We’ve tried symlinks / hardlinks
#development
sonic totem
We tried symlinking /var/mobile/Media/TrollHelper (AFC upload directory) but you can’t execute any binaries in /var apart from /var/containers
frail spade
is there an equivalent for cowabunga lite windows?
sonic totem
We’ve tried messing with the CodeResources file to exclude the main binary from signature checks
We’ve tried sneaking in binaries but they always get set to read-only
Not really sure what else to try
I think step 1 would be figuring out how to get a binary past installd and not have it set to non-executable
sonic totem
is there an equivalent for cowabunga lite windows?
Not sure, sorry. I’d imagine there is but I’m not certain
installd uses lchmod and fchmod to prevent the use of symlinks
lime pivot
even better, preparing Apple Watch for development
(I have never written an Apple Watch app)
lime pivot
installd uses lchmod and fchmod to prevent the use of symlinks
yeah we used that one a long time ago 🙃
unkempt magnet
It doesn't let install system app through usb :/
It seems like only installable through appstore, so maybe I have to find how to hijack that systemapp download url..
sonic totem
Even so, it will still check code signature even if we could
timid furnace
It seems like only installable through appstore, so maybe I have to find how to ...
Already tried
it's pinned
unkempt magnet
then.. I'll wait for release kernel exploit.
sonic totem
I might try some other stuff but I won’t spend hours and hours on it
wind ravine
i still wanna get the dirtycow exploit working
bc even with an install method u still cant hide the home bar
timid furnace
no one has any clues on how to exploit it though unfortunately
wind ravine
it looks reasonable with the steps zhuowei laid out
its just threads mismatching object copying
i tried to look into it but i couldnt figure out how vm_object works
crisp frost
Anyone happen to know why task_for_pid returns KERN_SUCCESS but the task port is -1? This is with TrollStore 2 if that matters
sonic totem
Are your parameters correct?
naive kraken
Anyone happen to know why task_for_pid returns KERN_SUCCESS but the task port is...
because ur not platformized but the port ur trying to get is
or you lack some entitlement
crisp frost
or you lack some entitlement
(the target process is springboard) this also happens with opainject so I doubt it's a entitlement issue however when I was working on a jailbreak with kfd I just simply spawned a dropbear shell ( no platformization ) and then opainject would succeed, the only real difference was that opainject was in the trustcache instead of signed with the ct bug, could that make a difference? ( this is all on arm64 )
naive kraken
(the target process is springboard) this also happens with opainject so I doubt ...
yes that is what makes the difference
crisp frost
yes that is what makes the difference
could that be in some way fixed or worked around with only TS2? Or should I just run kfd -> platformize myself and work from there
naive kraken
could that be in some way fixed or worked around with only TS2? Or should I just...
no that can't be fixed
crisp frost
alright
granite frigate
i tried to look into it but i couldnt figure out how vm_object works
ian beer’s talk on the original MDC bug is pretty interesting
a lot of it flew over my head but at least i now sort of know what a vm_object is
sonic totem
Yeah I sent that to Lemin
Definitely great for learning the basics
I watched it to get a basic idea of the whole VM layer
granite frigate
I watched it to get a basic idea of the whole VM layer
the part where shadowing comes in gets me confused lol
sonic totem
Yeah same for me
Although I watched it like 11pm and I was tired
Might watch it again today
serene hawk
hi, i'm trying to fetch preferences values with cephei, however when trying to fetch values from a third party app i get: "Could not contact preferences IPC server! (Error 1102)" does anyone know a fix for this?
inner yoke
Hi, I have an iPhone 8 with all this shsh2, I want to try the supported arm64 jailbreaks, I can downgrade and test, please let me test 😅
sonic totem
You can’t
sonic totem
Apple has extra mitigations preventing you from downgrading
inner yoke
Apple has extra mitigations preventing you from downgrading
Currently I can downgrade to 15.x without much problem
inner yoke
yes, i can downgrade successfully, i downgraded successfully
inner yoke
yes
sonic totem
When did you do this
velvet path
@sonic totem it's possible for home button checkm8 devices to downgrade to 14.x/15.x but you need to dump activation tickets in advance
velvet path
!t sepbb it's linked on the linked chart somewhere
faint lionBOT
!t sepbb it's linked on the linked chart somewhere
velvet path
Oh wait, isn’t that the OrangeRa1n method?
yes
sonic totem
Oh fair enough, I completely forgot that that existed
ashen birch
Oh wait, isn’t that the OrangeRa1n method?
i mean copying activation tickets over activating in OS is nothing new
they just wrote a guide on how to
inner yoke
on a11 iphone8 can only downgrade, the lowest downgrade is 14.3
You can also downgrade without shsh with downr1n, but it is tethered
faint stag
installd uses lchmod and fchmod to prevent the use of symlinks
file descriptor chmod? yeah that's actually clever
sonic totem
Yeah it first uses lchmod because it doesn’t follow links, and then fchmod to make sure it has a file descriptor
Not necessarily in that order
odd timber
If A11 has PPL then why doesn't an A11 jailbreak require a bypass if checkm8 isn't used?
sonic totem
They also claim something about macOS which is wrong too I think
And some stuff about SEP
odd timber
that
harsh junco
guys how do i compile img4tool
sonic totem
Welcome to the tihmstar dependency ring of hell 😤🔥💯
torn oriole
guys how do i compile img4tool
fucked up libplist
compile latest from limd repo and install
harsh junco
compile latest from limd repo and install
already did that 
torn oriole
already did that <:hm:1158412406167457802>
Did you make clean and autogen img4tool again
faint timber
its pretty simple
there are multiple places a lib can be installed
even if you install the new libplist its highly likely the old copy is installed in a different path
so obviously you are going to use the search feature to find and delete the old one... 
sage kite
package managers generally install in /usr/lib, compiling from source generally install into /usr/local/lib
faint timber
also linux gnu arch dir
harsh junco
also linux gnu arch dir
im compiling it on windows with mingw64
topaz yew
guys how do i compile img4tool
oh u poor baby
faint stag
im compiling it on windows with mingw64
oh yeah i tried that too
got stuck on libgeneral 
i think
twilit jungle
I never understood why people struggled to compile tihmstar's source... like just get his computer and press compile.
