#development
oh nvm that's a PAC vuln
what about both 
roller.m -o /Users/royalgraphx/ReviveOTA/build/usprebooter.build/Release-iphoneos/usprebooter.build/Objects-normal/arm64/troller.o
/Users/royalgraphx/ReviveOTA/usprebooter/troller.m:124:5: error: call to undeclared function
'xpc_connection_activate'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
xpc_connection_activate(connection);
^
/Users/royalgraphx/ReviveOTA/usprebooter/troller.m:124:5: note: did you mean 'xpc_connection_create'?
In module 'Foundation' imported from /Users/royalgraphx/ReviveOTA/usprebooter/util.h:10:
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS17.0.sdk/usr/include/xpc/connection.h:147:1: note:
'xpc_connection_create' declared here
xpc_connection_create(const char *name, dispatch_queue_t targetq);
^
/Users/royalgraphx/ReviveOTA/usprebooter/troller.m:106:18: warning: unused variable 'xreply'
[-Wunused-variable]
xpc_object_t xreply;
^
1 warning and 1 error generated.
** BUILD FAILED **
The following build commands failed:
CompileC /Users/royalgraphx/ReviveOTA/build/usprebooter.build/Release-iphoneos/usprebooter.build/Objects-normal/arm64/troller.o /Users/royalgraphx/ReviveOTA/usprebooter/troller.m normal arm64 objective-c com.apple.compilers.llvm.clang.1_0.compiler (in target 'usprebooter' from project 'usprebooter')
(1 failure)
where do I get the proper headers wtf
could you point me to which trollstore file i find this on ?
Only use with unc0ver
😂😂
it's either krw -> ppl (0day) or krw -> pac (0day) -> ppl (n-day)
or both nday… the phone is on 16.3.1
there is no PAC nday
oh i see
at least none that's publicly known
not keeping my hopes up for any release tho 😅
@indigo peak how’s ur game pigon cheats going ?
Do we have any idea of what iOS that will support if it releases?
there'll probably be a pac n-day within 5 years
so stay on the version
:3


cool
It seems that there is a bug in hv_trap_vcpu_run -> hv_enter_guest that can bypass pac (maybe CVE-2023-32424?). Apple fixed it in macOS 13.3 and removed the entire hypervisor support in iOS 16.4
hv_trap_vcpu_run
M1 Mac 13.2.1 FFFFFE00085063EC
M1 Mac 13.3 FFFFFE000853E724
↘️ Quoting UTM (@UTMapp)
BAD NEWS: Apple removed Hypervisor support from...
yeah this was a bit ago. i forgot
could someone please explain to me how the tweaks part works on trollstore, I just can't figure it out, or point me in the code which flow to follow
Wdym the “tweaks part”?
I read on x that it is possible with trollstore to run tweaks on other processes ( even on the springboard) but on the code I can't see where this part is. Also because I knew that without PPL bypass this was not possible
even on the springboard
that's only possible with KFD
and this part isn't built into trollstore
it's the bug that allows it
^^^
a ok, but with KFD you want to know is there an example of this on any github repo?
I don’t think anyone has achieved springboard injection with TrollStore and kfd yet
Anyone knows if there are similar resources to this handbook on arm?
https://azeria-labs.com/writing-arm-assembly-part-1/
I wanted to get hands-on, but specifically on an iOS device (arm64). The guide is tailored for 32bit. I have an arm64 jailbroken device, so I thought I might just as well fully utilize it without getting additional hardware. Corellium is so expensive for me.
ok thanks 🙂
But if you want to try the best ^guide I can give you^. Would be reading this conversation with jb hub Evelyn and Jake James
ok thank you i will try
-
injecting tweaks into other processes isn’t with trollstore, it’s by using the bug that trollstore uses
-
tweak injection into springboard and other system binaries is only in theory, no one has actually written code to try and do it. what evelyne has suggested is, (with KFD), symlink the system binary to a fastpathsigned binary that can do whatever you want with. afaik this is so that the codesign cache is removed
-
on app store signed apps, this can be done by fastpathsigning your dylibs to have the same teamID as the app binary’s teamID. currently, fastpathsign can only sign binaries to the teamID of GTA car tracker. to change fastpathsign / ChOma to sign binaries to any arbitrary team IDs, you’d have to:
(from Alfie)
- Pass in the App Store-signed app
- Create the custom signature blob structure by adding in extra SignerInfo and CertificateChoice elements
- Update load commands and CodeDirectory hashes in SHA256 CodeDirectory
- Update signed attributes in the new signature blob
- Generate signature
OK clear, I will do some tests. One thing a little different, once I enable jit in my process is it possible to download a dylib and start it in memory? because to my knowledge it is not possible to start in memory dylibs that are not inside the app, but from some tests I did I realized that if the app is in debug I can do this thing. Could it be related to jit?
