iOS 7.1.2 adds stability improvements for iBeacon

now it’s crashing without any tweak injected lmaoo

yea found out abt it from changelogs

Hey guys, did asked a few days ago and never get a response so I’m asking again.

Anyone have problems with Theos on Sonoma 14.1.2?
Tweaks compile without problems and worked fine before too. After they get installed the tweak don’t load (it is installed correctly and includes everything) but it don’t do anything and preferences aren’t showing up too…
Sileo shows that the tweaks are installed…

It’s like installing a tweak without code…

manually installed or used theos's make install cmd?

Already tried both.

Have you check the oslog whether or not the tweak successfully loaded, and if not, the reason?

Not yet. Will try that later.
Its kinda weird tho…

what jailbreak are you using

My test device uses checkra1n, iPhone 7, ios 14.8

Usually I got this problem because a linked fw/libraries is not available, thus failed to load. But you'll know once you check the oslog

Tested on different devices too…

what are you injecting into

SpringBoard

hm

check your .deb files and make sure the files are in the right places

also make sure that you marked preferenceloader as a dependency so that you can ensure it is installed

same with mobilesubstrate

Yeah yesterday I’ve downgraded to Ventura. Working fine again… 😒

Checked .deb… that’s the point. Everything is fine

weird

Did updated my Mac and MacBook. My Mac have been downgraded to Ventura. Now it’s working on that…
On my MacBook which is on Sonoma 14.1.2… it doesn’t work

are the xcode versions the same

might be an xcode issue

Yep, latest

both are 15? hm

that's genuinely puzzling

does the file structure between the deb built from the Mac and the one built from the MacBook look the same?

Yes everything is the same

.deb structure looks normal

In Filza everything is in correct place

No errors or warning if tweaks gets compiled

hm

can you send the two debs? i want to compare the binaries

Yeah, I’m currently not at home. But as soon as I’m free. I‘ll send it. Thanks 🙂

looking for dev with xcode, appium, and JB experience. need some help finishing an app automation. 1k+ budget

1k

that was the old bug

you can use a different app cert for the coretrust bug, but it will require a lot of rework in ChOma

this also won't work as both code dirs need the same team id in order for the bypass to work

will coretrust signing the .app app binary and the dylib with the app store cert make it work

Should do

iBeacons are still used

can anyone help me with this? i re-signed the app i an injecting the dylib into with get-task-allow entitlement. now it says here “systen sandbox blocked mmap()”. is there an entitlement im missing somewhere

dylib cant be in /var iirc

It might be the sandbox rule that prevents execution inside /var? You have to be in /var/containers/Bundle

ohhhh

okay

i think just /var/containers work

yeah you can’t execute stuff in var

ill try that right now

ty guys

yeah thanks that worked ill try something else now

You’re probably right, it’s just that I was looking at sandbox profiles this morning and saw only /var/containers/Bundle, but I probably missed /var/containers.

Here…

The .zip contains two debs (working and not working). It includes PreferenceBundles (DemoPrefs) which should appear in the settings…

Nice!

is it possible to add in get-task-allow to the ents of an app store app using the codesign bug?

@sonic totem

what I was thinking was to just

1. ldid it
2. codesign it
3. profit???????

I tried doing this by running sign -i -a /path/to/.app/ and the app ended up not being able to run

i couldn't even reinstall it from the app store lmao

I mean yeah but it won't launch anymore then

yeah

bummer

You’d need to decrypt it

And then resign

And then install in TrollStore

ahhh but that kind of defeats the point of injecting into the app

alright

Yes

Not possible with an existing code signature as team IDs have to match

for anyone thats interested, heres how to get the team id of an app from its bundle id programmatically:

NSString *getTeamID(NSString *bundleID) {
    LSApplicationProxy *app = [LSApplicationProxy applicationProxyForIdentifier:bundleID];
    NSString *binaryPath = app.canonicalExecutablePath;

    SecStaticCodeRef staticCodeRef = getStaticCodeRef(binaryPath);
    CFDictionaryRef signingInformation = NULL;
    OSStatus result;

    result = SecCodeCopySigningInformation(staticCodeRef, kSecCSSigningInformation, &signingInformation);
    if (result != errSecSuccess) {
        NSLog(@"ERROR: SecCodeCopySigningInformation failed with error: %d", result);
        return NULL;
    }
    CFStringRef teamID = CFDictionaryGetValue(signingInformation, kSecCodeInfoTeamIdentifier);

    return (__bridge NSString *)teamID;
}

(idk if i'm meant to release any of these variables so go easy on me 😭)

"Hey Siri whats the team id of Google Maps"

reading blob + teamOffset

Yeah that's what we do in ChOma lol

Much easier

unless you got version 0x20000

oh my god im a dumbassssssssssssssssssssssssssssssssssssss

FUCK

complains why task for pid doesn't work
forgot to include task-for-pid-allow

entitlements moment fr

based siri

how do i jelbreka my iFone 17pro max ultra HD with a 48mp camera

its imposib

finally got a hacked up daemon that injects dylibs into apps when they "launch" on TS2 working lol

Kewl

Demo ?

s0n

for any app? or just specific ones as of rn bc fastAppPathSign isn’t updated

mfw no springboard

just ts app ofc

so not useful

how do you detect when an app is launched?

