#development
sometimes you gotta let some sand escape the box
wayback time
so true
So I know Adobe makes a drag-and-drop kind of software to make websites like Dreamweaver, but is there anything else, software not web, that can do the same thing?
any binary signed with platform-application on ios can spawn binaries right
Just to be sure
give it persona-mgmt
Its gotta be stock binary
?
use that to spawn
Im just saying, can binaries with platform-application spawn
Im trying to brainstorm ideas for trollstore install method
Like I just need a way for something stock on ios that can spawn a bin at a path
Yk
Already tried looking at that when a previous exploit came out
nothing you can use
i mean i thought the first issue is trying to do stuff from a sandboxed app
hi im trying to run this unity ios game on mac with PlayCover, but it crashes when it tries to download the game assets
it tries to load a file that doesn't exist, does that mean my decrypted IPA is fucked up or something?
if anyone knows about reversing unity ios games pls help
i mean if it works on ios and not a mac then it's probably doing something that's intended to work on ios only
i haven't tested it on iOS, i don't have a jailbroken phone atm
could my IPA be missing files though since I didn't get it directly from my phone
possibly? idk
hmmm ok
thank u
do u know of a way I can pull a decrypted IPA off my non jailbroken iphone?
lol i have no friends 
can you dump the app CarX Street for me? 
trollstore
my iphone se doesn't have enough space
oh wait ios is just lying to me
smh
dick
Has to be unsandboxed
To spawn as mobile even
Yea no posix_spawn without unsandboxing
persona-mgmt wont help you either, must be unsandboxed to posix_spawn at all
persona-mgmt is just for spawning them as root
hello everyone, i have a theos project but i want to make it work on Rootless Dopamine. I tried adding THEOS_PACKAGE_SCHEME = rootless and make it but it doesn't work while Rootfull works fine, what is the reason?
What doesn't work
If you have hard coded paths you need to use ROOT_PATH_NS from rootless.h
Thinking of writing another blog post - how interesting/appreciated would a post on the actual "signing" part of code signing be?
Sounds fun
Like it would explain how the entire code signature is structured, how the signature is generated, and then probably how we use it in the CoreTrust bypass.
I mean it would probably be a series of posts but it would be useful to dump all my knowledge anyway
If you're up for it, more documentation is always good lol
I was just thinking documentation on the actual "signing" part would have been so useful for me
Ended up having to read the CMS spec for one part
This means that it would be important for whoever would want to study coretrust next
I think it's wise to do some documentation on that
is that not just things you can do with openssl
Yeah I guess
How do you mean?
I think it would be more of a "how to generate your own valid signature" kinda thing
So yeah, you can use OpenSSL, but it's more of how to use it
Well I'll try and get the first one done over the next few days at least
Sounds interesting. Send it to me when you've got something, I'll fact check it
Will do
Also figure out how codesign decides whether or not to scatter so that I can add that to ldid
(I hate codesigning so much)
Also execSeg makes no sense
Me too 
Because if I have multiple executable segments, it still gets set to the first one
Unfortunately that's not relevant enough to the actual signing process
That's probably an additional barrier
To prevent trickery
@sonic totem i looked into JIT in gamepigeon more, and it turns out that getppid returns 1 when run on MessagesExtension (where all the actual games are: the app inside imessage), and TrollStoreJitEnabler only runs ptrace me if getppid() != 1
How is it getting the PID of launchd 
idk maybe iOS handles the launch of imessage extensions special or smth
idk
yeah cocoatop also says ppid is 1
tf
it's same on TS only iOS
BeReal installed via TrollStore?