radiant idol
def shift_commands(commands, amount, within, shifts):
for (Command, props) in shifts:
for (_, cmd, _) in commands:
if not isinstance(cmd, Command):
continue
for p in props:
v = getattr(cmd, p)
setattr(cmd, p, shift_within(v, amount, within))
what the hell does this python syntax mean
this is why I hate python
faint stag
i mean you could do the same in other languages. readability here is just up to whoever wrote it
radiant idol
no yeah I know
its just so wordy that at this point its hard to read
I especially dont understand these
faint stag
probably should look at the usage
timid furnace
I especially dont understand these
shifts is an array of two item tuples
(command, props) is unpacking them
radiant idol
the what
timid furnace
have you not used swift
radiant idol
no
timid furnace
ok then just think of it as immutable list
radiant idol
like an NSArray array?
timid furnace
so instead of having to do
for item in list:
# item is a 2 item list
first = item[0]
second = item[1]
if it's always going to be a fixed size, you can unpack it in the for loop
for first, second in list:
# stuff
why not
timid furnace
idk this is pretty simple for me to understand
anyways the second line is the same
_ just means ignore
radiant idol
I mean yeah I get it now but still
timid furnace
so you only want the second item in the tuple (index 1)
hexed knot
that just makes it overcompilcated imo
How
Pythons the best of the simple languages
Pretty good syntax sometimes
timid furnace
_ can be anything actually
ie.
_ is just the convention to indicate "i don't care about this variable"
faint stag
*why*
idek python but yeah that's obviously 4 arrays for types of commands
i decided to just look on github for where shift_commands was used because that helped me understand
faint stag
yeah and someone used that within a project
radiant idol
I see
well I'm trying to port it to C/Obj-C
I just dont really get the syntax of python
I also do not like the weaktypedness of python
radiant idol
yeah
timid furnace
well swift is strongly typed
its just that it guesses most of the time
you provide the type almost the rest of the time
and it just gives up for the rest
radiant idol
objc supremacy
timid furnace
ok but objc is fake typing
timid furnace
yes
faint stag
its just that it guesses most of the time
compiler assumes a lot of things, doesn't it
radiant idol
how do I convert this to objc
no tuples in objc
def shift_within(value, amount, within):
if value < within[0] or value > (within[0] + within[1]):
return value
return value + amount
just an arr?
hm
int shift_within(uint64_t value, uint32_t amount, ? within)
timid furnace
what calls shift_within
radiant idol
```py
def shift_commands(commands, amount, within, shifts):
for (Command, pr...
this
which I also need to convert to C/Obj-C
more in favor of C
radiant idol
so I guess I could just make that one arg into two?
timid furnace
idk up to you
you should probably understand what it's doing rather than doing a straight port
because this won't translate terribly well
radiant idol
yeah true
the documentation is almost nonexistent unfortunately
I think its shifting the load_commands in the header to make space for the new load command for the new segment
I can't understand for the life of me why the guy would choose to do this in python
faint stag
I think its shifting the `load_command`s in the header to make space for the new...
well we know exactly what commands it's supposed to shift, they're listed anyway
it's supposed to shift offsets that can reference the modified segment
updating the header and inserting new commands is done after all this but the macho lib in use here makes that easier ig
radiant idol
hm I see
topaz yew
besides trollstore is there anything else the coretrust bug can do
like what are its capabilities, is what im asking
interesting indeed
ashen birch
so i ru n get tpf0 n have jb ???
topaz yew
real
visual meadow
frank fossil
is this why executable pages die on fork? In vm_map_remap
naive kraken
is this why executable pages die on fork? In `vm_map_remap`
no that problem is much deeper
indigo peak
@hasty ruin @radiant idol have either of you tested trolldecrypt and ran into any issues?
hasty ruin
<@883412614699446283> <@799410351207612426> have either of you tested trolldecry...
i've had it just not do anything after it freezes the UI
cant remember which app it was though
or if i could reproduce it
indigo peak
hm weird
hasty ruin
i've had it just not do anything after it freezes the UI
no alert or anything
hasty ruin
that's it I believe
indigo peak
no missing icons
indigo peak
okay
radiant idol
<@883412614699446283> <@799410351207612426> have either of you tested trolldecry...
i havent
indigo peak
i havent
damn
some people are getting some issues that i havent been able to replicate
cloud yacht
<@883412614699446283> <@799410351207612426> have either of you tested trolldecry...
I did but you ignored me 
cloud yacht
indigo peak
https://discord.com/channels/349243932447604736/688124600269144162/1179998321583...
oh shit
sorry
yeah thats the issue im trying to fix now
cloud yacht
Do you need info?
radiant idol
did i ever show you the WIP rune banner
no
cloud yacht
I've never made a banner for any of my apps
hasty ruin
+ make "Rune" bigger
hm true
cloud yacht
Icons were hard enough
hasty ruin
make the corner radius bigger for the icon
more round?
hasty ruin
cloud yacht
Should change the device screenshot to the page for nexus
hasty ruin
also if you can, use continuous corner radius
does xd support that
radiant idol
does xd support that
not sure
there seems to be some weird artifact with the corner radius
native orbit
how much rune gonna cost
hasty ruin
there seems to be some weird artifact with the corner radius
it was a shitly cropped screenshot
didnt have the icon on my laptop
hasty ruin
Icons were hard enough
https://havoc.app/package/nexus i dont think nexus' was too bad
native orbit
bl
hasty ruin
dont do that
well yeah its not final 
cloud yacht
https://havoc.app/package/nexus i dont think nexus' was too bad
I meant making my own icons was difficult enough, that I didn't want to do a banner
cloud yacht
I just don't have banners
radiant idol
and the screenshots
radiant idol
[fart](https://chariz.com/buy/jade)
imagine not being able to use markdown correctly
cloud yacht
Like what would I do for Eliza or unlocked
hasty ruin
bro has so many iphones!!!!
