really done tweak dev
but I've done tons of reading/watching ios reversing stuff
because its interesting
I have a tweak development tutorial if you're interested, it's kinda basic, looking at the level you're on, but it may get the job done
@fallen pond what languages do you know
mostly rust, c, a bit of swift and objc
noice
if I do this, I'll probably implement RCS in rust and use objc where necessary to delegate between it and ios
sounds overkill to me
but 🤷
if you're more comfortable with Rust then yeah I guess that may make sense
well i mean then theoretically you could use the rcs anywhere no?
yeah that would be another advantage
if I abstract away the calls to internal telephony stuff
oh well yeah
then yeah it coul be useful as a reference/ for people on other OSes
thanks lol
yeah fr
I need to read up on RCS because I want to know exactly what I need from telephony internals
that and mess with IMServices
hmm, iiuc RCS mostly uses telephony stuff for authentication and is mostly IP based
I could be very wrong though lol
I need to do more than skim the spec
why does this have to be the only open source implementation of rcs on the internet lol
(from the design powerpoint in the repo)
Lmaooo
i tried running both .sh and .py and neither worked
```
fiore@fiore-mac ~ % ./create_patched_sdk.sh true
Failed to find sdk for simulator runtime
fiore@fiore-mac ~ % python3 create_patched_sdk.py
No SDKs were successfully created from DeviceSupport binaries. Falling back to Simulator Binaries
fiore@fiore-mac ~ %
```
and then if i add the --use-simulator arg, nothing gets outputted, and it just hangs for a couple sec and then finishes w no output
hm
I think it's probably not updated for Xcode 15 making the iOS simulator a separate download
simulator runtime no longer inside Xcode.app
To all my fellow developers: IDA Pro 8.3 (Windows again) has leaked
Do not pirate it and do not search IDA Pro 8.3 leak on google
old news smh
I have not had it for like 30 hours already
yet you didn't share
do i need a sandbox extension every time i wanna spawn a new process in launchd, or can i reuse them
Thank you I didn't search and download it
We need Zuckerberg's permission, let me drop him a DM
No ARM
Well at least objc_msgSend "wrappers" are properly labeled now
It was so painful reversing YT binaries for months lol
Thank you for the not information
Did decompilers leak
weird, i dont even have xcode 15: Version 14.3.1 (14E300c)
ok so it made me a 16.4 sdk
and its still saying Preferences cant be linked
even when i specify the sdk version in the makefile
and preferences is in the sdk
in private frameworks
@grave sparrow is sandbox_extension_issue_file what im looking for
its just giving null
@lapis vessel Don't mean to bug, but any updates on this? Totally fine if you want to keep it private, but a lot of people would enjoy it on newer versions
@lapis vessel yea pls open source
sandbox = suicide
any news?
any news?
Fake news
fastpathsign3 omgg 
@radiant idol sorry I haven't decided yet
we can't make threads here right
Don't think so, no
ah, sad
I'm going to dig into IMService and i wanted somewhere to rant about it that wouldn't spam this chanel
nah go ahead, this is the place for that lol
¿news any?
security
i have to be using the wrong function or using it improperly or something
i want ios 18 to allow custom web engines
Gets your Apple ID banned
that has to be false
ask tim 
That's my email
@grave sparrow don't fall
Just get the no sandbox entitlement
Ok I'll send support emails for nexus there
changing my name to Richard Etard
maybe i can fake the entitlement
?
ima try it
@hasty ruin @grave sparrow does windows ida work well under wine
yeah
do you use crossover, gptk, or just plain wine
hm
alright
im getting tempted because remoting into my desktop gets annoying sometimes
details
jus make/use a VM tiny10/tiny11?
how would I detect a change in the boolean isShowingHomescreen from Springboard-Class.h
not 100% sure. looking for the boolean name in the header file doesnt return any other methods
is there a better way to see if it does?
searching for the method setisShowing doesnt give any results either
thats the only one I know about
i use crossover-wine and wineskin
it might just be called "SpringBoard"
its alright
sucks to be you ig
you are so poop
here it is
lmao
ah
wait
its just a compilation of the rest of the headers
mb
so uh i decided that uh
i would nuke secinit
i want it to be readable for all processes on macos
yeah...
and you're generating the extension in launchd?
and consuming it through an environment variable of some sort?