if my thinking is right then you could start a system app, enable its JIT and then have a signed dylib loaded into memory with fastpathsign or not? even though doing so would not achieve anything because it would be a second app anyway and I would not go touching the original one
yes you can dump a system app and use opainject to inject dylibs into a trollstore installed version of it
just not that practical and a bit dangerous i think
unless you changed your installed app’s bundleid
I was saying without changing the system app physically couldn't you start the app with active jit, lock it in the main and have our own dylib loaded there. In theory if the dylib is signed with fastpath it should go. Ah, maybe not, because the teamId is different
can this not be exploited?
or is it unstable
I have no idea
Just a thing I found while I was searching for the PAC CVE
Interesting
good
gonna try this later
Lol
i have a 7 plus with taurine so i'm set
I just find it amusing that a company had to resort to jailbreak tweaks to get their stuff working
cause jailbreaking is epic
So true
inshallah rcs ios
they’re just coping atp
So true
could you be a bit more descriptive? or possibly a link to said proper SDK
- go to wherever the macOS sdk for xcode is on your device, typically it’s just in Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs
- copy over xpc.h files and bootstrap.h file over to the iOS sdk which you are using to build
excuse the ping, can I ask what SDK you're targeting? atm, it's ofc set to 17.0 by default as i've not set up anything previously regarding theos at all
i notice when im building there are multiple versions being used, 15.2, 15.5, and 17.0, so i'm just confused as to how I can unify them all, or wtf is going on with my environment atm
wait i may just be slow asf, i just read the log as discord formatted it much cleaner lmfao
nope, they're there
you can specify which sdk version to target in the makefile for the theos project
but theos will only use ones that exist in $THEOS/sdks unless you specify a path yourself
ah shit, i completely forgor, yeah setting it to latest has fixed theos issues
but im still getting build errors with trying to compile the rest with the 17.0 sdk in xcode
it said it couldn't find launch.h and foundation failed for some reason
yeah, i've deleted all sdks in theos, and i'm gonna attempt to generate fresh one myself I guess
then maybe reinstall that simulator/sdk
you need to copy launch.h as well
^
and make sure your system include path is configured properly
oof from the macOS SDK? alr bet
yeah custom IDE that only does one thing
sadge
yeah you need launch.h when doing stuff that goes through launchd 
which makes sense for xpc
luh mao, thought i moved it over before from a downloaded launch.h
it only looks nice
GM
i mean it being proprietary has some justification
okay finally
LMFAOO
the app crashes on my device but im pretty sure thats just because im using 16.5 theos and 17.0 SDK so, need to get on 15.5 for those i guess
it also could be that since I didnt make any changes to the app, its prob empty lol
thats true, where @? just on console? or did you mean at a path on iOS
interesting lol
crashes generate a log file
or you could look at console too ye
log file would be more helpful here though
since it will typically tell you what terminated it and why
mmm could you tell me the path its at? I'm assuming ~/Library/Logs/CrashReporter or something? idk what it is for iOS
i don't remember the path but ios lists them in settings > privacy > analytics > analytics data
from there you could search for the name of the app and the log should be there
wow yeah nothing there
damn RIP
its all good ill get on 15.5 SDK as to eliminate that possibility anyways
/private/var/mobile/Library/Logs/CrashReporter/
yeah
maybe you don't see it in the syslog since you filtered to the bundle tho
at some point it could've been referred to by the executable's name or PID at the time so
@hasty ruin what do you think of my types
I’ve done far worse, don’t worry
like 6 levels of that
whaaaaat
Why not type the array??