https://cdn.discordapp.com/emojis/998222439723061298.webp?size=48&name=monkaS~2&quality=lossless

its a secret

let him decide

i wasnt being serious

it’s for ts apps so just hook when you tap the cell lol

you can launch ts apps from SB

i said it in quotes cuz in reality its just a cursed background thread, works good enough for what i need it for tho

ooo

https://cdn.discordapp.com/emojis/965945442561044490.webp?size=48&name=hmmge&quality=lossless

wym

like you hook trollstore to launch opainject when you open the app from there

you just open it like normal and it injects

there is no app either

wait how

does it just run ps aux in the background or something

daemon

"daemon"

fr

more like

bootstrap_* moment fr

ooo

bootstrap_look_up? do apps have a mach server from their bundleid?

oh cool but if it's not their bundle id how are they named

just their process?

i should go check myself

ios

sorry

i need a teacher

I want to learn some hack swift's app(optimized by Xcode) knowledge. Do you have any good suggestions

@grave sparrow is very smart and loves teaching

omw to pester capt about everything

vouch, capt loves swift

The problem I encountered is that the frida hook swift function cannot print variables of string type. I tried to read this value’s memory address of a variable and concatenate it to recover the string, but this method is too cumbersome. Is there any other method or tool to implement it

on iphone7 15+ rootless

Also, the apps that have been launched through the new version of XCode have all undergone strip optimization. What should I do to restore the method and improve the hack app

I think he is just jealous Apple made something good

Apple = good
Anyone else = bad

gm

morning？

It just got dark where I am

waiting........ teachers

f

f

are u writing ur frida code in js or with the c bindings

g

does ghirdra support ios 17 kernel caches

@dense dock happy birthday big man

@dense dock happy birthday big man

i r

info regs 💯

print $eax

wtf im in lldb rn

lldb the only correct choice

gdb more widely supported + capt hates it = its better

mostly the latter

i r

im re

POV capt

lldb also by made llvm group, therefore its the best

capt after using #import in his C project for school and being surprised when he is docked points

me when mshookivar crashes for one swift class but not another for some reason

better then windows

i dont get it

why is it broken

ok but like

why is it working for one class's ivar

but not another

swift moment, it does undefined shit sometimes

smh

I get the ivar name here though - that works

so goofy

there is a problem

it should not be that laggy

atleast arch shouldn’t

(i use arch)

(btw)

🤓

🤓

🤓

gm

in js

do any teachers know how to use debugserver+lldb to debug on rootless devices

Or is there any way to dynamically debug the app on iOS 15+rootless devices（need codesign on ios 15++,can't use ldid testing.. , ok ）

@sonic totem if you put a bundle under plugins iOS will mark its main binary as exec

but installd verifies it

and validation of the main binary fails when i fastPathSign the plugin binary???

Huh that wasn’t the case for me afaik

Pretty sure mine failed

I was using .appex

actually no i think something just broke

i didn't say validation succeeded

I know

I meant pretty sure mine failed on plugins

are you saying the plugins are not marked as exec then

or what

ok

Idk about that part

It probably needs an info plist tho for it to be marked. Besides even if u do get it to install doesn’t pkd have signature validation too, and I don’t think you can sidestep it like springboard can

And if it’s marked as exec what u gonna exec it with lol (if pkd has code sig validation)

idk then

can you use frida to hook the swift function and print string type parameters

idk

probably

what

appex are verified

they are validated by installd yea

i was hoping that maybe they ran some checks only for the main bundle binary instead of for plugins as well

but my signing script has completely imploded so uh

you're good at doing that

try watchOS

16's and 17's installd is really really hardened lol

does ghirdra support ios 17 kernel caches

pro tip: it would help if you didn't end up installing the original unsigned binary

but yea you still run in to the same installd checks issues that you get with the normal executable

a watchOS plugin?

does anyone know why the app switcher doesnt change at all when I delete /var/mobile/Library/FrontBoard/applicationState.db and reboot

backups probably

file size went from 1.5mb -> 782kb

@grave sparrow can i MSHookFunction in a trollstore app, or does that also break codesig

what are you hooking

swift function in getting by MSGindSymbol

yea but where is it

is it in the app itself, is it in a library the app uses, etc

Yeah if it passes validation and is inside a .appex bundle

If it’s not ‘indexed’ as a CFBundleExecutable in an Info.plist file it will be non-executable

i see

i use debugserver +lldb to set a breakpoint on appdelegate with ios15+,but it not break on . Is this an issue with iOS15+or is it a problem with my debugserver or this app being optimized by Xcode？

This is just from my experiences when testing whether I could sneak an executable in

But afaik every file is either set to non-executable or has its code signature checked and is then made executable

“LinkedIn” requires iOS 15, with that message disabling the user interface. Is there a tweak to bypass this. I got XS Max iOS 14.4.2?

find the popView and hook to directly return

With making tweak ?