well the parent one yeah
okay
ive bootlooped my mac like 4 times trying to do the extension shit
im like wtf
I deleted libz.dylib on my mac and still managed to save it
backups important
I have a linux server hosting smb
this happened years ago on vacation I forget why I accidently deleted it
this was sierra/hs not in shared cache
- rm -rf /usr/local/bin/ammonia
- reboot
- done
make an uninstaller
its so beautiful to see my tweak loaded everywhere
you make a whole fucking kext?
ahhh
@grave sparrow why you making an uninstall md that nobody gonna read
@deep wolf you can probably just hook methods on the home screen view controller btw
to know whenever it's shown/unshown
it's a joke about how you never actually get the chance to remove it
@grave sparrow you think it's possible to make a kext that patches kernel on the go instead of installing a custom one
gm
I meant like user kext idk anymore
IM BLACK
Crazy
i wanna change my race, how can i do that
Does adding a section at the end of a MachO file not invalidate its codesign?
This suggests that it does https://alexomara.com/blog/adding-a-segment-to-an-existing-macos-mach-o-binary/
Or would this not even matter in a jailbreak tweak context? Say a tweak .dylib is patched via this method, what would happen then?
what if you rebase the strings refs and make them point to the new ones in that new section
hm
so then how would opa's method of patching rootful debs for rootless work then?
right
so you can just resign the macho file and then it should just run like a normal bin?
Ah ok
So that's not much of an issue then
the issue is actually getting the thing to work lol
ohh I see
through install_name_tool, yeah?
I see
Black
What I'm interested in is the fact that I heard that you can't modify the size of a bin without corruption, seems like that's not entirely true?
```
[ Mach-O header ]
[ Some free space ]
[ First instruction of the program ]
```
Right
ok yeah that was my next question
can you determine the size of that free space somehow?
Society if capt released zefram
yeah true
I have been overloaded with info but thank you, interesting
how could anyone in r/jailbreak have sex
oh
any news?
real
found architecture 'arm64e.old', required architecture 'arm64e'
anyone seeing this with latest xcode when trying to compile for old ABI?
no
https://reddit.com/r/jailbreak/comments/184yxa3/app_can_convert_swift_codes_to_ipa_on_ios/ AI is here to save the world
i hope someone puts him out of his misery
What if the person posting this... is AI
smartest chatgpt user
AI just replaced compilers holy shit
fr
Swift too
Did he... use swift... to compile swift...???
infinite compilation
Anyone know why this piece of shit crashes almost every day
```
Thread 2 name:  Dispatch queue: NSManagedObjectContext 0x9f482db50
Thread 2 Crashed:
0   CoreFoundation          0x1c3aa985c CFDataGetBytePtr + 8
1   ProtectedCloudStorage   0x1e5b759b8 PCSPublicIdentityCreateWithPublicKeyInfo + 52
2   Transparency            0x23863baec -[KTAccountPublicID initWithPublicKeyInfo:error:] + 96
3   Transparency            0x23863c2d0 +[KTAccountPublicID ktAccountPublicIDWithPublicKeyInfo:error:] + 60
4   transparencyd           0x10296041c 0x102880000 + 918556
5   transparencyd           0x10295e9fc 0x102880000 + 911868
6   CoreData                0x1cb188b6c developerSubmittedBlockToNSManagedObjectContextPerform + 156
7   CoreData                0x1cb188650 -[NSManagedObjectContext performBlockAndWait:] + 208
```
zefram
not sure if this is correct place but can someone explain how background processes work on ios?
i suppose when i allow notifications for an app it registers some kind of service which always runs in background. Or does it run no matter if I enabled notifications for an app?
also, what is "background app refresh" exactly, and how it's different from notifications background service
would this be possible on iOS though? I was thinking about that issue
codesign is macOS only, afaik… no?
ldid -s <binary>
oh ok
the one on procursus works on windows even if you wanna go that far
yeah
You can codesign on iOS
Code for it is in dopamine
.
Thanks. ldid -s should do the trick as well though, right?