no appstore
this is how it's supposed to be tho
i mean, i guess so
but yet the jit enabler works from normal apps but not imessage plugins
it fails on posix_spawnp
because sandbox thinks its forking
which is
weird
@indigo peak https://fxtwitter.com/eveiyneee/status/1736021242690392130?s=61&t=pQzNler4oHrweCRvUcytZQ this doesn't need jit so
nathan eta kid
6s
i thought the only difference between posix_spawnp and posix_spawn is that it searches for the executable before calling posix_spawn
both of them don't work either way
tried both
but ellekit thing might just sidestep all of this entirely
@visual meadow wen eta
i got an insane method to get kernel_task's pid 
0
crazy
return 0;
}
real
why people making whole ass copies of system apps to just get some janky tweak injection
parentheses are for losers anyway
yeah its weird bro
i once sideloaded springboard app back in ios 15.5b4 days
my phone bootlooped
well springboard was crashing you could say
it was kinda a bootloop i guess
but i had to update
rip
that was when i had an xr
yea im staying away from that lol
whenever i get trollstore on my 14pm tho
pov: me
imma implement screendump into a app
theyre all just swiftui wrappers around spawnRoot 
and opainject*
i would rather bootloop then run that shit
fr
people always ask how is swiftui but they never ask why is swiftui
true
yeah why was it made
uikit will always clear
pov trying to hook an ivar in a swift object:
ppid turns to 1 when the parent process is dead
pov hooking a string 
other than that, no clue
sandbox says this
some apple dude: "hm, uikit is getting too easy... let's replace it with something that lacks features and is littered in bugs"
lol are you still doing that goofy (and dangerous) string rebasing in memory
funni
it's perfect now tho
(runtime one)
you guys think i could do some funny stuff with this to get trollstore?
now fix the static one
s0n
Can someone help me? I bought CarBridge and I don't know how to install it, and the email says I first have to do a jailbreak
how desperate are you to get trollstore lol
trollstore need
Which iPhone are you using and what iOS are you on?
iPhone 15 Pro Max and 17.2
average google translate user
you can't use CarBridge on that device
So code slot hashes are correct for an encrypted binary, so what's the process of running such a binary? Validate encrypted pages -> decrypt binary -> load into memory?
you need a jailbreak to use CarBridge
shut up fiore
And how do I do the jailbreak?
you can't jailbreak. Your phone is very new and also has an updated iOS version. you can't jailbreak that device
Well then the purchase was useless, thanks for helping me
no problem
By any chance would you know how I can watch YouTube in my car with this phone?
I don't know. I don't think it's possible to do that without a jailbreak.
Thanks
offsets offsets offsets...
one day ur talking russian
the other ur talking english
and now spanish
he think everything a fucking game
trol
Does it have jit?
If so maybe you could get that one app that one dude made working in it
This ^
I wonder what the parent process of MessagesExtension is
and if it's possible to keep it alive
like is it "Game Pack"
or is it some service that iMessage uses to spawn MessagesExtension
I think it is actually launchd
the point of the JIT enabler is, you spawn some process and that does ptrace
and ptrace sets debugging flags on both parent and itself
like pkd sends request to launchd and launchd spawns process
that's also how apps are spawned
so if it is launchd, is it still possible to enable JIT
of course
posix_spawn some process, that process does that attach myself thingy with ptrace
both processes get debug flags
hmmmm
I wonder
If the reason why
posix_spawnp doesn't work
Is because it's a message extension
and they can't be launched that way
yk
or am I just slow
@frank fossil any plans to add TrollStore JIT integration into this?
whats the point for that though?
So that I don't need to use SideStore
Iirc pages are decrypted when needed
So I don't understand why resigning an encrypted binary doesn't work
Like if you install with TrollStore
And bypass installd all together
What's the issue?
Do you have the fairplay data alongside it
I'm not sure
It's not a specific binary
Just a general question
Is FairPlay tied to the code signature?
No
Apple binaries are signed by the same certificate and stuff
But in order for decryption to work you need the fairplay data, and that's tied by account
Where is that FairPlay data stored?
Is it just fetched from the App Store when you download the app?
Ohhh right
So what if you preserve the original SC_Info and then re-sign with the bypass?
Another time
I will, but how do I sandbox app back afterwards? Tried sandbox_init("container") but it resulted in blocked access to app data.
did you try this entitlement?