radiant idol
fr
cloud yacht
Wait
timid furnace
https://havoc.app/package/nexus i dont think nexus' was too bad
how much do you make off of nexus
is it enough to buy development devices
hasty ruin
is it enough to buy development devices
definitely
timid furnace
ok i need tweak ideas
cloud yacht
Nice
radiant idol
ok i need tweak ideas
frcoal
hasty ruin
not right now, though it hasnt been updated in like 6 months
cloud yacht
ok i need tweak ideas
Audio mixer
timid furnace
activator 2
cloud yacht
Honestly activator usage in the shortcuts app
native orbit
make nexus 2
cloud yacht
Nexus for iOS 7
radiant idol
not right now, though it hasnt been updated in like 6 months
why not
just
update
it
hasty ruin
why not
just
update
it
the lockscreen sucks
native orbit
just release it as the exact same as nexus and charge $5 
hasty ruin
i get depressed having to open that fucking directory 
radiant idol
the lockscreen sucks
what
hasty ruin
i hate it
radiant idol
i get depressed having to open that fucking directory <:vexxedtomato:81034185200...
what x2
cloud yacht
ok i need tweak ideas
I have a terrible tweak idea that will not make any money that I was debating making
native orbit
need infiniboard back 
hasty ruin
what
sets label x pos to 0
label has no left padding
you'd think the text would be on the very left right?
WRONG!! it's like 5-10px away from the edge
radiant idol
>sets label x pos to 0
>label has no left padding
you'd think the text would be...
trolled
cloud yacht
im concerned if i even wanna hear it now
Ok so basically take the ringer switch and make it behave like the iPod lock switch. Basically if ringer is locked, turn off screens and don't let it turn back on until it's unlocked
hasty ruin
glad they rewrote it in ios 16
less glad that it's even worse
in terms of user experience too
radiant idol
less glad that it's even worse
LMAO
timid furnace
Ok so basically take the ringer switch and make it behave like the iPod lock swi...
that's not a bad idea
radiant idol
Ok so basically take the ringer switch and make it behave like the iPod lock swi...
interesting
cloud yacht
Honestly just nuke the Lock Screen and then make your own from scratch
radiant idol
Ding source code may help
timid furnace
so basically input lock
cloud yacht
I think someone linked it in another server
hasty ruin
Honestly just nuke the Lock Screen and then make your own from scratch
just stop the screen turning on at all
no need to change LS shit
cloud yacht
Probably more stable than modern ios
hasty ruin
https://media.discordapp.net/attachments/709389160011661344/1162880097854955622/...
modded apple device :/
not intended behaviour
indigo peak
@cloud yacht i think i found a fix :)
cloud yacht
modded apple device :/
It still has the OFW on it
But the OFW is garbage compared to rock box
Rock box even has a manual
indigo peak
@cloud yacht can i dm you a build to test?
cloud yacht
Yeah but I can't test until I get home in about 15-30 minutes
hasty ruin
i love discord cdn
hasty ruin
horts
cloud yacht
https://media.discordapp.net/attachments/709389160011661344/1162880097854955622/...
No this apple device is running normal unmodded apple software
fiery seal
that would stop the Nexus Moment when you pull ur phone out and NEXUS SETTINGS had already appeared while it was in your pocket cause you were touching your phone, the screen happened to turn on at that time, and nexus thought you wanted to mess with settings
visual meadow
Does anyone here know if any daemons, besides these (https://newosxbook.com/ent.jl?ent=com.apple.private.security.storage.AppBundles&osVer=iOS16), can write to app bundles?
hasty ruin
that would stop the Nexus Moment when you pull ur phone out and NEXUS SETTINGS h...
disable whilst locked mf
fiery seal
disable whilst locked mf
oh thanks i didn't know that was an option
hasty ruin
fiery seal
<:frcoal:784338955759517696>
it does say "disable whilst locked", not "disable settings whilst locked"
radiant idol
while*
faint stag
Honestly activator usage in the shortcuts app
i mean i thought that's what powercuts was for
acoustic imp
@hasty ruin why,for nexus settings, didn’t you make it that like pup up and out window thing. Like it opens then makes the window behind it smaller… this thinge
(The music windows thing would be nexus settings and Apple Music app thing is the LS )
frail spade
hmm
i tried overwriting /var/mobile/Library/FrontBoard/applicationState.db with a partial backup to see if it would restore the state of the app switcher
but it doesnt seem to affect it
are there any other places where the app switcher state could be stored?
proven urchin
i love discord cdn
whitename moment
indigo peak
@hasty ruin I’ll merge your pr tm, just fixed some bugs in latest release
frank fossil
I have finally got my very terrible way to fix fork() to run CLI tools
- Enable JIT using
ptrace(PT_ATTACHEXC, forkedPID) - Copy the whole MachO binary to a new memory map, in order to ensure any address-relative instructions continue to function
- Set RX for __TEXT region in the new MachO memory
- In child’s SIGBUS handler, change pc to the new executable region
visual meadow
I have finally got my very terrible way to fix fork() to run CLI tools
- Enable ...
Wow
torn oriole
No but you see it’s better because the kernel didnt do it
unkempt magnet
I have finally got my very terrible way to fix fork() to run CLI tools
- Enable ...
Awesome!
topaz yew
how do i create a platform binary
sonic totem
Give it the platform-application entitlement
naive kraken
I have finally got my very terrible way to fix fork() to run CLI tools
- Enable ...
don't use signals for communicating though, they have side effects and some tools will break due to them
instead use file descriptors like Dopamine
also can't you remap something executable on top of the existing r-- mapping?
frank fossil
also can't you remap something executable on top of the existing r-- mapping?
It always fail with KERN_NO_SPACE
naive kraken
It always fail with `KERN_NO_SPACE`
hm
probably because both the child and the parent are backed by the same memory
harsh junco
what now
topaz yew
Give it the platform-application entitlement
thanks
indigo peak
have you know i fixed the issues
hasty ruin
W
slender glade
I had some fun using some of the camera related AVF apis for this, which were the main purposes of this demo https://github.com/NSAntoine/Shiranui/blob/main/Shiranui/UI/CameraScannerViewController.swift
I also did not realize how much info it could detect lol
radiant idol
I had some fun using some of the camera related AVF apis for this, which were th...