I do not have an M2 iPad
yea that should work
but many people are looking into options for installation now
im willing to test if you have any idea to how to fix it
unfortunately there is a new mdc bug patched in 17.0.2 just no poc
theoretically could that be used for installation on arm64e
i need mickey to dm me on twitter bro
im on 17.0 on arm64e
Ladies and gentlemen, news
im on 16.5 arm64e and cant install trollstore because of KFD 
I have trollstore but am debating upgrading to 17.0
do it fr
do you know of any install methods? nathan said something about ddi i dont know if thats broken on 17.0
longer app support fr
Haven't looked into it. It was released like 10 minutes ago
Oh KFD doesn't support 17.0
yeah
Iphone 11promax ios 16.4 cant install trollstore??
@lime pivot so when i run python3 create_patched_sdk.py --use-simulator it generates iPhoneOS16.4.sdk in $THEOS/sdks, so then i rename it to be iPhoneSimulator16.4.sdk and then when i run make, it shows this
```
==> Copying resource directories into the bundle wrapper…
==> Linking bundle tweakprefs (arm64)…
ld: building for iOS Simulator, but linking in .tbd built for iOS, file '/Users/fiore/theos/sdks/iPhoneSimulator16.4.sdk/usr/lib/libobjc.tbd' for architecture arm64
```
@velvet path about the dopamine not being able to install on TS2 did u make sure that the ipa was stored "on my iPhone". I remember being an issue with thing not installing on TS1 with that
it's a very known issue at this point
try KFDopamine
Did u read my message ?
it's an issue with one of dopamine's executables
ah
we've found the issue
It's like not getting signed or sm ?
(has to do with oobPCI, causing the CT bypass to just die)
5€ if someone can fix KFD for M2 Ipads
so whens trollstore 3 coming out?
im developing but not well
is (id)_accessibilityTopDisplay; something I can read a state from using a notification or does the (id) mean it isnt a method that can do it and just an object?
It's a method
The return type is id
But more likely there's an actual return type and we don't know it
Yeah just hooking it and logging %orig will help
It'll show the actual type at runtime if you use NSLog
```
%hook ClassName // replace ClassName with whatever the class is
- (id)_accessibilityTopDisplay {
    id orig = %orig;
    // log the runtime class of the returned object so the real return type can be seen in the syslog
    NSLog(@"%@", NSStringFromClass([orig class]));
    return orig;
}
%end
```
Yeah that, it's a perfect example
okay sweet. so next question I can't seem to find a straight answer on; how do I view the NSLog stuff? right now im using custom banners to debug because I can't figure that out lol. Im assuming I need to do something with SSH and my pc?
Are you on Windows or macOS?
windows
Ahh
should I get the hackintosh working again lol
So on macOS there's Console.app, but you can do it on windows
If you really want to do this fast tho, just show the NSStringFromClass in the banner
But the correct way is to use idevicesyslog
And then you can do something like idevicesyslog | grep "[bruh]" and then put [bruh] in your logs
Assuming you are on WSL
yeah i'll probably do that instead
okay I think i get what you mean, doesn't sound bad
It'll be with libimobiledevice
Though I think you need to run that on windows, because WSL doesn't do USB stuff
But idevicesyslog.exe has a --match parameter which does the same thing as grep
ahh ok yeah just download the exe and use it with cmd
Should be, make sure the device is trusted and everything
ok cool thank you
yeah just do idevicesyslog -m whatever
anyone here have a good idea of why that recent mobilestoragemounter patch only changed /var/run/mobile_image_mounter to a system container
thats all it did
patched in 16.7
although i have no idea what that would patch
how do i get objection on a rootless jb?
what
for frida
oh nvm I have no experience with that
@torn oriole
Kind of a stupid question but what exactly is a load_command in MachO? I've been reading up on the file structure and whatnot, I just have not completely understood what exactly it is
They can be various things
Generally they describe where to find XYZ in the binary
Or describe a property of the binary
so there's no one clear definition for it, I'm guessing?
an array of information
Each type of load command is different
An important one for jailbreaking is LC_LOAD_DYLIB which instructs to load a dynamic library. Tweaks ultimately are compiled into dynamic libraries with constructors that hook methods
Right
in this binary:
- LC_SEGMENT_64: information about the binary's segments
- LC_DYLD_INFO_ONLY: haha some funny stuff don't worry about it you will reconsider your life choices if you investigate this
- LC_SYMTAB: the location of the symbol table and string table for the symbols
- LC_DSYMTAB: dynamic symbols
- LC_RPATH: paths to consider when looking for a dependency that is prefixed with @rpath
- LC_LOAD_DYLINKER: the dynamic linker to use (basically always dyld)
- LC_UUID: UUID to identify this binary
- LC_BUILD_VERSION: target platform, minimum OS version, and the SDK used for building
there are lots more
that exist
oh okay, I see. so load_command by itself doesn't really have a specific definition, but its various "child" types have various uses in the context of the binary?