Or using Flexing

If this view is deleted ，but other data is associated with the iOS version number, it will result in many functions not being used, so it's better to upgrade directly

find where show this view's methed ， use the flex can't do it,

Alternatively, you can try to locate the app version value and modify it to the latest version number of the app, testing if the popView disappears. I'm not sure if Flex can do this

you could try using 3DAppVersionSpoofer

why are userdefaults stored in the jailbreak directory when jailbroken?

how to i start to look for kernel vulnerabilities

jb ur phone and install kernelvulnfinder in sileo/zebra

is a good idea

u could try it to test

hmm, so all of the vulnerabilities will be listed?

yes

it reverses the kernel and does general analysis with AI to find vulns

true

pac bypass

ok eluctrabruhus

i mean for trollstore apps

and that makes sense why it worked on palera1n

is there a guide so you can make tweaks?

i have a mac and xcode installed

anything that isn’t a system plist will be redirected to /var/jb

thats annoying

how do i set the userdefault location in swift?

objective c expects it to be in a specific location

where can i find rootless bootstrap code?

bro do rootless jailbreaks even make a rootfs snapshot

shouldn’t be necessary if it’s never being touched right

of course not wtf

ok i thought so just checking lol

@hasty ruin

@primal perch

why would you need to???

just delete “/“

and boom

@grave sparrow

@grave sparrow

happy birthday big man

good night everyone

@grave sparrow

real footage caught on camera from former president Donald J trump

TRUMP

@grave sparrow

how do u get the color of the status bar in objc?

and how can u detect when that is changed without directly hooking onto the function?

most likely a notification is posted by springboard at some point with some name

@naive kraken i was recently banned in the hack different server sorry if my video offended you, but can i be unbanned?

fr

all of the ios geniuses are there but most of the ios tryhard idiots are too

and the ratio is like 1:10

true

@wind ravine do you have a invite link for the cowabunga server ?

Discord.gg /cowabunga is invalid

heck i lost all my boosts

Can I dm you

is there a way to open ipa files in xcode

command + shift + 2

to open the file?

do I know you?

It gets weird. daemon() uses fork() made libsystem_c page read only

that only happens when you do hooks in some library

(which you need to do for forkfix to work properly, I guess)

@hasty ruin can u fix ?

(Mb for any pirate stuff)

What is that app

tweaksettins

[[tweaksettings]]

will take a look

ok thanks

@radiant idol how does bolderreborn respiring in prefs work, bc it works in tweak settings app

just a respring

i think

bc some work and some dont

Idk look yourself

https://github.com/NightwindDev/BoldersReborn/blob/5a537096a4f5939ce39de16e259701b574b3315e/BoldersRebornPrefs/BoldersRebornListControllers.mm#L13

why’s that

Oh I thought it was closed source

works fine and has been working fine for me

My free tweaks are OS

If u lika added that, could I just put ‘respring()’ anywhere and it would work ? Like in js or do you have to do the thing for methods w brackets

Yes

Like respring();

It would work anywhere in the file

why

genuinely curious

mk

i use killall for Xina v1 since sbreload kinda broken there

fair fair but does it really matter in the end

lol ok

oh no yeah I get that

I’m just saying it kinda works fine even if your killall

Though I do not like killall backboardd

that just doesn’t sit right with me

malfunction ware

Swift sucks

It doesn’t even properly bridge to objc

Why do some ivar hooks work while others don’t

Is it even possible to hook those

The object inherits from NSObject though, that’s the amusing part… it should work

The hell???

WHY

if it had a proper backend I would not hate it

But it’s even more hacky than objc

yes

so true

i love it

Just wish block syntax was better

Yes

Ye

Fr

I agree

Objc rules

While you’re here by the way, how do you add a load_command to a MachO? I have been stuck at this for a couple of days now. This is what I used as a reference, but even after trying to convert this piece of code to C I can’t understand what exactly it’s doing. Can you explain

https://alexomara.com/blog/adding-a-segment-to-an-existing-macos-mach-o-binary/ -> appendsection.py

uh oh

Capt is on his rant

Swift hate

did you?

i don’t remember you explaining that

yes but how
the Python code just does this, I can’t seem to understand how to manually do it:

# Update header and insert the segment.
header.header.ncmds += 1
header.header.sizeofcmds += lc.cmdsize

header.commands.insert(linkedit_i, (lc, seg, [sect]))

# Write the new header.
header.write(fo)

Last one bc funnier

Yeah fair

that was necessary on iOS 6 because of a bug where killing SpringBoard would reset your brightness to 0%

In short from what I understand you need to make a new instance of an lc struct and then memcpy it to the mmap

maybe I don’t get it at all but yeah

I see

even then, there were brightness fix tweaks that were definitely a better approach anyway

Yes yes I saw

no self promo

exactly how apple likes it though, so they'll never change it, unfortunately

:(

Oh ok

Didn’t think it was that simple

Lol

I think they realised objc's best feature (dynamic dispatch) is also the most annoying for them, because it creates a massive ecosystem of tweaks on both iOS and macOS

like, it's too easy

🙏

I love the objc runtime

Lol

that actually is a great explanation

average rust user

wait i have this all the time on ios 15, sm times it just sets my brighness to 0% after a respring. is this bad?

well

i think its an autobirghnet bug

bc it only happends when its dark, but i have auto birghness disabled tho

i just programmed a cat

is its code efficient

yes it runs very fast

nice

cross-platform?

is it running on C(at)++?