SERENA IS BACK
hasty ruin
Nocturne*
blazing warren
I also did not realize how much info it could detect lol
boobies and faces
indigo peak
micro pdf417
fun fact: pdf417 is the barcode type for US drivers licenses
indigo peak
that’s why it’s a fun fact
granite frigate
I had some fun using some of the camera related AVF apis for this, which were th...
is this a public API? i have some ideas for swift student challenge using this
i just realised i was blind
sorry
cloud yacht
That's neat
harsh junco
i dont think so?
indigo peak
bite your apple
tepid olive
What
harsh junco
that helped, thaks
viral osprey
https://tenor.com/view/letter-r-gif-9063762
drifting heron
🙃
frail cedar
How does one spawn a binary on ios 4.3 so that you can read stdout
I'm guessing NSTask?
visual meadow
tepid olive
zenith compass
oh
frail cedar
hoe
young meteor
native dune
brazen timber
native dune
young meteor
zenith compass
brazen timber
blazing warren
zenith compass
i think we should stop
tepid olive
i think we should stop <:hm:1158412406167457802>
White name 
zenith compass
whoa are u being racist to me just because i have white name?!?!!
tepid olive
whoa are u being racist to me just because i have white name?!?!!
Yes
ashen birch
mem+ is the new whitename
next wadi
tepid olive
https://tenor.com/view/letter-n-gif-9063758
frank fossil
@opa334 apparently bold text uses gpu to accelerate so any unsandboxed app without GPU access will crash. Maybe TrollStore should check and add additional iokit entitlements for it
ashen birch
clemmed = genius
turbid fjord
mem ed is like baseline competency for this server
“Baseline” yeah
We have some member ones who can be a bit 
frank fossil
probably because both the child and the parent are backed by the same memory
I tried it in parent process before fork() but it was the same. Also, I’ve tried deallocating it beforehand but any map/remap to the address straight out crashes the process.
naive kraken
I tried it in parent process before fork() but it was the same. Also, I’ve tried...
yeah
I believe the processes share the same page table
So that's why you can't change the area where it was originally mapped
frank fossil
instead use file descriptors like Dopamine
How would I do this? I’d have to relocate everything to the copied region, but things like callbacks are not possible to relocate without signal handling
naive kraken
How would I do this? I’d have to relocate everything to the copied region, but t...
oh
I misunderstood then
frank fossil
@opa334 apparently bold text uses gpu to accelerate so any unsandboxed app witho...
also please check this out
naive kraken
~~also please check this out~~
it's up for apps to figure out
it doesn't happen with stuff that's sandboxed
frank fossil
yeah but, the usual fix would be add some IOKit access to be same as sandboxed app
minor cargo
i just got a 2016 macbook pro. ima install sonoma on it with open core and then learn swift and c++ and c
tepid olive
turbid fjord
blazing warren
tepid olive
papy
blazing warren
blazing warren
🍆 💦🍑
reef remnant
Anyone who can help me with Theos? After updating Xcode and Theos my tweaks don’t appear on my phone. They compile without errors…
tepid olive
cloud yacht
mem ed is like baseline competency for this server
True
minor cargo
“Baseline” yeah
We have some member ones who can be a bit <:intjmentallyhandica...
not me i’m smort
@naive kraken what security research company do you work for?
naive kraken
<@208334999722786816> what security research company do you work for?
Cellebrite
robust radish
Cellebrite
would you recommend the company / is it a decent place to work remote from ?
naive kraken
would you recommend the company / is it a decent place to work remote from ?
yes
If you're interested in a job there, you can DM ih8sn0w or guyru_ on Twitter
robust radish
Nice, thanks. Yeah I saw guyrus tweet the other day and have been considering applying
minor cargo
If you're interested in a job there, you can DM ih8sn0w or guyru_ on Twitter
maybe when i’m 18 i’ll apply.
pearl sail
Cellebrite
Hmm are you allowed to have a public opinion about the current conflict going on?
naive kraken
Hmm are you allowed to have a public opinion about the current conflict going on...
As long as it doesn't involve the killing of your coworkers or the destruction of Israel, I would assume so
pearl sail
Interesting
robust radish
definitely a good interview icebreaker question
unkempt magnet
Cellebrite
How much effort did you need to apply here?
naive kraken
How much effort did you need to apply here?
None, they reached out to me
unkempt magnet
Oh
rigid glen
Anyone here attending 37c3?
naive kraken
Anyone here attending 37c3?
yes
rigid glen
Great, let’s meet!
minor cargo
definitely a good interview icebreaker question
definitely gonna not answer the question
tepid olive
@naive kraken sorry for the mass pings but what experience/skills would I need to apply to a company like cellebrite?
I’m in college studying computer science and cyber security and im decent at programming
Also have some certificates
indigo peak
what’s the odds I get a job from gameseagull 🤣
primal perch
I’m in college studying computer science and cyber security and im decent at pro...
basically that but finish your degree and you will have a good chance
naive kraken
<@208334999722786816> sorry for the mass pings but what experience/skills would ...
publish cool projects or find bugs and get CVEs
https://github.com/opa334/sandbox_extension_generator for reference this is the project that made them consider me
timid furnace
@sonic totem did Security.framework always check all slices
damn
i can't prove it but i think i know the issue
steady nest
i can't prove it but i think i know the issue
tbh I couldn't find the explicit check for number of slices on xnu src
so it doesn't seem like a number of slices problem (maybe...?)
unkempt magnet
https://github.com/opa334/sandbox_extension_generator for reference this is the ...
That might be one of your effort, nice.
timid furnace
tbh I couldn't find the explicit check for number of slices on xnu src
My explanation doesn't reconcile with it being fixed for arm64 in 15.5 and arm64e in 15.7
But
I think on the newer versions security.framework checks all slices instead of skipping the ones with matching subtypes
steady nest
that wouldn't make sense since it's the kernel that's refusing execution
visual meadow
I diffed ios 17.0 vs ios 17.2b4 security and there were no changes
steady nest
it passes installd's checks
think of it in a different way
duplicated slice of the same file
it gets past installd but doesn't execute, why
timid furnace
Does it?