you're going to ham on that beeper project lmao
This is worse than Swift!
it is
can I typedef this somehow or something
this is atrocious
to look at

i was gonna do a third but decided 2 was enough lmao
what were you gonna do for the third one lol
whar
but that's zefram
zefram is special
because it is written by c*pt
that's just as big as mine
in fact I think mine is bigger
NSDictionary<NSString *, NSDictionary<NSString *, NSDictionary<NSString *, NSString *> *> *> *map;
still bigger
woohoo
type measuring contest
1 point for length
0 points for readability
take a joke
smh
URL.stringByAppendingPathComponent() 
LMAOO
gm
arch -x86_64 zsh
install brew in this session
well yea
that's the other option
just build brotli yourself
and then statically link it
Is M1 still good for simple Xcode projects?
yes
can anyone recommend me some devs for a project? dm me
You should probably explain the project a bit more
No one will just give you a list of developers
except the kernel panics
very weird occurrences
L
but aside from that its good yeah
odd
that sounds quite sketchy
Dude I just have fucking stalls in the DCP code somewhere
Internal display dies while external works fine
Microsoft moment
lmaooo
Who are all the people who have found PPL bypasses?
To my knowledge, it is 3 people (Linus Henze, pattern-f, Asahi Lina) and I'm wondering if there's anyone I forgot
(This question isn't really dev related but I'm posting here at the advice of Nightwind)
bazad
thanks
https://bugs.chromium.org/p/project-zero/issues/detail?id=2035#c4
Fixed in iOS 13.6
ancient ahh PPL bypass
he’s the OG
how much do you care about properly building it
build normal
build rosetta
lipo
otherwise look up how to cross compile with meson i guess
never used it
Bring a loaded gun with you as well
except that requires a mac
this seems like something hayden has already done and he’d called you stupid for not figuring it out
what do you need an ini parser for
Meson build system is like cmake
what did you plan on accomplishing there
meson is super easy to get to cross compile
Way better than all the other alternatives
lipo
look at procursus
build_misc/templates/ there is a file for meson
see procursus does it all
Basically make a cross.ini that does cc = xcrun -sdk macosx cc -arch x86_64
I will not help you more than that
Until you show me that you actually tried
BORING!
DONT BUILD AS FAT
Build armv7
It never works
“Why shouldn’t I use this thing that I just complained about not working” - capt
👋
Oh I guess that means I should go
Uhh I didn't qualify
oh?
apple when they ship every binary as FAT:
though i guess it makes sense cause of rosetta
theos also currently builds all tweak dylibs as FAT
even if they have a single slice
i mean
you lose nothing by doing so
its probably easier to just unconditionally do it, or it might just be a byproduct of how its built
yeah true
there is an open pr to change that though
I think I saw the team working on making single-arch binaries build as non-fat
yep
^
oh true I should read
gm
Hello, sorry to bother you, I thought I heard that it is still possible to upgrade to 17.0 (I'm jailbroken with Taurine 14.3), with Dallas or Pallas. I just saw someone who succeeded, can you please confirm?
that was a special case
Tf texas gotta do with jbing
lol
Oh no 😦
I thought it was still possible, I was hopeful when I saw the guy upgrade to 17.0 by forcing the update or something.
it requires a bunch of manual work from me and i don't have the time to do that now
assuming i even have data for your device to begin with
Okay no worries I can wait if I have to, there's no problem if it suits you, unless you have a lot of work and the chances are minimal 😦 which I also understand.
I don't want to hold you back in your work
I'll wait as long as it takes, otherwise I'll be stuck with it
What does this mean
I'm so angry at myself for not wanting to upgrade, I'm losing support for almost all my applications, I'm just a moron that's what I am
Pallas is the codename for the server where your iOS device looks for updates
i am uncreative
Oooh so u like make a custom one
so i made my interposer thingy Dallas
And it says yo you can update to this version
basically
well you still can, TSS is signing it
my server in the middle is just feeding the right parameters to make Pallas return XYZ
Oooh but pallas by default gives the latest version
So u say ok lets pretend this the latest version and boom
You're a genius wtf
in most cases, my server quite literally inserts "give me XYZ" into the request
sometimes its a bit more work
ie. security updates for devices that didn't support that (apple added support with 14.5)
I'm on 14.3 with Taurine, so it should be easier, but as I said, I don't want to bother you, I've just seen the guy who's succeeding thanks to you.
iPhone 12
mini or normal?