A14 experience

this how i make a tweak need another to be installed for it to install right?

yes

oh

One day i will buy rune

today

no

Rune developer I curse u with a14 device

when eta more rune panels

A13 supremacy

make this more expensive please

omw

5$

make sure it matches up completely

all it does is chnaged the time/date

so true

ik

i have to ammit, better than aim

nexus >>>>>>>>>>>>>>>>>>>>>>>>>> aim

freak aim

lol

💪

Now to make them actually do sm

hey you actually seem to be progressing in your dev journey

nice

thx, im jus looking at ur tweak pref tutorial and the zane video

but still need to learn objc

for what its worth

I learnt as I went

👍

are there any like simple ish tweaks i could like look at to learn things

or like apps?

open source ofc

uh

lemme see

I have a few on my gh

maybe check out quicksearch

mine are also pretty simple

I guess

k il take a look

any you know of with like making new views ig

and maybe like styling them?

Bolders Reborn and SearchDots both make new views

quicksearch makes a new window

@radiant idol is searchdots supose to suport ipad?

I guess?

it somewhat works

@radiant idol how long did it tke you to make search dots

like a couple days I guess

also question about like positioning, is it like position: absolute in CSS but like absolute from the items around it?

what about prefs, or do you just like copy paste most

it is relative to its superview

most of it yes, from Bolders Reborn

If you write prefs from scratch, you’re psychotic

how do i not write them from scract? can i make like my own template, like the theos pin pl thing like i coudl make my own prefs thing?

copy and paste from another tweak then modify

is it worth learning tweak development now when jailbreak is like half dead

😭

i was interested in doing it when jailbreak was not so dead but now i don't even use one

I mean its always interesting to learn more about how iOS works

good if you wanna learn iOS dev in general

i thought swift was the new thing now so idk

ios is like a never ending cave of cool odd weird things

and knowing objc looks good on a resume

alr

as well as having a few tweaks/apps on ur gothub

https://tenor.com/view/android-apple-wipe-gif-8915661

object oriented programming

I always start from scratch

and you’ve finished two tweaks in like 3 years

Swift is pretty standard and well-adopted at this point

Your resume is better with swift and objective C and C and C++

sadly the best thing for a resume is fucking JavaScript

can somone tell me if this gona work https://github.com/TeslaMan3092/musicBGblur

it will not

yeah

i was initially interested in web dev

then i got into jailbreaking and was wondering if it was worth it

i mean it is fun so i'll do it regardless of worth

litterally me

@radiant idol IT WOKRS !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

PREFS AND ALL!!!!!!!!!!!!!!!!!!

niceeee

💀

I will never learn frontend web development

yeah bc I’m not creative and don’t know what to make

ITS AMAZING

(watch the one w the song pipe down first)

Make a dock transparency tweak 👍

v c a m

one word r/twekbounty

%hook SBDOCKView
-(void)setAlpha:(float)arg1 { %orig(0.0); }
%end

smth like thag

Which one looks better ?

(The blur)

they all look the same to me LOL

ugh fine

I’ll look later

smh

@hasty ruin next nexus update can you make the like thing you hold down on to open nexus settings the time/date instead of the entire lock screen bc it break live wallpapers and its annoying when flex fails to open and nexus opens when u don't want it to

Only issue with that is in case you manage to make the text go off screen

You won’t be able to open it

i love swift

coudl you make it so that the size stay the same but it just stays on screen... like it gets the xy or the date/time and if it (make it go off the screen) just go/move it a much as it can till ti would be off the screen?

like establish the "view port"/screen size. then for the y-top just make it like a minimum of 0 same for x make the minimum 0. then for the maxes just make it like the viepot minus the size

instead you could just make an option to have a like "activate area" that you could chnage the x/y to be in the viewable range

stack pointer

@hasty ruin send me zsign args when you have time because no matter what i do i can't sign anything

codesign always complains about invalid code sig

i've even tried some random unc0ver version and an app store app

cgnb

capt gets no bitches

you're a ret

nah ur a FJCVTZS

need a joe instruction tbh

no

no new instructions

instructions are banned

cmpnlesd gotta be my favorite x86 instruction

What about rjb

Sounds like a good instruction

An instruction that ban gir from entering #development so we can spam slurs

We should add Aaron to that list too so be can’t veto

capt is gay

how did you do that

interesting, don’t know about that

icraze its a A14 skillissue or sm

if i have an app from the appstore that i didnt develop thats crashing bc:

*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSPlaceholderDictionary initWithObjects:forKeys:count:]: attempt to insert nil object from objects[1]'
*** First throw call stack:

can i fix this w a tweak or smth

yea

ok go on

hook the function thats crashing and write it so it doesnt crash

how do i know exactly what function its crashing on

the line after the picture you sent

backtrace

that tells you exactly what functions led up to that point

i got that from consoel log

counsel

@primal perch

Last Exception Backtrace:
0   CoreFoundation                           0x180f07c80 __exceptionPreprocess + 216
1   libobjc.A.dylib                          0x19872dee4 objc_exception_throw + 56
2   CoreFoundation                           0x1810026b4 -[__NSCFString characterAtIndex:].cold.1 + 0
3   CoreFoundation                           0x18100c84c -[__NSPlaceholderDictionary initWithCapacity:].cold.1 + 0
4   CoreFoundation                           0x180ec72a8 -[__NSPlaceholderDictionary initWithObjects:forKeys:count:] + 252
5   CoreFoundation                           0x180ee4904 +[NSDictionary dictionaryWithObjects:forKeys:count:] + 56
6   SFMCSDK                                  0x103ff47e0 +[SFMCKeychainItemWrapper updateKeychainAccessibleAttribute] + 824
7   SFMCSDK                                  0x103ff4490 +[SFMCKeychainItemWrapper setAccessibleAttribute:] + 136
8   Boost                                    0x102c183e4 0x102bb0000 + 426980
9   Boost                                    0x102d8718c 0x102bb0000 + 1929612
10  Boost                                    0x102ced90c 0x102bb0000 + 1300748
11  libdispatch.dylib                        0x180bc7094 _dispatch_call_block_and_release + 24
12  libdispatch.dylib                        0x180bc8094 _dispatch_client_callout + 16
13  libdispatch.dylib                        0x180b74d44 _dispatch_main_queue_drain + 928
14  libdispatch.dylib                        0x180b74994 _dispatch_main_queue_callback_4CF$VARIANT$mp + 36
15  CoreFoundation                           0x180ec3034 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 12
16  CoreFoundation                           0x180e80538 __CFRunLoopRun + 2544
17  CoreFoundation                           0x180e93194 CFRunLoopRunSpecific + 572

%hook NSDictionary

+ (instancetype)dictionaryWithObjects:(id*)objects forKeys:(id*)keys count:(unsigned long long)cnt {
    id  _Nonnull __unsafe_unretained newObjects[cnt];
    id  _Nonnull __unsafe_unretained newkeys[cnt];

    for (int i = 0; i < cnt; i++) {
        if (keys[i] && objects[i]) {
            newObjects[i] = objects[i];
            newkeys[i] = keys[i];
        } else {
            NSLog(@"key or value is nil");
            return [self dictionaryWithObjects:newObjects forKeys:newkeys count:i];
        }
    }
    
    return %orig;
}

%end

all good

no more crash

the fact that you couldn't type out two more letters for the word "count" makes me quite annoyed

https://developer.apple.com/documentation/foundation/nsdictionary/1574184-dictionarywithobjects

apple

WHY

they literally spelt it out correctly after lmao

bx lr

armv7 goated

👀

c⬛nt

vowels are bloat

Does iOS 15.x support iOS 14.x for devices which didn’t get iOS 16?

I feel like there was some SEP/BB compatibility chart somewhere?

se 1 and 6?

!t sepbb

iPhone 7

Ah that’s the one

Thanks!

@wind ravine

Buggos

(Also crashes w tweak injection off)

Also it jus doesn’t work at all 15.1.1

Ope nvm it jus randomly appeared

are dyld closures still around

yes?

Yes

its a swiftui bug

🔥🔥🔥🔥🔥

could some one turn this into a tweak, mainly just the clipboard share functionality? https://invent.kde.org/network/kdeconnect-ios

maybe you could use kayko to like to do cliboard getting on ios

https://github.com/vyolit/Kayoko

@indigo peak ^ ?

u said u need like tweak ideas

https://github.com/1Conan/cumsync

deos this work w ios 15+?

you could try

doesnt work

change this https://github.com/1Conan/cumsync/blob/5f9f27416ab959ded5b9f11aa336dedff38f8e8d/layout/Library/LaunchDaemons/com.1conan.cumsync.plist#L9C13-L9C13

i cant recompile it

wait im dumb

armv6

eh im jus using alr comiled deb

?

huh

whats the difference between this and copylog?

there's also https://github.com/Greg0109/BoardyServer btw

proprietary

load launchdeamon?

you didn’t sign it

i hope you like the name, i named it

What else have u named

Cumsync joe

conan made it because this one is insecure or something, or he was charging money for it? i can’t remember

perhaps it was both

BruhKeys!

Lawd

I'm back with more Mach-O questions :P

So my progress so far:

• I did copy string table into an NSMutableArray from the __TEXT.__cstring section
• I did put /var/jb in front of strings that need it
• I did add new segment/section pair (__PATCH_ROOTLESS.__cstring) at the end of the Mach-O

So far there have been decent resources on the things that I have done. However, now I need to get the xreferences of the strings in __TEXT.__cstring, then somehow "rebase" them to the new ones in __PATCH_ROOTLESS.__cstring. Note: I copied the entirety of the strings into __PATCH_ROOTLESS.__cstring, only modifying the ones that needed to be modified, and then put them in the new section. Is that the correct approach, or should I only copy the ones that need to be patched?

In addition, I have a couple other questions:

• Will __DATA_CONST.__cfstring need to be updated as well, since those point to the various strings in __TEXT.__cstring from what I understand.
• Global const variables go into the symbol table, if I remember correctly, no? If so, those should be patched appropriately as well. How can that be done?