I don't think it did for me
Even if I pretended to be arm64 Security.framework saw the slice as arm64e
I need to retest while documenting though, I was testing a bunch of things at the same time
steady nest
it did
timid furnace
Which version
steady nest
17
timid furnace
Wtf
timid furnace
I've been using lipo and editing the fat header
steady nest
visual meadow
https://github.com/opa334/ChOma/tree/main/tests/fat_create use this
I was using pwnify from fugu14 and then just editing the subtype to 00 lol
timid furnace
My best guess is that is security.fw trying to parse funny signature
timid furnace
I think that's the general error unfortunately
Yea src wasn't very helpful
primal perch
indigo peak
@hasty ruin how do i merge pull requests on github 💀
i dont use github
oh god dgh0st is typing
twilit jungle
Git merge
indigo peak
either this will be a useful reply
twilit jungle
twilit jungle
timid furnace
ye
timid furnace
np
indigo peak
@twilit jungle this u?
severe stream
ive seen it before
pearl sail
All wise ones have seen the end
All the wise ones do meth
visual meadow
<@213293185449852929> you're right
right about what lol
visual meadow
oh yea i tried on 16.6.1 it does
its weird tho
either way it doesn't run because it has 2 of the same archs in the binary
it does that even if you try to run it on macos
steady nest
<@213293185449852929> you're right
about
tender plaza
Is there a arduino patch for the r4 wifi board, for setting up the usb host library.patch?
pearl sail
not rarer than seeing actual development happening in #development
granite frigate
i was thinking of how i can automate signing a dylib to inject into an app
so you’d have to
- read the .app mach-o binary
- find the team id from it
- fastpathsign your dylib with it
- profit?
timid furnace
Figured out where i fucked up
i didn't account for CTv1 vs CTv2
CTv1 passes security.framework, CTv2 does not
timid furnace
i don't think there's a way to get past installd
On 15.7+, the only way to get past installd is by making your CPU type and subtype exactly equal to a validly signed binary. Otherwise, installd will find the other slice and try to validate it. This is fine for CTv1 (well it depends, if the slice is picked as the one for resource validation it fails, otherwise it skates by fine, I think, haven't really tested), but it chokes on parsing the CTv2 signatures
sonic totem
<@512299379479281666> did Security.framework always check all slices
No
It checked the first one
The idea is that installd will check exactly the same slice as the kernel
Thus they only need to check one slice
sonic totem
so you’d have to
1. read the .app mach-o binary
2. find the team id from it
3. f...
You would have to replace the team ID
But essentially yeah
But fastPathSign does all that anyway
timid furnace
If you make your CPU type and subtype exactly the same though, the kernel will reject it
CPU type/subtype comes into play in 4 cases in the kernel, at least from what I see
- FAT binary is checked for duplicate type/subtype pairs. if there are duplicates, EBADMACHO
- Each arch is graded and the best one is picked
- The mach header's CPU type and subtype are compared to the FAT header. if they are not equal, EBADARCH
- (not really relevant) The arch is graded again, but the capability bits of the subtype is removed. If it's not allowed, EBADARCH
so basically the slice that is selected for execution has to match what it's purported to be in the FAT header
sonic totem
But installd will always pick the same arch when grading now
So you might be right in the sense that there are no FAT bugs anymore
timid furnace
i don't think installd is grading
sonic totem
(In terms of an installd bypass)
timid furnace
from what i understand it's a logic bug
sonic totem
i don't think installd is grading
It chooses the best slice
sonic totem
from what i understand it's a logic bug
This one with three arm64 slices?
It’s intended behaviour
timid furnace
It chooses the best slice
in terms of whether to validate the code signature?
what is installd grading for?
sonic totem
It just chooses the first, best slice to validate. The kernel will choose the same slice as they use the same grading standards. Hence, there is no need to validate any other slice as they will never be run.
sonic totem
It doesn’t if they are the same architecture
timid furnace
if they are the exact same CPU type and subtype, yea
timid furnace
if they are the exact same CPU type and subtype, yea
and this includes capability bits
sonic totem
Yeah they have to be literally identical
sonic totem
Fixing which bug?
timid furnace
I guess the arm64e one
sonic totem
I think it was in internal_NXFindBestFATArch inside libmacho.dylib?
Essentially it just had different logic to the equivalent function in the kernel
So they’d grade FAT slices differently
sonic totem
Wdym
timid furnace
(cleaned it up a bit for better diffing)
Basically, the first check is now for an exact match, rather than an match ignoring caps
this eliminates the scenario where the prior slice has invalid caps but a valid signature (making it acceptable to Security.framework, as it doesn't care about caps), but the secondary slice has valid caps but an invalid (to Security.framework) signature
and then I think it iterates using findArch or something idk. i was having a lot of trouble tracing it through the code
granite frigate
installd bug? what iOS are you diffing between
timid furnace
this was basically the only relevant code i could find that had FAT handling so i figured it was this
timid furnace
installd bug? what iOS are you diffing between
installd calls out to Security.framework
this is a diff between
- iOS 15.5 = Catalina 2022-004 = macOS 11.6.6 = macOS 12.4
- Security-60158.120.9 (macOS 12.4)
- iOS 15.7 = iOS 16.0 = macOS 11.7 = macOS 12.6 = macOS 13.0
- Security-60420.40.34.0.1 (macOS 13.0)
sonic totem
Basically, the first check is now for an exact match, rather than an match ignor...