I'd be so happy, I'm always available, I'd wait until you are.
normal
norman
ok i will look later
Thank you Dhina 😄
@ocean raptor what's the best way to normal reboot
reboot(8), shutdown(8), launchctl(1)
You’ve got lots of options
They’re all identical
do any of those exist on stock
No
shutdown(8) is only on procursus, elu and tele don’t have it iirc
Just use reboot3(3)
is my best option to just copy the reboot code then, which essentially consists of
sync();
(void)signal(SIGHUP, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGTERM, SIG_IGN);
(void)signal(SIGTSTP, SIG_IGN);
(void)signal(SIGPIPE, SIG_IGN);
exit(reboot3(howto) == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
do i need the signals
ah alr
evil
so sync & reboot3 it is
the sync() is probably a good idea, but unneeded tbh
no loss from including it ¯\_(ツ)_/¯
I have time to go eat and take a shower, do you think?
yes
i need to sleep
I'll see you tomorrow
Good night
I'd love to know if this is possible, and if it is, going straight to TrollStore would be great
rest well and take care of yourself
Quick question (sorry this is a macOS question but idk what to search): When I make a macOS app in for example Xcode, and 7 days after compiling it complains that it can't be opened anymore (I guess it's to do with free developer accounts only being able to sign apps for 7 days), is there a way to disable this check on macOS?
cant you just right click open it
Fixed the page on chariz like 2 days ago and now there’s actually sales… I always knew you guys were part of the #antoine squad
(Sorry for all the sudden promotion and price stuff, uni and some other stuff is coming up so)
squad
glad you're getting some sales 🚀
🫡
hey how do i find a virtual address in another process
im trying to use it with vtophys in kfd
I’ve thought of another way to sandbox app after enabling JIT, by execv() to binary with restricted entitlements, but it turns out really weird. App home directory is changed to GTA Car Tracker’s PlugInKit data directory. Any ideas?
It’s somehow triggering the TrollStore bug where all apps share the same data container
Have you specified the entitlement for your plugin to fix this?
MORE SALES THAN NEXUS WWWW
i had to buy another gift so it's at least 18 now
okay u can shut up the joke isn't funny the 2nd time
does anyone know how the hell do I make a window draggable anywhere like PIP
why i cant build static irecovery?
....
make[2]: Entering directory '/home/Admin/libirecovery/tools'
CC irecovery-irecovery.o
CCLD irecovery.exe
C:/msys64/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.2.0/../../../../x86_64-w64-mingw32/bin/ld.exe: irecovery-irecovery.o: in function `postcommand_cb':
C:/msys64/home/Admin/libirecovery/tools/irecovery.c:344:(.text+0x1b7): undefined reference to `__imp_irecv_getenv'
...
it means that the function __imp_irecv_getenv is defined and used but the linker can't find the reference to it
so i need to link library with this function?
well yes but presumably __imp_irecv_getenv would be in irecovery...
@bomberfish77 @SanderzenHD Always on display ✅
this is an interesting development
did you not link it to libirecovery
modified sileo? seems like everything hes using has already been shared
why does he keep saying turbo’s producer tag 😭
Lmao
now im curious lol, im going through the guy he replied to's github, and he's gotten things decent with just a CT bug
you mean -lirecovery-1.0 ?
I am just get so confused lol
wdym
It looks real but are probably fake
Wym
what if its possible to do that to springboard lol
a respring would make sense?
I guess
and, the guy sharing the AOD previously thanked someone for sharing the sileo ipa
so, assuming its modified to run on TS/CT
It does say “unknown jailbreak” instead of “palera1n (rootless)” which is what it said before iirc
Well xina also says unknown jailbreak
It bootstraps with the palera1n bootstrap
So Sileo thinks you’re using palera1n even though you aren’t
in this case we're talking ab a device thats iphone 14pro max, i dont recall whether it has any exploits on 16.5 thats a jb
other than trollstore
hence modified ipa
lol
why no? bro prob patched it out
Delete that file, and Sileo won’t know what jb it is
and it falls back to a default?
@nimble oriole anything to comment?
Yeah but this is easier
my theory is, simply modified sileo ipa shared by dude he thanked, he is on 16.5 meaning he does have exploits, and the guy he thanked has the ability to fast sign and load tweaks into non apple store apps, which in theory could explain the respring, if bro is crazy and modifed springboard app container
This is the place where the checking happens
and the deb
the deb is fixed up to work on CT/rootless i guess
its just patches all around ofc, same as when rootful -> rootless, but now even more restricted to containers, but atleast CT can still do things such as the tweet above apparently
You’re talking about Cylinder?
ye, the deb he installs lol
Hm
mhm c:
@radiant idol trav dropped a new video that looks even more realistic
have you seen it?