<key>com.apple.private.security.storage.AppDataContainers</key>
<true/>
Already added to fix access blocked when unsandboxed, but it results in arbitrary access of other app data
Nice so basically if you can enable jit in an application you can run everything within it. By the same mechanism if you could start another app by checking it with ptrace you could enable jit there as well?
Developers Developers Developers Developers
Developers Developers Developers Developers
Yorn
Yorn
Yorn
@naive kraken hypothetically:
so if ptrace me debugs the child AND the parent process
wouldn't it theoretically be possible to
make a root helper that calls ptraceme
spawnRoot the ptrace root helper
and then since MessagesExtension is the parent process to ptracerh, it should be debugged
that's what I said
That's also what is being done for apps
oh whoops, my bad
could literally there be a binary that all it does is run ptrace
it doesn't need any special checks or anything
just needs get-task-allow and sandbox entitlements
root helper:
#include <sys/types.h>
#include <sys/ptrace.h>

int main(int argc, char **argv) {
    // Mark this process as traced; per the thread, this sets debug flags on the parent too.
    ptrace(PT_TRACE_ME, 0, 0, 0);
    return 0;
}
tweak:
%ctor {
int ret = spawnRoot([[NSBundle mainBundle] pathForResource:@"TrollStoreJitEnabler" ofType:nil], @[], &stdOut, &stdErr);
NSLog(@"[ptrace] %d", ret);
NSLog(@"[ptrace] %@", stdOut);
NSLog(@"[ptrace] %@", stdErr);
}
logs
kernel Sandbox: MessagesExtension(22433) deny(1) process-fork
MessagesExtension posix_spawn error 1
MessagesExtension [ptrace] 1
MessagesExtension [ptrace] (null)
MessagesExtension [ptrace] (null)
you're too sandboxed
unless you are snapchat
hes jealous
lol wtf
I see y'all aren't actually part of the #antoine squad...
Hello everyone, how to compress binary font file to C format?
I have the TrollStore version
real
do you actually have zero sales 
Yeah
@thin valley ayo are u here
that shit is ZERO now
YO
What's up
gm
Gm!
can i get a 5 copies of antoine giveaway
WHAT
that would be awesome thank u
u deserve it
How long?
1 day ig?
Bet
you didn't update it, the update nag doesn't show up on people's sileo
if you had it before it'd stay free in ur chariz account i think
actually i'm not sure abt that lol
Is there a way I can make these thing pop up ? Like make my own ?
Or does anyone know of a tweak that does this and is open source?
something Kit
starts with a B
lemme find it
i don't think so
@lime pivot
yeah idk kirb'd know
i assume not since it's not bound to your account
the framework is called BannerKit, and i'm p sure the answer is yes
hm
check your sales again now 
I appreciate it sm
give it a bit i'm sure the sales will start coming soon
fixed btw
Is it a private one ?
And could I find it in cynder.me or what ever
yes
BannerKit
@indigo kraken knows more about it
ok thanks
The platform fees have never been higher.
@primal perch @hasty ruin average rust users be like
this is marked as an error btw
Really?
the java class and mach-o magic bytes are a bit too __problematic__
only on the rust code base itself, but yes
rustoids
which process, game pigeon?
I gave MessagesExtension the entitlements to disable sandbox...
I wonder if that's because it's inside of iMessage
why does trash take so long to open on macos 
macos is in itself trash, it has to retrieve itself from trash first
lol what
that's none of the compiler's business
cringe authoritarian rustc vs chad libertarian clang
you sent a photo showing that you are too sandboxed
what other entitlement could i possibly need to fix that
i dunno
so like
if you use that const
or any of those
will it not compile
nah this applies only to the rust codebase itself
so you can't compile cargo or the standard library with those numbers
or anything else in the rust project
not as bad as you think lol
how tf u get errno 34 lol
Result too large
i prefer 0xCAFEBABE
all the macho ones kinda hit ngl
yes
fuck java
yes
so true
java did it first
hm
system dot out dot print line me some money
Okay I can understand that, but it is silly. I was worried that they were trying for enforce this for all codebases
I can't understand that
babe is gendered so we can't have it any of the code bases guys
java got the worsts prints fr
true
meanwhile apple just wants to get along
@visual meadow i just tried to access a file in /var/mobile/Documents/ and it wouldn't work
cafe babes unite!