Hmm
I think this might be unbreakable
I don’t see how there could actually be a bug
Because now it’s identical to the kernel’s checks
granite frigate
has the kernel's checks changed between the 2 versions? where is that done normally
sonic totem
Kernel function is called fat_getbestarch_for_cputype or something
timid furnace
my Security.framework theory is also kinda supported by the logs: for example, armv7/arm64/arm64 (where both arm64 are identical)
debug 22:09:26.967025-0500 installd 0x6809157f0 is a fat file with 3 architectures
valid
but it only pulls out two slices
debug 22:09:26.969422-0500 installd 89472 signing bytes in 6 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.DFZ9lw/extracted/Payload/Runner.app/Runner(arm64)
debug 22:09:27.159755-0500 installd 85416 signing bytes in 6 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.DFZ9lw/extracted/Payload/Runner.app/Runner(armv7)
but say you have armv7/arm64 with bogus cap/arm64
debug 00:47:19.134438-0500 installd 0x680809f70 is a fat file with 3 architectures
valid again
but it pulls out all 3 slices
debug 00:47:19.136636-0500 installd 89472 signing bytes in 6 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bFflSs/extracted/Payload/Runner.app/Runner(arm64)
debug 00:47:19.329511-0500 installd 85416 signing bytes in 6 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bFflSs/extracted/Payload/Runner.app/Runner(armv7)
debug 00:47:19.418576-0500 installd 40820 signing bytes in 4 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bFflSs/extracted/Payload/Runner.app/Runner(arm64)
default 00:47:19.418947-0500 installd MacOS error: -50
(dies)
sonic totem
How have you got these debug logs
timid furnace
i mean yes, like where specifically? sorry i couldn't find it
bsd/kern/mach_fat.c
bsd/kern/kern_exec.c
bsd/dev/arm/kern_machdep.c
sonic totem
But also interesting
timid furnace
all 3 relevant files
timid furnace
How have you got these debug logs
console
granite frigate
thanks https://cdn.discordapp.com/emojis/1077203069718245467.webp?size=48&name=prayge&quality=lossless
timid furnace
not enabled by default
sonic totem
my Security.framework theory is also kinda supported by the logs: for example, a...
So what’s the difference when it pulls out all three slices
Oh the capabilities
timid furnace
yea
timid furnace
here are my results
logs available on request because i am too lazy to collate them
timid furnace
I think we need to look elsewhere
agreed
timid furnace
i don't think installd is grading
nice little side note: installd does actually grade but it's just to see if you have any runnable slice or not. it uses sysctl to call out to the kernel function. if there's no runnable slice it'll give you the app needs to be updated prompt, the one for 32-bit apps
timid furnace
also because caps doesn't change grading for arm64 you can't use this for TrollHelper on 15.5-15.6.1 on arm64
meaning the first arm64 slice is what will run, and since CTv2 doesn't pass Security.fw it can't be the first slice, so rip
sonic totem
Worth a try anyway, thanks for all your research lol
How much do you know about DDIs?
timid furnace
Worth a try anyway, thanks for all your research lol
Lol it helped me understand it very well
timid furnace
How much do you know about DDIs?
I fiddled with it for a bit back when MDC was a (more popular) thing
I got root exec but gave up on it once i realized i was screwed by the sandbox, but CTv2 changes things
You need MDC in order to use a custom DDI though, so I don't see the point (wrt TrollStore install)
severe stream
also because caps doesn't change grading for arm64 you can't use this for TrollH...
what would this mean?
timid furnace
what would this mean?
Which part
Do you want the general explanation or the more technical one
sonic totem
@timid furnace DMs for a sec?
severe stream
Which part
I mean what can't be used?
timid furnace
Yea
severe stream
The old installd bug with the new CoreTrust bug
owh
velvet path
also because caps doesn't change grading for arm64 you can't use this for TrollH...
could this be used for arm64 14.x (which has CTv1) or no?
timid furnace
I haven't checked but someone said they introduced the arm64v8 grading changes in iOS 15
So for 14 both would have to be arm64, which the kernel will complain about
Idk I'll check the kernel tomorrow
velvet path
alternatively part of me would be wondering if there's a sandbox bug that could be used alongside something like TIMDC
because right now the only way to get TS on arm64 14.x is either:
- sshrd stuff
- jailbreaking
it's mildly amusing given that arm64 15.0-15.4.1 and arm64e 14.x work fine, but not arm64 14.x
timid furnace
need to retry tccd on 14
pretty sure that it persisting was cap
on the other hand unsure if 14 even has the exploitation vector for it
velvet path
does the tccd bug exist on 14.x?
timid furnace
idk
it's not really a bug
it's moreso find and replace something in the binary and congrats you have an all encompassing sandbox token
it's kinda like if you could overwrite amfid's checks and just make them return true. you can't protect against that, it's not really a bug
(you can't though)
velvet path
pretty sure that it persisting was cap
by it persisting, do you mean the tccd change or the tips change or what?
timid furnace
tccd change
velvet path
what issues does it even cause if it persists
timid furnace
what issues does it even cause if it persists
won't work unjailbroken
broken code sig
naive kraken
CTv1 passes security.framework, CTv2 does not
CTv1 does not pass Security.framework
naive kraken
so you’d have to
1. read the .app mach-o binary
2. find the team id from it
3. f...
you can't fastPathSign with anything but GTA Car Tracker currently though
granite frigate
you can't fastPathSign with anything but GTA Car Tracker currently though
oh I assumed i was doing something wrong because it seems like it gets killed when i use a roothelper to spawn it
naive kraken
I haven't checked but someone said they introduced the arm64v8 grading changes i...
The iOS 14 kernel will not run arm64v8 slices, this is why the arm64 install method does not work on iOS 14
granite frigate
you can't fastPathSign with anything but GTA Car Tracker currently though
is there any way to get it working? what's currently hardcoded to make it only work with car tracker
timid furnace
On 15.7+, the only way to get past installd is by making your CPU type and subty...