not sure if that makes sense :P
If you haven't yet, play around with otool
yeah I'm planning on it
think of load_command as NSObject
The struct load_command itself only has a type and size since each type of load command has different structure/information
dylib:
LC_SEGMENT_64: a segment in the mach-o
LC_ID_DYLIB: the path of the dylib mach-o itself
LC_DYLD_EXPORTS_TRIE: exports tree
LC_SYMTAB: symbols table
LC_DYSYMTAB: dynamic symbols table
LC_UUID: unique identifier for the mach-o
LC_BUILD_VERSION: usually minos and sdk version along with what platform: iOS, macOS, watchOS, bridgeOS, tvOS, or SEPOS
LC_SOURCE_VERSION: source code version? probably
LC_LOAD_DYLIB: this is how the dynamic linker, dyld loads dylibs and links their symbols into memory for the mach-o to use
LC_FUNCTION_STARTS: where the TEXT or code starts
LC_DATA_IN_CODE: embedded data in the code
note there are probably more load commands in here, I think the hex fiend template just died on something
Thanks! that's helpful
lol I see
but yeah - trying to dive into some low level stuff
Also check out optool
thanks all, that makes a lot more sense now
o, what's that?
It's a tool that you can use to edit load commands of a Mach-O binary
Edit/add/delete
oh interesting
nothing is more low level than the stuff I do 
You can poke around the source code too
Are you wiring transistors? 
vtool, jtool2, otool, and optool are the best for this stuff
SEPROM RE
the sep firmware that's fused into the silicon aka SEPROM
Ah fair enough sick
try bind mount on iOS 16 but failed with unknown special file or file system. any ideas
Just went through some of the replies to opa's tweets (or x's?) and damn wtf is wrong with some people
sir what does this mean

i wonder if its possible to make opainject work with trollstore
process might be killed because of the CS_KILL flag.
did u try it?
Works if process has get-task-allow
check dms
what's the file path of the Tips app on iOS?
/var/containers/Bundle/Application/$TIPS-UUID/
I'm assuming i can't just copy paste this
how do you find the uuid of your tips app 
Bummer aight then
Can't Misaka do this?
- i don't want to install misaka just for trollstore
- i'm bored
i know yall are probably working on a standalone installer but it's for fun anyway
We aren't working on an installer
I can say that much
A standalone installer may arrive from Misaka team or something
But the main TrollStore team aren't making one
@naive kraken can i somehow reload springboard with trollstore entitlements after changing dyld shared cache
bruh how would you change dsc
Probably TS + kernel r/w on arm64 or something?
well the file with the value is in preboot does that work
i haven't been following kfd stuff when it was new but what is the deal with kfd on m1/m2?
t1sz should be 26 instead of 17/25
bruh
nevermind im dumb
that's an easy way to bootloop if your change gets flushed to disk
you cannot inject anything anywhere
due to trust levels and shit
TrollDecryptor
- Decrypt appstore apps
- This is just a... prototype apps
- Tested with KakaoTalk app
- You can get app pid from Cocoatop
Source Code:
http://github.com/wh1te4ever/trolldecryptor
Seems I broke permission of some directory, anyone knows what directory to repair?
I found "TrollStore broke it" in Reddit, is it real?
what are you trying to do
there is no way to fix this other than resetting the device and restoring a backup
Can I restore from Finder backup?
idk I was never able to reproduce it (or figure out what the actual underlying error for the bug is)
so afaik this is user error
yes
Resetting all settings should work, did the trick for me when I messed up permissions on a /var folder
I think I broke it by trying to sideload com.apple.tips
Not wipe, just reset
huh
let me try
my balls
https://github.com/wh1te4ever/TrollDecryptor this sounds so cool
It didn't work sadly
i was gonna make this :c
I think I don't have much time to handle this project, just like kfund..
but if anyone grab this code and make more perfect, that would be great!
Cheers
wtf is this gibberish in xcode