error: Error Domain=NSCocoaErrorDomain Code=257 "The file "Tokens.log" couldn't be opened because you don't have permission to view it." UserInfo={NSFilePath=/var/mobile/Documents/Tokens.log, NSUnderlyingError=0x282aca5b0 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}
Classic Tokens.log
pov endianness
point being im still sandboxed
#
petition to remove dev role from all swiftui users
C#
+1
maybe its because of blastdoor shit????
all swift users*
hey now
+1
you dont count
real
you literally added raw pointers to swift
gonna remove dev role from coolstar
wtf based???
swift assembler 
are you guys still doing this
you use cwift
kwift
cwiftKit fr
It's almost 2024 bro
objc >>>
what the FUCK is that syntax tho
Still blows my mind that this is now actually valid c++
serena
this is swift
that is
lmao
that pure swift
This is not swift
almost 2024 and doesnt know what c++ is
that is swift
you can use func in c++ now headass
oh I didn't see the var keyword
my b in re
makes the most sense
func main() -> Int {
var joe: Int = 420;
printf("joe: %d\n", joe);
joe++;
printf("joe: %d\n", *(&&joe));
return 0;
}
swift
You can't use printf in swift tho it gives you an error abt va functions
&& is that place is not valid c++
it is swift
you can with asm
I read the first 2 lines
and the last
don't blame me blud.
variadic haxx
swift trying to not make everything into pure crap challenge
because && = rvalue reference
Did they fix the c va bridge thing then
looks like it
no
Yeah whatever shut your dumbass up
LMAO
swift is built on bridges
swift is a bridge
swift will forever be broken
its wonderful
better than sw*ft
imagine not enjoying assembly
anything except for rust is better than sw*ft
not a hard bar to cross
true
nah im kidding
stock swift mids
sorry the compiler doesn't understand what is:
better than sw*&ft;
a type cannot have a space in its name
cmon icraze
after all this time
you should know this by now
three edits
gottem
youre a couch
take that
reminder
exposed
call me the
@torn oriole nightwind is ABUSING PERMS
stop spamming logs icraze
call me a couch the way yo mamma sit on me
Racist
its not nice
so true
<@&558709886397972481> add this please
thanks x
imagine if apple just blocked objc from working after swift dropped
ong
compile by hand
write the asm by hand
what if they remove the runtime
hm
fish one out of an old device and reverse enginner it
reverse engineer the entire objc runtime
just write a new lang 
what happened to objc 1 2 and 3
some american ate them
with proper block syntax
oh
the swift virus is present even in here
JavaScript
real
Can they even do that?
Isn't swift a bastardized version of objc?
Anyways I want to get back in to iOS development - there's just one problem
I have literally no idea what to do
Like no idea, as in you don't have any idea of what to make, or you're not sure where to start?
No idea what to make
will you give them Zefram source
infiniboard 
ok
zefram malware
owe you what
why do you want it so bad
cuz its god tier
with kfd you can only overwrite files in var right
truly false
anything capt wants
is horrible
you should know this by now
You are a strange creature
does anyone here know an alternative to MSHookMemory that doesn't need jit
i dont think there is one
what you trying to even hook
its the extend lines thing in 8 ball
im trying to find a way to yk
not need jit
its fiores thing but im looking too lol
is the line length dynamic?
i have no clue (@indigo peak do u know)
what if it was static, though
the game installed with TS right?
yes
just patch the bytes and resign, then install again
this is a preference tho
like
that would just make it forced
lol
cant turn it off
could patch it to reference a value in rw mem that you change then
that'd be annoying to do lol
how install this to test lol
do you need the whole ipa?