^
Idk i didn't look into v1 that much after realizing i was using it instead of v2
blazing warren
tepid olive
Are we expecting a 17.0 kernel exploit from google project zero at all?
granite frigate
i don't think a LPE is a kexploit
sonic totem
There was an exploit in the chain
But they will probably only analyse the actual vulnerability
Highly unlikely that they’ll release a full exploit as there isn’t a need
granite frigate
developing an exploit based off a vulnerability seems so daunting i wish i was good enough to do that
sonic totem
The first time you do it will probably be really difficult
But I guess as you do it more and more it will get easier
granite frigate
there are obviously a lot more things I have to learn before i even get to that point
sonic totem
i don't think a LPE is a kexploit
It would be enough to install TrollStore though I think
Because then you could spawn a binary as root
Oh wait you’d need to unsandbox too I think
granite frigate
Oh wait you’d need to unsandbox too I think
well the coretrust bug works so that wouldn't be an issue?
sonic totem
Yes but you won’t be running in a CoreTrust signed app if you’re installing TrollStore
So who knows
granite frigate
oh, right
sonic totem
The original TrollStore installer did it all with a kernel exploit, but that was when you could get root and unsandbox yourself with just kernel r/w
ivory ginkgo
How do you make jailbreak exploits?
sonic totem
Good question
twilit jungle
timid furnace
does it open tho or is this just 2 of same arch slice thinf
it does not help
timid furnace
i learned more about (the) installd (bug)
that's basically it
the conclusion is that installd is no longer vulnerable to FAT attacks
visual meadow
damn it
ashen birch
what version
ashen birch
you can compile procursus yourself
besides that thats it
had a brainfart meant proc
eternal rain
besides that thats it
thats enough for me i just need some basic binaries like sudo for now
or even neofetch
nothing crazy
ashen birch
does it require any dependencies
build dependencies yeah
honestly i'd say building from linux is ur best bet
if you're building from *OS you have to be bootstrapped with procursus
eternal rain
ok thats good since i got gentoo
eternal rain
thank you
ill try this when i get home
should i compile the toolchain or everything
oh nvm
minor cargo
i wish they updated for macOS
ashen birch
there should be a precompiled one no?
eternal rain
i couldnt find any
minor cargo
i love procursus
ashen birch
i wish they updated for macOS
thats why i kinda stopped using it (i mean i can't really talk, i'm literally a maintainer but)
eternal rain
macos sucks anyways imo
minor cargo
thats why i kinda stopped using it (i mean i can't really talk, i'm literally a ...
is development stopped on it or something?
eternal rain
it’s basically linux with a paywall
granite frigate
hackintosh:
eternal rain
yea that’s fair
ashen birch
is development stopped on it or something?
not officially just it's not a priority for us rn
ashen birch
it’s basically linux with a paywall
its linux but user friendly
minor cargo
not officially just it's not a priority for us rn
okay
minor cargo
its linux but user friendly
exactly
eternal rain
yea without the masochism ig
ashen birch
"but but but linux is user friendly" give a grandma a laptop with ubuntu and a laptop with macos
she'll understand macos more
which wont be saying a lot she prob wont understand either very well but
eternal rain
man my grandma doesn’t even know how to use the settings app
minor cargo
"but but but linux is user friendly" give a grandma a laptop with ubuntu and a l...
i gave my grandma a chromebook
she just uses facebook so it works for her
minor cargo
why spend so much on something that'll be used for so little
exactly
i even turned on the bigger curser to make it easier for her to see
eternal rain
thats nice
my grandma has an old phone too which she uses for only like 4 apps
her phone still runs better than my school computers somehow
minor cargo
her phone still runs better than my school computers somehow
ikr
0.0001 ghz processor
minor cargo
and has like -300 gb of disk space
my main computer has 256gb
so i would kill for 300gb
but i use arch
so it’s okay
eternal rain
arch user spotted
im a gentoo user so basically arch but with a different package manager
i got a friend with windows and has 8 tb of disk space
this dude managed to use it all
my install takes like 60 gb maybe
granite frigate
8tb of homework is crazy
eternal rain
thats what im saying @ebon thistle @ebon thistle @ebon thistle @ebon thistle @ebon thistle
oops accidentally pinged him
keyboard glitched
phone got hacked
minor cargo
im a gentoo user so basically arch but with a different package manager
🤮
i mean
🤑
eternal rain
🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑🤑
i just update while i sleep
and im canadian so i need the extra heat from compiling to heat the house up
minor cargo
💀
eternal rain
sooooo hea
arch is a good distro tho
i used it as my first distro i think
my install was garbage tho im glad i nuked my system and reinstalled it later
eternal rain
i used regular install but it was so bad
then i tried enabling secure boot and i somehow broke my motherboard
minor cargo
i used regular install but it was so bad
then so it again
ebon thistle
thats what im saying <@265873249944993793> <@265873249944993793> <@26587324994...
Hey, do me a favor and go junp off a cliff you cunt
Jump* shit
minor cargo
😆😆😆
eternal rain
Hey, do me a favor and go junp off a cliff you cunt
my bad dawg
minor cargo
has anyone made a poc of CVE 2023-41993? or is anyone even working on it?
sonic totem
Is that the kernel exploit?
minor cargo
oh alright
indigo peak
how do would i sign a dylib with the team id (i ran ./make_cert.sh <TEAM_ID>)
basically: whats the ldid command to sign dylib with p12 cert
naive kraken
ldid -K<path/to/.p12>
indigo peak
ldid -K<path.p12> <pathdylib>?
indigo peak
ldid -K<path/to/.p12>
ldid.cpp(3316): _assert(): flag_S || key.empty()
libc++abi: terminating due to uncaught exception of type char const*
zsh: abort ldid -Kvictim.p12 tweak.dylib```need -s
ldid -Kvictim.p12 -s tweak.dylib
indigo peak
% ldid -Kvictim.p12 -s tweak.dylib
ldid.cpp(3316): _assert(): flag_S || key.empty()
libc++abi: terminating due to uncaught exception of type char const*
zsh: abort ldid -Kvictim.p12 -s tweak.dylib
real
visual meadow
```
% ldid -Kvictim.p12 -s tweak.dylib
ldid.cpp(3316): _assert(): flag_S || key....
what about -S
ldid -Kvictim.p12 -S tweak.dylib
faint timber
Always sign a dylib with S because it’s not supposed to have ents
indigo peak
@naive kraken i generated victim.p12, signed my dylib, put it into the Resources folder of my app, called int ret = spawnRoot(opainject(), @[[NSString stringWithFormat:@"%d", pid], [[NSBundle mainBundle].bundlePath stringByAppendingPathComponent:@"tweak.dylib"]], &output, &error);
and then got a dlopen error saying that the team id doesnt match
not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)
even tho ik its the right team id for the pid
any ideas?
should I have the app sign the dylib on runtime using the p12 and trollstore ldid and THEN call opainject?
sonic totem
<@208334999722786816> i generated victim.p12, signed my dylib, put it into the R...