I mean it’ll still install because all the bootstrap files for palera1n are there
I now realise you’re all talking about it
bomboclat
Yeah we’re discussing that
What do you think
ye, and the possibility of it being possible, with enough effort lmao
He is confusing me so much
make LDFLAGS="-all-static -lreadline -lncurses -lirecovery-1.0"
same
wait this looks legit
it is c:

read the rest till now as well, seems fully possible
Well we’ve always known that it was possible
why does he keep dropping his phone
We’re just not sure if that guy actually made it work
throwing something to someone to the floor is a sign of disrespect basically
well, only one way to find out, he's given the sauce out and explained it decently, i'm sure someone more talented than I would be able to take an actual attempt at it, and get it to work, so we can't say its fake at least, but him flexing like he made it, is a lil rough
Mhm
One could ask him for the hash of the cylinder deb, presuming it needs to be patched in order to run in such an environment, the hash would be different
If it is the same, then something might be up
Soooooo are we believing it’s real now or still fake?
thats true, if the deb file is mishashed, itll let us know right away
esp since he explicitly shows he is not installing the tweak from sileo, but instead simply using sileo to install mentioned deb
also i've been out of the game so long i finally learned what procursus is lmao, jesus so much has changed
since iOS 11 to 12 tbh
i did jailbreak up until 13.5, but by then, i was just enjoying jb not actually doing anything productive
check this out though
its crazy we're on iOS 17, jesus
Did you update ur tweaks for rootless though
never lol, i only ever dropped two things, one was a literal small thing i made simply for when i got into theming (showed app bundle ID on 3d touch) then apple killed 3d though, and then the second, i was da one who decompiled game pigeon c: and posted that on gh
but by the time i did, i had to restore to 15.5 ☠️ never did anything with it
i see
yeah, i mean i guess now theoretically i can work on GamePigeon hacks still, but that would be kinda yknow, trivial having to install a modified copy of the game
you should make tweaks
POPCORN JELBREK :V
i’d like to, i just have no idea where to start atm, being made to relearn everything in this climate is tough lol
Weeeeellll
as far as me being on iPhone XS Max, and on 15.5, i can use kfd or only CT bug?
A tweak tutorial for beginners to the iOS jailbreak developer community!
self promo
shameless
wow you’re cracked
but yes
nah that’s me asf
hahaha
ong
and so, it’s just that KFD is unreliable? or unstable 😵💫
or both lmfao
ah, good, that’s just fud then
it just needs offsets for every single device + iOS combo
He confuses the shit out of me
that’s mainly the reason it’s quite annoying to deal with
but I think someone managed to make an offsetfinder
so that shouldn’t be an issue
i thought someone made a lil tool a while ago for finding?
ah yeee
decent decent then, i have fiores troll decrypt but it doesn’t show imessage extension applications, any way you’d think i could add that?
oh actually, this may be tricky
I wouldn’t know, no
crap yeah i may have to actually uh, make a tweak for gamepigeon first, that loads classdump or something, but basically i need to generate new headers c: are there any macOS tools that could do that with just the binary?
because basically, reason why imessage extensions are a PITA to dump is cause they only remain active while the window is in focus ☠️
if not it’s insta dead
ooo i saw that
ah okay, but to my understanding it’s kinda like IDA pro where it reverses it and gets the headers?
no
it doesn't really reverse it
ah it’s in the binary
all the metadata is in the binary already, you just need to take the pieces and put them together
the problem is every year apple changes some aspect of the format
oof wow
dope, so i can theoretically yoink the apps executable from filza, and open with ktool? that would be nice lmao
Try it
ong bet
I also have done example tweaks on my GitHub if you’re curious about all the rootless stuff
Pretty simple though
It’s just a macro
yezzz ill def be bugging you lmao, atleast until i finally get to understanding
people conflate rootless as much harder than it really is
its just because people are often updating their tweak for 15+ at the same time as well
so depending on what you're doing there may have been no changes or a lot
Yeah
would either of you happen to have a template application that would basically build into a blank app that works with TS?
thats a decent repo idea
It’s just annoying for tweaks that won’t be updated for one reason or another
use whatever template theos has
dope, ill check that one out
to build it into a ts app you add entitlements as necessary and rename the ipa to tipa
pretty simple
most have their tweaks still closed source or something?
lol aint no way lmaooo
if you dont need entitlements you can just feed it the ipa directly into TS
yea tipa's aren't special
and then whats tsroothelper for?
the only reason it exists pretty much is to make airdrop work
ahh
trollstore's root helper?
yeah i saw that lol, airdroppable application or something
that's just how TS does anything that needs root
Closed source tweaks can be patched for rootless, but that’s quite difficult if you don’t want to use symlinks. Open source tweaks can just be compiled for rootless with very minor changes
ah yeah cause i'd like to be able to basically have access to the filesystem and spawn arbitrary binaries, i wonder if i could get classdump-dyld or its derivatives working somehow on-device again
decent decent
iOS 12’s rootlessJB (if you remember that) patched them with symlinks
But that’s quite hacky
middle school times
Lol
oh bplanks?