might be easier yeah
I can test it
what are you changing anyways
not sure yet, ida loading
whats ur idea tho
@indigo peak whats the stock value for it
O
0x1000e4e18
thats a better addr lol
nerd chat
ida_kernwin.jumpto((0x1000e45b8 + 0x860))
I should really swap refunds and fees there
0x1000e45b8 is mMove start
0x860 is the offset
nop it doesnât, because we donât require login to download free products
that value is 60.0f btw
yeah ik
ieee754 moment
Can anybody who actually knows computers help me with this? https://pcpartpicker.com/list/GGfZXk
Part List - AMD Ryzen 9 7950X3D, GeForce RTX 4070, Cooler Master MasterBox NR200 Mini ITX Desktop
why are you getting a DRAMless SSD
Fixed
ryzen better 
yeah the p5 plus is better
I like crucial
my ssd doesnt have one 
you can probably get away with a 650 W but 750 is fine
so 4070 is not a power sucker like the other ones right
idk
Intel uses so much power and is super hot
lol what did you do
what u set it to
what about a liquid cooler
yea 750W should be fine
nothing, i did other hax
++ and semicolons??? what is this, C?!
id make some changes to this list but im currently editing a list and i dont want to lose it lmao
Hehehe
cwift
incognito
How do you even pronounce that
true
swift
English doesn't work like that I'm afraid
"shit language"
swift++
Swift except with :: everywhere*
why a mini itx board
So it's small
P5 Plus 2TB
My desk isn't that big...
ok
yeah it seems like a nice setup
just make sure the cooler will have enough clearance in the case, I just bought that Thermalright so I can find out for you if you're curious lol
Funny enough this is how much money you owe me 
You owe me for buying you that meth
piracy :/
Hey everyone! Maybe someone can help me. I discovered that after I did login -fp mobile (like NewTerm3 does to open a shell) pseudo whoami always returns mobile. pseudo is this GitHub project. And to be clear I use an iPhone 11 with iOS 15.6RC2. Any idea?
Any 27" 4K monitor recommendations?
time to attempt to set up a decent development environment
Aaand I can't jb my phone
do you care about >60hz
so what about LHPatchMemory/MSHookMemory breaks codesign- like what part of it fucks it up
the fact that it's runtime code modification
Is >60hz worth it?
for me easily
For me not at all
realistically thereâs no gain if you donât play games but itâs smoother
Itâs whether you personally think itâs worth it
i thought someone said at one point its bc of C hooking or smth
the same reason is for both
mshookfunction is on principle basically mshookmemory reskinned just with some orig convenience
but then how does fishhook allow for c hooking without fucking it up
idk
magic or some shit
anything off rtings is pretty legit
s2722qc or s2721qs are solid for cheap
Time to figure out how to develop tweaks without a jb
I'll probably go for the s2722qc
That way I can get 2 and stay in my budget
how do you make a symlink vnode
buy corellium
Not sure I could fit an aio in that case
funvnoderedirect - refer to wh1te4ever's kfund github
I wonder if a like i9-13900 would be better
You were like 5 years old shut up
or 14900k 
since new gen is out
Iirc the performance increase is not enough to justify the price increase
its like the same price as 7950x3d it looks
and like $30 more than the 13900k
idk if the 7950x3d and 14900k are very different
Oh, I was looking at something different
Donât remember what now
i9-14900k has 24 cores...
vs 16 of 7950x3d
is that 40 threads on the 14900k
oh no
i cant count
no i can count but i cant read
Yes
i would probably pick the 14900k, especially because ddr5 might not be great on amd
but idk
maybe its just zefram 
Part List - AMD Ryzen 9 7950X3D, GeForce RTX 4070, Cooler Master MasterBox NR200 Mini ITX Desktop
Did some changes
Using a 240 AIO and got 3 case fans
hi everyone what are your thoughts on this guy? he has shown flex, springboard actually responding, and the camera bump + dynamic island and serial number https://vxtwitter.com/lfy_trav/status/1736595789382619197 unless i'm being blind or something he's proven it's not fake
@_AppleiOS @alfiecg_dev Flex injects into springboard as well, but it's very buggy and causes device to crash when scrolling through ui. Still a work in progress
The first two videos he posted are proven fake, but this one idk
Looks pretty legit...
you can't fake the DI without actually being on 16
But it is a real iPhone 14
Also there is literally no notch
What is DI?