For reference, here is __TEXT.__cstring:

And here is __PATCH_ROOTLESS.__cstring:

So im new with developing for ios and I would like to create an app for trollstore aka an unsandboxed app. Is it possible to get the device to reboot/shutdown without manually pressing the buttons so only with code? Couldnt find a lot on the internet but someone said it may be possible to force a reboot by crashing ios, but maybe there is a better and safer way

To shutdown:

[[NSClassFromString(@"FBSystemService") sharedInstance] shutdownWithOptions:nil];

To reboot:

[[NSClassFromString(@"FBSystemService") sharedInstance] shutdownAndReboot:YES];

Not sure if it will work while not jailbroken, but worth a try

alr, I will try thx

oh

didnt know that

shutdownWithOptions:nil
Options?

Not sure why there are options

i believe that’ll work if unsandboxed

is there any way to debug directly on my testing phone or unsandbox the ios simulator?

Don't think there's a way to do it via the Simulator, but you could just add that in your app and then sideload via TrollStore I guess

yeah I added it and sideloaded it via Trollstore but just nothing happens and im not sure why

thats why it would be great to have a way of debugging

Ah yeah fair

Not sure how else to shutdown/restart though

hm

I know that killall(@"SpringBoard"); is working fine, so maybe some way to kill an important process so it reboots?

Launchd

Is that a great idea? Probably not

I think ios is preventing killing that as it just crashes the app

Probably

I know you at least need to be root

well thats gonna be hard to get with just trollstore and no jb

It shouldn’t be

You can spawn stuff as root

Trollstore does it

hmm

but as u already said it wouldnt be a good idea to actually do this

would it be possible then to execute sudo commands via filza console?

iirc filza trollstore runs everything as root in its terminal lol

oh xD

oh yeah seeing it now

I'm not sure how reboots work, but I do know the settings app can trigger them

Iirc if you install a beta profile, it triggers a reboot

yeah thats what I already said, system apps like settings should and are able to reboot

just no idea how

assistive touch is also able to reboot without any external button presses

now best would be to find out how assistive touch is reboot I think

How can I compile a bash binary for use on a M2 iPad with 16.3.1

As in what compiler should I use

The Xcode compiler

For the iPhone SDK

How can I use the Xcode compiler outside of the Xcode ide

Is there a guide or anything

xcrun -sdk iphoneos clang -arch arm64 -o output_binary input_file.c

i mean, you'd just use clang regardless

xcrun just finds and runs executables within the current developer directory (set with xcode-select) or an environment variable

the actual xcode compiler is xcodebuild (which requires an xcode project)

clang is crazy

how would i optimize 3 parallel arrays in obj c?

i need a few different datatypes tho

i can show my code

this is initializing them, it doesnt need to be mutable after initialization so this is one thing i already know how to optimize
https://github.com/leminlimez/Helium/blob/6a7b4b5be5307bc921a81a4f646d98fbbd28c59a/src/hud/HUDMainApplication.mm#L948

i need to store the blur object, uilabel, and one of the dictionaries inside of the properties

this segment is what needs the most optimization and is what im most worried about
https://github.com/leminlimez/Helium/blob/6a7b4b5be5307bc921a81a4f646d98fbbd28c59a/src/hud/HUDMainApplication.mm#L822

im learning objc so code may be bad

ok so one thing that jumps out to me right off the bat

// TODO: THIS NEEDS OPTIMIZATION (is updated frequently)
NSArray *widgetProps = [self widgetProperties];
for (int i = 0; i < [widgetProps count]; i++) {
    if (![_labelViews objectAtIndex:i] || ![widgetProps objectAtIndex:i])
        break;
    UILabel *labelView = [_labelViews objectAtIndex:i];
    NSDictionary *properties = [widgetProps objectAtIndex:i];
    NSArray *identifiers = [properties objectForKey: @"widgetIDs"] ? [properties objectForKey: @"widgetIDs"] : @[];
    [self updateLabel: labelView identifiers: identifiers];
}

so you have this code

if the object isn't in labelView or if the object isn't in widgetProps, you break out of the loop

yea ik

however, if it is in both, you're then grabbing the value of it again

but they are created in parallel

my fix was if both are null then continue

didnt push that tho

so what you can do is move UILabel *labelView and NSDictionary *properties above your break condition, and then change the break condition to the variables. that way you're not checking for it twice

besides that this looks fine though, how often is this updated?

and how big are the two arrays?

often

it depends on how much the user creates

my guess is for the average user its probably a size of 3

oh

yea there's nothing you can do that will have a tangible benefit

it updates every second by default tho

still. even assuming 50 items, it's going to be pretty fast

but battery impact?

alright

should it be changed to a regular nsarray or is keeping it mutable fine?

you'd have to be checking more items at a way higher rate of refresh in order for it to matter honestly

iirc they're the same internally

actually?

huh

i swear i've gotten a mutable array from NSArray before

but idk

[array mutableCopy]

i only need to edit it on init

so i dont need it to be mutable

i am modifying what the pointer is pointing to tho

no i mean initialized an NSArray and got a mutable one, but idk, probably misremembering

oh

weird

Is that the correct approach, or should I only copy the ones that need to be patched?
idk up to you

Will __DATA_CONST.__cfstring need to be updated as well, since those point to the various strings in __TEXT.__cstring from what I understand.
yes (have fun with pac)
(and objc abi)

oh no

pac

Global const variables go into the symbol table, if I remember correctly, no? If so, those should be patched appropriately as well. How can that be done?
wat? what are you referring to

and should i be doing all those ternaries?