Ye
the transition period between iOS 10-12 jb impls looking back at it now was so mesmerizing though I knew nothing at the time abt how they were implemented
Haha
if someone wants a tweak idea suggestion this would be very neat to have on older iOS versions https://www.macrumors.com/how-to/make-haptic-touch-faster-on-iphone/
I think there was a tweak that forced 3D Touch and it was quick but hasn't been updated in a long time
@timid furnace Hello Dhina, How are you doing? hope you slept well, I am yesterday's person regarding the 17.0 update on the 14.3 iPhone 12
stop giving this dude attention, this shit is 1000% fake
Oh he’s now saying he’s written a jailbreak?
Exactly
Even faker now
Like bro we only have a coretrust bug
@radiant idol will all the new tweak injection while being jailed, will it come to iOS 15?
Also will it “fix” spinlocks ?
The app tweak injection?
Yea, and the possible springboard injection
No, spinlock panics will only be fixed on versions that Apple fixed them on
Afaik Apple fixed that particular bug some point after 15.5
🥲
or if a KTRR bypass is found
It’s technically possible to fix
If the issue is what it’s theorised to be, it can be fixed
He only properly diagnosed it a few weeks ago iirc
It’s possible but atm the attempted fixes are not working
interesting
This is assuming the diagnosis is correct though
well but those aren't fixes, they just get around the bug in pmap, no?
you'd need a KTRR bypass to actually fix the bug
Or a bootchain exploit
good luck finding one :P
Gonna try at some point
i hate pmap
L
If you hate it so much just find a bypass for it 
can a trollstore installed app prevent itself from being killed in the background by iOS?
Like a daemon lite
Without like using location or playing music
Assuming I don't use too much memory
The maps app can keep itself around when giving directions but I wouldn't be surprised if that was partially the location services
Also it has an annoying pill
Like let's say I wanted to persist to handle cron jobs or run a simple server that doesn't use much resources
i heard the bsd thingys work
debugging asm by only using a crash logs printed thread state is not it man
is this related to the "project" we're working on
or just general frustration
lmao
it is not
hardcoded patching moment ig
should've just done front end dev smhsmh
never
I never diagnosed it
Do they persist when the app that launches them dies?
it's impossible to diagnose
I meant the big description in the issue on the Dopamine repo
I just collected all the info I know of and concluded is must be something related to shit being paged out
Ah
but like
that I could tell months ago because the issue is triggered when something tries to fault in memory
im pretty sure
i havent tried it though
bootstrap apis work fine
So can I daemonize something?
I thought trollstore only worked with things launched via springboard and down and not daemons
not a real daemon
You can have UIDaemons but not LaunchDaemons
Once Tatsu doesn't sign iOS 17 I won't be able to upgrade, right? I hope to upgrade before then 😦
it is still signed
17.0?
yes
But it requires manual work and that's not easy.
I hope you can find the data for my device, I'd be so happy
First time I'm hearing about this. IPSW.me says it's unsigned and ik the delayOTA window is closed. Where can I read more about this?
it's something that only someone who knows about it can do, it's not for novice users if you know what I mean, it requires knowledge
?
whats this?
MDM style delayed update?
damn you gir
dang
its my device yes
ah yeah seems to be Apple Internal related, makes sense
Being an apple employee with access to the TSS room?
i wish
need that juicy apple vpn profile
what kinda knowledge then lmao
nowhere
hopefully that japanese guys thing is actually legit
then someone can try and modify it to work on 16
i doubt its legit tho
already checked there didnt find it
lets convince us lawmakers that we need to make tss keys public
given how inept they are with technological issues it shouldnt be that hard

anyways
It doesn't work iirc
Shouldn't be too hard to make it work on 16 I guess
Why does T8011 have to be unique and have a random checkm8 issue
Apple™️
some kinda repeat of 15.6RC1👀
Mmm
OMG Thanks i'll try this now
Can I follow the ioscfw update (blobless) tutorial? then it seems to me that I have to keep TrollStore open in my appswitcher to recover it on iOS 17 otherwise I’m fucked
yes follow that tutorial
thank you man
The profile is available until when? I'm finishing the work I have to do. I'd just like to know how much time I have left to install it
i genuinely have no clue
you probably have at least 12 hours
but i can't guarantee that at all
Thank you
I have 62/64gb of RAM in use, do I need to make storage in order to upgrade? or it doesn't matter
uh
RAM != storage
and yes you will definitely need more space than that
i would say at least 5GB
oh shit okay thanks wait
Nah apple would just tell them if they did that a bad guy would be able to remotely control their grandmas phone and block her sending their birthday money.