Are you using the new CoreTrust bypass?
You need to sign the app and dylib beforehand using the bypass
Just install it using TrollStore
You might have to pre-sign the dylib, idk how ldid will work if it’s not in the standard path, but fastPathSign2 should work once ldid has pseudo-signed it
naive kraken
<@208334999722786816> i generated victim.p12, signed my dylib, put it into the R...
no clue
indigo peak
Are you using the new CoreTrust bypass?
yeah I’m on ts2
indigo peak
You need to sign the app and dylib beforehand using the bypass
I was trying to inject a dylib into an AppStore app using opainject, so like I said before, I signed the dylib with the proper team id BEFORE I put it in resources, and then I packaged the app and tried running opainject, and it said the team ids dont match
indigo peak
you can't use a custom certificate
wdym why not
indigo peak
use the one in the trollstore repo
and wasn’t the victim.p12 on the ts repo made with the script I made mine with?
steady nest
because the cms blob is designed specifically for the certificate in the repo
indigo peak
so then how is opainject gonna work if you can’t specify a teamid for the dylib
granite frigate
am i tripping
steady nest
what does the teamid have to do with the certificate lol
indigo peak
what does the teamid have to do with the certificate lol
I remember opa said like a year ago thay you have to sign the target dylib with the same team id as the target application is signed with in order for opainject to work
indigo peak
adhoc sign the app with alfie's fork of ldid
on device, or before packing the ipa
steady nest
before ct_bypass
indigo peak
before ct_bypass
so it has to be done on device?
steady nest
restive ether
https://github.com/alfiecg24/ldid
he should’ve up streamed this
visual meadow
you dont macintosh
indigo peak
im on mac
indigo peak
m2
visual meadow
indigo peak
Symbol not found: _ASN1_OCTET_STRING_free
Referenced from: <5AFB45A8-1FC3-3D52-BE6D-1CF7DC8A4F3A> /Users/fiore/Downloads/ldid (built for macOS 14.0 which is newer than running OS)
Expected in: <no uuid> unknown
zsh: abort ./ldid
real
visual meadow
what macos r u on
hasty ruin
Ventura lol
indigo peak
install procursus idk
how
faint stag
That OpenSSL should not be needed it is nothing special
yeah i'm trying to compile and i can't get it to use libcrypto
from procursus that is
lol
pearl sail
indigo peak
a func/meth like this isnt hookable right
__int64 static L10n.Payment.balanceMeals.getter()
{
return static L10n.welcomeExplore.getter(
&one-time initialization token for balanceMeals,
&static L10n.Payment.balanceMeals,
&unk_64488,
one-time initialization function for balanceMeals);
}
its ida disassembly
im assuming its swift
urban moon
One way is using libundirect I guess
primal perch
a func/meth like this isnt hookable right
```objc
__int64 static L10n.Payment.ba...
meth
you can easily hook it assuming its not blocked out by some protection like KTRR or KPP
its just not gonna be easy cus it doesnt look like objc runtime
indigo peak
you can easily hook it assuming its not blocked out by some protection like KTRR...
its in an apps framework directory
so id imagine its not protected lol
primal perch
yeah
everything is hookable
you might have to handspin assembly so good luck but its doable
primal perch
yea
you just have to MSHookFunction the right address
if it works symbolically great
if not, its mapped in the processes memory so find the images runtime base address using dyld functions then add the static image offset using IDA/hex edtior
indigo peak
hmmm
okay
is that it? MSHookFunction only option?
bc it would be nicer for trollstore
but
yeah
native orbit
static patching <:gigachad:994131404835258540>
until an update gets released 
primal perch
tepid olive
<:trol:831188670848565289>
indigo peak
@grave sparrow what would i even use for the symbol name
void MSHookFunction(void *symbol, void *replace, void **result);
twilit jungle
Not a name
indigo peak
__int64 static L10n.Payment.balanceMeals.getter
do i include the __int64 & static?
or is it just L10n.Payment.balanceMeals.getter
native orbit
the address
indigo peak
_$s14NovusSharedKit4L10nO7PaymentO12balanceMealsSSvgZ
so that
oh yeah
i remember doing this before
didnt succeed
but i remember doing it lmao
native orbit
swift symbol moment
indigo peak
@grave sparrow what image do i use for MSFindSymbol
do i hardcode the path to the framework binary?
tepid olive
Troll decrypt my favorite
indigo peak
W
primal perch
forn
indigo peak
@grave sparrow ok i used NULL and i found the symbol, i found the address, but idk how to define the replacement function
cloud yacht
literal 0 runtime overhead
any code I write has runtime overhead
indigo peak
@grave sparrow
#include <substrate.h>
#include <Foundation/Foundation.h>
typedef long long __int64;
// __int64 static L10n.Payment.balanceMeals.getter
static __int64 (*balanceMeals_getter)(void *self, void *_cmd) = NULL;
static __int64 balanceMeals_getter_hook(void *self, void *_cmd) {
__int64 result = balanceMeals_getter(self, _cmd);
NSLog(@"[boost] balanceMeals_getter_hook: %lld", result);
return result;
}
%ctor {
void *balanceMeals = MSFindSymbol(NULL, "_$s14NovusSharedKit4L10nO7PaymentO12balanceMealsSSvgZ");
NSLog(@"[boost] balanceMeals: %p", balanceMeals);
if (!balanceMeals) {
NSLog(@"[boost] balanceMeals not found");
return;
}
MSHookFunction(balanceMeals, (void *)balanceMeals_getter_hook, (void **)&balanceMeals_getter);
}
it crashes :c
indigo peak
it crash with no mshook as well
primal perch
womp womp
ashen birch
bro the fuck is this https://developer.apple.com/ibeacon/
radiant idol
bro the fuck is this https://developer.apple.com/ibeacon/
the screenshots in the manuals are from like
iOS 10 lol
faint timber
2014 is not iOS 10
faint stag
apple was using bluetooth low energy all the way back then
wild