Dynamic Island
Dynamic island
iOS 15 didn't have Dynamic Island?
Screen record, video edit, play video
Gotta be really convincing to fake gestures
Yeah
def fake
don't see how it could be, though...
thats the thing
it looks pretty legit
idk how it would be faked
14 pro launched with 16 lol
I donât know anything
hmm
lets see what the guy says when he finishes typing in #jailbreak
hmm he stopped
link pls
@indigo peak try not to be an idiot challenge (impossible)
jk ily fiore
scroll up
Suspicious he didn't show the views on springboard very long
yeah the video isn't super long
I think he's playing along with a video
Look when he tries to exit the fuckin hierarchy tree
Looks like the input should have hit but it just doesn't
Just ask them for technical proof lmao
Something to test whether they actually know enough in order to pull things off
dms are closed, iâll send a reply
lol
Proven?
SN in settings can be faked
Huh ok
itâs a UITableViewCell, he can edit it in flex
your mom can be faked
The second one was just a screenshot of springboard, the first one could have just been a recording
oh lol
He's hiding something. The settings app is real but I think springboard is somehow faked
@granite frigate this is fake as fuck man
dog
but idk how it's faked
this is like
if gordon ramsey became the president tomorrow
like that shit just cannot happen man
fr
anyone who moves that much while recording a video is clearly hiding something
He also said he had tweak injection like 3 weeks ago
(He literally just installed apps manager via trollstore)
Yeah details about them were proven fake
okay this is just fake then
Gm
I Also think this is EXTREMELY sketchy
But how can this be faked?
@Broco8Real @JunesIphone Flex injects as well, but device sometimes panics when scrolling through ui
hello adam
One other dev I talk to told me that he probably has a video running of his iPhone X with atria and he injected flex into photos app. But then my question is: you see him touch the screen, so why don't these things show up
no the FLEX is SpringBoard flex
it isnt injected into the photos app
it is injected into springboard
SpringBoard is the homescreen
so no
unless this was faked some other way
it isnt fake
So a random guy found a way to inject tweaks on 16.5 with iPhone 14 pro max
I was the person that got him test atria
3 weeks ago he said it safe moded him
So then the other videos wasnât fake or?
no
the other two
are fake
this one is also probably fake but I cant think of how one would fake it
Is it possible to do something so these stuff go away without jb?
afaik, no
unless he somehow made an app that is a video viewer without having those bars
but that's a stretch, considering the gestures he's doing
Because I think if you look at the video in slow motion it's going faster than he taps
wdym
I am confusion
we're trying to debunk a possible fake jailbreak video
I'm with you I don't see how that could be faked
So the person I know says it's a video right. And he just taps where he taps in the video
he probably moved the camera away when he fucked up the taps
now that i think about it
yea
This tooo!!!!
hmmmmm
Quick question, does anyone know that date that google TAG adheres to the 90 disclosure policy
22 dec iirc
oh sorry
Awesome
So we are expecting a kernel exploit for 17.0?
does theos support adding frameworks with spm in the package file?
He double tap on done though
In the end when he is exiting flex
As far as I understand we have a poc for two CVES patched on 17.0.1 right
Just missing the kern exploit ?
The chain was patched on the 21st September
So anytime after December 21st we can expect the writeup
I normally do that too though, it is a little finnicky
Alright would that be posted on google project zero or the google tag page
Hmmmm
This is so weird
Missing it in terms of what?
I think this new one looks very real
This video
But they went to such effort to fake the first three or whatever
They must have found a way to fake this one too
yeah I genuinely can't think of a way how this one would be faked
I thought that there were 3 zero days patched and two have a poc and write up
probably
One thanks to you
And the whole taking the phone off camera for several seconds at a time thing is weird too
yea
And the 3rd is a kernel exploit?