const char *const kPreferencesPath = "…" would get saved as a symbol iirc in the symbol table

also my code just stops updating after a while idk why tho

it happens with my old code too, so its not the array problem

i mean i only saw two. if you really cared you could change it to

blah = blah
if (!blah) blah = default

but idk

idk i feel like im not doing something right with the arrays

especially with having them in parallel

symbol table > value in __DATA,__data (variable is not const) or __DATA_CONST,__const (variable is const) > string in __TEXT,__cstring

so many things to keep track of

lol

ok well thanks for all of this. do you happen to know any resources/open source projects that do string rebasing in general? I'd prefer something related to Mach-O but having any sort of base would be nice

nothing off the top of my head

rip

How can I hack it into the makefile for bash

So I can compile bash for iOS

I am using terminal and it needs a shell

probably better to just compile bash from procursus

I have an iPad with trollstore2

So I can’t use the traditional jailbreak tools

no i mean

procursus is the name of a bootstrap yes
but the tools have to be built

https://github.com/ProcursusTeam/Procursus

but since it's also m2 on 16.3.1 you'd have to workaround being unable to fork()
and there's still libiosexec i think

this isn't fun y'know

at some point you'd still need some kind of bootstrap with the proper prefix unless you static link

didn't @frank fossil make a forkfix for TS? im not sure if it works on m2

the fix is very hacky, but should work everywhere

can also the do the dylib method

am I just wasting time?

I have ubuntu on utm hv and performance is good, but I thought it would be fun to try and get things working on ios

@restive ether

cam joint

https://tenor.com/view/let-me-be-clear-uhhh-meme-gif-25693361

so apparently skip-library-validation is unbanned on 16 and 17(?)
does this mean that signing dylibs with it makes it such that team ID doesn't need to be the same?

The team ID still needs to be the same afaik

Just doesn’t need to actually have a signature

But this doesn’t change much

huh ok

thanks for the clarification

i just read what it does on macOS so i assumed it'd be the same on iOS

No afaik the team ID still applies

Idk why they removed the trustcache requirement but if they did it might be because a removable system app now has the entitlement?

And this check prevents you from just replacing a framework of an Apple system app with an arbitrary one

ooo i wonder which lol

after the release of the VR operating system, is there any big brother preparing to develop visionOsapp

@granite frigate apparently skip-library-validation literally does nothing

Like it still validates libraries anyway

what a shame

yeah basically

seo on top

they do have a robots.txt but it only disallows the top level

I'm trying to patch an app but whenever I sideload it, I seem to crash when it tries to call NSFileManager::containerURLForSecurityApplicationGroupIdentifier: with it's groupid. Any idea why that would be happening?

I suppose I should specify that it's likely not that call actually crashing, but instead it's likely using the result of null and assuming it's successful which is erroring elsewhere

you might be interested in this script if you dislike that Google Search Navbar design https://greasyfork.org/en/scripts/470048-google-search-classic-navbar

👍

or just run whoogle

i think i am a ------

will do

the image lmao

like what i sent?

ok well it doesnt lmao

bet

no its mine

https://x.com/R00tkitSMM/status/1734282463541645314?s=20

https://media.discordapp.net/attachments/688124600269144162/1169708354273296424/caption.gif?ex=655662cb&is=6543edcb&hm=e28afc8f6575027decf6ff93755af47d1ff2dec061fead69630c4cc6aef78003&

optool

https://github.com/alexzielenski/optool

shutup bozo.

word

how am i gonna remove the original load command from /Library/Framworks

Wtf is LC_LOAD_UPWARD_DYLIB lmao

why is it not giffing

@grave sparrow now it works

whatcha doin?

gamepigeon hacks on trollstore

lol nice

./script hacks.dylib com.gamerdelights.gamepigeon.ipa

ah yes our beloved sh scripts

Zefram Malware

is this latest game pigeon

also does this have settings in game pigeons too

yes

tweak settings, no

How can I compile or install procursus on a TrollStore device to use with a terminal

I was thinking of somehow compiling it and then dropping it into /var/procursus and then pointing my terminal app to a bash binary from procursus

@indigo peak how do the hacks works? do u have a GP ipa that has teh dyld init then u install that? or ru u install GP form ap store and magically injecting it?

@acoustic imp should answer your question

ah

https://gist.github.com/khanhduytran0/675bba3db59bb7fac3ceaa49f2ef24e1

I did find a way to magically inject it tho 🤭🤭

@marble perch procursus ballin

wait so can u inject into mesages app?

Can’t get bash to run, something about a library used not being in the dyld cache

dylib cant be in that path

You cannot execute binaries inside /var unless they’re in /var/containers

/var/jb has to be a symlink to somewhere where you’re allowed to execute binaries

install it

Wdym

Its just a zip with a precompiled procursus

is libiosexec in there?

Yes /var/containers/jb/usr/lib/libiosexec.1.dylib

I’m not sure how to update the dyld cache to include it

Have you signed it with the CT bypass?

No, I am not sure how to

That’s the problem then

Uhhh someone should have the fastPathSign binary somewhere

@frank fossil

Ldid in TrollStore?