Now what you want to do is convince them that no one is safe unless the government has the keys and then wait for someone to leak it
that would be easy
if you want the TSS keys to be public, better have lots of bribery lobbying funds
@timid furnace On the guide it says activate supervision, on the other it says activate supervision-less mode, what should I do?
I just got home and I'm going to get started
for the delay ota steps follow what ios.cfw.guide says
I wish someone made a jailbreak for iOS 15.6.1 A12
I wish someone would make a jailbreak for iOS 18 but that isn't happening
But another problem is it should go to the regular data directory instead of PlugInKit one
I need to install Dallas Enabler ? Step 3 or i can just put the profile that you sent me
you need dallas enabler
Ok thanks
chimera on 4k has finally been fixed 
based
In the profile description I see that the profile is made for 17.0 XS D331AP is this normal?
had to write like 200 lines of asm 
yea i forgot to change the description
oh okay thank you
arm though
🙏
the best
real mfs use arm64

What a weird way of saying you are a virgin
i didnt do anything
I c nothing wrong w that
die
when presenting a vc onto SB
do I use UIApplication.shared.keyWindow?.rootViewController?
LMAO
whatcha makin?
<redacted>
tell me
or else
wait
is it the calculator
but in springboard????
no 😭
Great idea, you should do it
yes
since femboy calc
I’ll never let it go
😭
Until you make it
I would never
cause it's a waste of time & effort
Mk
linux 2
Figured it out: this'll mess up the vc presentation, so instead store the SpringBoard UIApplication from applicationDidFinishLaunching into a variable and then use that to get the keyWindow
if you use the standard UIApplication.shared it'll be wonky when switching between lock/home screen
circa 1996
@timid furnace it downloads the update it tells me there are 0 seconds left I'm waiting it's been 5 minutes :p
@interface UIViewController (UIViewControllerClassDumpWarning)
- (void)attentionClassDumpUser:(id)fp8 yesItsUsAgain:(id)fp12 althoughSwizzlingAndOverridingPrivateMethodsIsFun:(id)fp16 itWasntMuchFunWhenYourAppStoppedWorking:(id)fp20 pleaseRefrainFromDoingSoInTheFutureOkayThanksBye:(id)fp24;
@end
What is the best way to analyse ios binary?
apple used to be creative
:c
They hated swizzling so much they made swift
£4000 will get you an IDA Pro license
£0 will also get you IDA Pro
Hey @proper reef, have a look at this!
Do not link or discuss piracy. Repeat offenders will be banned.
We take the same stance as r/jailbreak regarding this. It's recommended to read up on their rules. You can find a more in-depth explanation of our piracy rules below.
tr
ok fine
not true
mostly
thats true
i can get money for $0
its called getting a job
💀
you can get nexus for $0 
how much did you pay for nexus?
four dollars
also i will start work on spring board scrolling in a few days (im on vacation rn and hotel wifi isnt fast enough to download simulator runtime)
So I want to develop some small tweaks directly for apps (similar principle as YoutubeReborn where everything is in the app) and I already know a bit swift but not really much of obj-c. Would it be worth it to learn obj-c for that or would it be also relatively easy to accomplish with swift?
time is money
Nobody uses their time for money though usually
I’m not doing all dat
Capt is gay
I use my time at work to make money
This is rjailbreak do you think most people here have a job
👀
What mail client is that
- learn C
- attempt some crackme’s, gradually going up in difficulty
- once you feel confident with those, look at past exploits and try to study them
- preferably get an old device on like iOS 9 and try to make a jailbreak based on an existing exploit
- then I guess you’d have enough knowledge to know what to do from there, but idk
Yeah but presenting it
A window could be used for a calculator
If you don’t shut your ass
Calculator made of windows 
holy fuck thats cursed
Biggest issue with writing a jailbreak for iOS 9 is that Xcode doesn’t support anything below iOS 12(?)