Oh yeah
Also he says in the video: please don't crash bitch
oh what
But we only need the kernel exploit for installing TrollStore
lmao
He says in some tweet text too that flex is unstable and sometimes crashes his phone
idk how flex would be unstable but ok
For me too it is
Crashes my phone too
Also why didn't he just say that he achieved this 3 weeks ago. Why wait
@sonic totem in the past have they released just a write up or a full poc? Trying to see from a developer point of view how difficult it would be to write a poc from just a write up
Ppl in another server says he is a known faker
They also say itâs probably a fake springboard
lol what
I also got confused lol
Google said that they would release a detailed writeup, but whether that's just a detailed analysis of the bug, or a full exploit, I have no idea
Wen eta wtfisInstaller17
That's what I was thinking
Yeah that's what I said but the gestures, idk
They've just written a fake SpringBoard in SwiftUI
But why just don't do that from the beginning
Because it was easier to fake it on an iPhone X
Hopefully not the latter as I'm guessing it's difficult to find an exploit from just a report
wouldn't the homebar show in that case, though?
on the "SpringBoard"
Maybe they hid it with kfd
Isnât there that weird kiosk mode thing
Nah kfd
or kfd yeah
They on 16.5
what
They say
Just implementing it will be hard, but in all fairness a lot easier than exploiting it jsut off of patchdiffing
Wow
@sonic totem @native dune but it is not hidden when they enter the "Settings" app, this behavior is consistent with the regular behavior of the homebar
weird
Yeah I'm trying to load a kernel cache into Ghidra but I don't know what I'm doing
I might not have the right tools
unless he faked the homebar too(?)
good luck lol
homebar.gif
Whole thing is sus
I'm running it on an Intel hackintosh too
@sonic totem if you don't mind me asking do you use Ghidra or binja?
I mean technically, a CoreTrust bypass is a PPL bypass by definition 
is there a difference
frankly why trust them if they've faked it three different times
I'm not the guy to ask
YouTube it
And see
Ok
no yeah but it is quite interesting - it looks extremely realistic
There's some good videos there
just ask them some technical question about it to confirm fr
Only 2 confirmed. 3rd one looks extremely real
ok true but it does look real
there is 0 things i can sus out
CoreTrust is just CoreTrust, PPL is lots of things
Entitlements, root, trustcache
etc.
But since CoreTrust is part of PPL
A CoreTrust bypass is technically a PPL bypass
someone's gonna take a screenshot of those messages and post them on twitter
good luck
:P
TROLLSTORE DEVELOPER ALFIECG_DEV TEASES PPL BYPASS TO BE RELEASED SOON
REAL
DOPAMINE 3.0 IMMINENT
I'm calling my next jailbreak cocaine
if they've faked it before, now it's on them to prove it's legitimate
Because that what it takes
for sure, but normally fake vids have some sort of thing you can sus out
this one
nothing
it looks real
Not if you have checkm8
That reminds me I need to write my checkm8 jailbreak
you'd be surprised by just how meticulously something can be faked
Palera1n is a thing
cocaine jailbreak
Yes
He wil be back with more videos
Trust me
coca1ne
probably
I'm stealing this
c0ca1ne
Even better
nah you gotta have that @ and 3 in there
c0c@1n3
or a 4 would work for "a" as well
(source: I've been involved with speedrunning stuff well before I got involved with jailbreaking)
0xc0c@1n3
0xc0c@123
Most of the common fake things you see are lazy
this time probably isn't one of those cases
yeah
Watch as they are using some sort of screen mirroring
He was one of the first ppl that got sileo and terminal on ts2. I wonder if thatâs faked too
I just accidentally git reset something I'd been working on for hours and I hadn't pushed to remote yet 
Ruby on Rails
I need to get my device jailbroken to develop but I don't want to update to iOS 16
Worst part is it was like my fifth attempt and the first working version
Oh well
Time to start a new project
when I start a new project, I always am too lazy to put it on github. always regret it later when I lose code and have to rewrite it
only then do i put it on gh
I'd need to DFU restore to be able to jb
alfiebreak???
rip
Would've had to start a new private repo and set it up with git remote