Hello fake dev

try fastPathSign command

Where would that be located

/var/jb/usr/local/bin

Isn’t /var/jb/bin that what I am trying to sign

Well it executes

fastPathSign /path/to/macho

They don’t have the fastPathSign binary I don’t think

Was wondering if you had a copy

Oh nevermind

What was the command you ran?

/var/containers/jb/usr/local/bin/fastPathSign /var/containers/jb/bin/bash

Add -r at the end

/var/containers/jb != /var/jb

It’s their symlink

Yep

I have it symlinked

Also you’ll need to run the bypass on libiosexec

Ok so just run it on the dylib

Yes

Doesn’t seem to fix it

It’s still complaining about it not being in dyld cache

What’s the @rpath for your binary

Whether or not it’s actually in dyld cache doesn’t matter

It’s impossible for it to actually be in it

procursus ballin

Ok I symlinked /var/jb to /var/containers/jb

Getting a address boundary error

I think I am halfway there

Now I need to get an on device compiler

THEOS!

i mean

https://github.com/kabiroberai/theos-jailed

its 7yr old but u could update it

been doing it by hand for years

alss an un sambed dev has a v of theos that works on xina/dopa so i would asume it would work on TS@(what ever this is) after you sign and do what ever to everything

user is the "(super user comand)"

@radiant idol i have a tweak idea. its like a walpaper tweak, but i wana know if you think it would be more or less do able for me... so its a wallpaper for LS/HS tweak, where you pick an image. Then on your LS its the regular image then as you swipe up to unlock it zooms in and blurs. With like an amination... like you moving/swiping the homebar/NC up is a time line of the animation... Like ios 16

also i could make it be a video then the like scroll/swipe up of the NC/LS is like you scrubing the video

so u could make a ios16 like ls effect

It’s certainly possible

But I couldn’t tell you the difficulty

I personally would need to do some research before trying to make that

oh ok

so deffff not a teslaman project

Striving for grand tweak ideas does eventually help you out in the end… if you have dedication

@radiant idol the iOS wallpaper stuff is very crazy

Iv only changed like 3 views

Like why are the two HS images

Lmaooooo

iOS is actually so interesting

Like how does it do this

So many like moving parts

Like how does this animation work, how does it still work after I broke sm

Can u like get the source code for it kinda

Like see anything ?

unless you reverse engineer it

Like what can I get from the header files from cinder site

no

Oh

only the methods that you could hook

Can I see the like code in the methods ?

No

And you don’t ever be able to get access to the original source code. However if you learn reverse engineering, you’ll be able to approximate the original source code given a decompiled version of the SpringBoard binary

List of things to learn… how to spell, objc, reverse engineering, iOS magic

First one is the most important

You seem to be getting better at it though

im sure there are plenty of oss wallpaper tweaks

probably can look at what they hook

I was also googling how iOS 16 does their wallpapers

found a useful reddit post https://www.reddit.com/r/iOSBeta/s/IGUS1pL9Ey

essentially it’s just a CAML file that tells different pngs where to go

CAMLs is also used in control center and face id padlock animation

Ah beloved CAML files

i was researching into them when i was trying to theme my cc without Snowboard and just file replacement

it’s a real pita

yep

I do know a dev that has a fully working control center theme tweak, he just hasn’t had the time to completely polish it out and release yet

ooo

is it the one with lottie animations

RuntimeOverflow, if you’ve heard of him

Yes

yeah

i have a deb of it

Ah ok

the last resource i found on camls was from a medium post in 2017

or something

maybe you can ask runtimeoverflow @acoustic imp idk

he’s kinda busy atm I think (RO I mean)

oh alright

and by “atm” I mean in the long term

@radiant idol that new like sep bypass downgrade thing. I have an A10 iPad 7th gen on 16.6.1 and I have blobs for iOS 15. Could I update to iOS 17 and like mess around w flex to see how wlaps are done on iOS 17 then downgrade back to 16.6.1 or iOS 15 ?

Not sure

Never used

oh the owner's not in the server

you can just dm him on twitter though

Is anyone else here interested in working on getting a toolchain for TrollStore devices

Because you can’t use the usual jailbreak stuff

https://procursus.social/@khanhduy032/111527040741069818

Did see this but I can’t get the included sileo to work

Nvm I got sileo to open by opening it from TrollStore rather than Home Screen

intresting

I can’t add procursus repo

It's probably trying to figure out what kind of bootstrap you're using and failing

yeah it's a custom build of procursus dropped in /var/containers/jb and symlinked to /var/jb

https://apt.procurs.us/dists/iphoneos-arm64-rootless/1800/

I think I need this

Inspect the Sileo source and see how it determines what to do

Figure out what breaks

That's my advice

My guess is that it's trying to figure out what jb you're using

so it can change some behavior accordingly

works on my machine

i just grabbed 1900

signed everything recursively with some bash script

profit

it recognises my device as palera1n rootless tho

that makes sense

1900 does not existr

huh

what do those numbers mean?

it’s the corefoundation version

I mean https://apt.procurs.us/dists/1900/ exisits

1900 is rootless only

1500 = 12.x
1600 = 13.x
1700 = 14.x
1800 = 15.x
1900 = 16.x
2000 = 17.x (note: 17.x does the wonderful thing of bumping cfver by 100 every major update)

how can I point sileo to 1900

this

Apt is getting stuck, left it for 5 mins