I think it’s actually possible
it is
To compile for older devices
it's just a pain not to have debugging tools
Using Xcode CLI tools
Yes
can I just say
clangd with VSC is actually quite good
almost xcode-like autocompletion
@visual meadow I’m looking at twitter and it looks like the catstore developer gave you access?
I made a pr shits n giggles and it worked idk
It’s access for when it releases
You should leak it on an alt
And that’s assuming that it will release
Idk im on 16.6.1 but my irl friend is on 17.0
I will believe it’s fake until I see it
(hopefully they leave the tar update code in 🧌)
Just unfortunate that google is taking their sweet time rn
I’m guessing they adhere to the extended 14 days
I’m really looking forward to the Google writeup
Same brother
I wanna see how the spyware vendor managed to install the bypass binary
I didn’t even think it would be possible with the exploits they used
We have a kexploit web exploit and certificate validation bypass
How is that not enough
Probably just exec from /tmp right?
It’s not a kernel exploit
It’s a LPE bug
Which makes no sense
All they had was WebKit r/w and a LPE
They’re still sandboxed inside WebKit
You can’t execute from /tmp I don’t think
Isn't webkit a platform binary?
Yeah it’s a privilege escalation bug but not a kernel r/w bug
Like does it have platform-application
Then it should be able to exec binaries then i think
How would they get the binary into /tmp in the first place though
So you can spawn binaries with an lpe?
Again, they’re still sandboxed
Lpe??
You need unsandboxing
No clue then
I thought the other exploit was r/w inside safari webcontent
Yes but if you have r/w you’re still sandboxed
It sounds to me if they make a good write up that there is actually a 4th exploit
Undocumented
So maybe they managed to somehow escape the sandbox and then they could just replace a system app binary
Three different sources say there are only three exploits
Google (twice) and a Citizen Lab blog post
And only three vulnerabilities were patched
Since we have r/w to the safari process if we had unsandboxing is that enough for a 17.0 install method
Ah
Because you could just write to a system app bundle
Because it’s the most useless removable system app
they really had a sense of humor
it was quite amusing
now u just lose a hundred dollars instead lol
Same
What's the best way to combine two thinned Mach-O's back together, programmatically? Should I just do it via a posix_spawn of lipo, or is there a better way of doing it?
Is this inside an iOS app or something?
ChOma has a test for it called fat_create and there’s no restrictions on creating a fat with duplicate architectures
Not exactly - I split a FAT file into two and patched the individual slices. Now I want to just combine them into one again
As a one time thing, or as part of a larger program?
Well
I'm taking a .deb of a tweak, unpacking it into a folder, looping through all of the mach-o files within that, recursively, and then splitting them into their respective thinned .dylibs. Then I patch the thinned .dylibs accordingly. After that, I would like to combine all of these thinned .dylibs back into a FAT macho and then replace the original one that was there. At the end, I just repack that folder as a .deb.
Right now I'm doing this in a test Theos project. Later, though, I plan to rewrite this as an iOS app with Xcode
I’d say check out the ChOma code for doing this
Not sure if it works on dylibs but it produced 1:1 copies (compared to lipo) with two executables when I checked
would it be worth it to do that instead of just posix_spawn'ing lipo?
Well idk if iOS has a lipo build
I don't wanna do it the lazy way, but I do think that just using a native tool to combine them instead of hacking together something is best
all lipo does is hack it together as well lol
need a lipo api fr
just gonna do this then
lipo arm64_slice.dylib arm64e_slice.dylib -output combined.dylib -create
You have to specify the architectures iirc
Although that syntax might also be correct
looks like it works
Oh cool okay
pretty cool
not an issue
wtfis was written with xcode 15 in the last stages
could even automate having it installed on device but eh
xcode 13.4.1 still working good for ios 9 
So it will build for iOS 9 anyway?
and before
easier for simple debugging
even for armv7 i think
yeah true
maybe armv6 too 
that was removed in like xcode 6 bruh
what's the oldest arch supported?
😭
need the m68k support back
I have some great organization
goated tool once its done 
should release as both ngl
ive done way worse lo
how bad
its in a swift project lemme screenshot it
of course its swift
i cannot find it rip
sad
Linus did it 
it is
what
im not writing a jb in swift
i would never
its runtime SUCKS
thats compile time
I mean how it functions during when you're actually using the app, tweak, whatever
its so cursed
eh
UIKit works in both objc AND swift
so
SwiftUI is swift only tho
and should stay that way
no one should write SwiftUI
no one should write swift*