#development
1 messages · Page 121 of 1
is that supposed to happen
iOS 12 best
because apple
Don't listen to @radiant idol they only started programming a week ago
dont listen to alfie, I'm the one who made trollstore
Just use the latest SDK, it works down to iOS 12 anyway
Imagine jailbreaking a iphone in Xcode simulator
We all know that that was @hasty ruin 
false info
Ch0ma guy
Fr
@radiant idol the irresistible urge to tell everyone in #jailbreak to ping iCraze because they will listen 
Can I use your exploit
Sure
i'll do it instead
is it possible to maybe modify some values on a vulnerable iphone and then use quick start to carry that over to a non vulnerable phone
its like changing a setting on a tweak but instead of respringing you just reset the entire phone
@hasty ruin
Can I make TrollStore 3 with your exploit?
@hasty ruin
No you cannot
Not the one in ChOma
Ok
It was patched in 17.0
most exploits are written using objective-c correct?
C
No
To recreate TrollStore
Mine was written in C 
whats the huge difference between c and objective-c
What about shell?
ObjC is OOP
@radiant idol will tell you more
oh
@acoustic imp
i hate you
Can't really write an exploit in shell
Doesn’t TrollStore use shell?
W
You can use Swift
No...?
theres a tweak written in arm64 assembly
Ohhh
yes ❤️
who the fuck would go through all that just for a tweak
why not
fair
Somewhere on my Mac there is an Xcode project Hello World app written in arm64 assembly
Where is it...
why
Who is masochistic to that extent ?
now write an entire jailbreak using only binary
lemme send
Already got one
all i can say is it probably has at least 1 1 and 1 0
Make an os with assembly
real
It's actually easy
ok make one for ios 17
Well idk asm so can't do it
@robust totem @slim bramble https://github.com/qwertyuiop1379/Tweaks/blob/master/fixshitbook/Tweak.S
but the process of making it is easy
Get a kernel exploit
oh
@radiant idol should I drop fastPathSigned3: Assembly edition?
drop slowPathSigned -1
damn
Download xnu kernel
ok buddy
how do people even find exploits without any access to ios backend?
Reverse engineering
can you use like the firmware file and inspect that with a program
Like this
@radiant idol "alfiecg who developed choma is finding bug in coretrust iOS 17.4"
ysy
Decompiler exists
Look at 17.4b1
will ghidra work i dont got a mac
Yes
ok cool
the thing is while 17.4b1 will probably have something changed related to coretrust and possibly an exploit i dont think any bug introduced in the beta will be in older versions
first ever binja user spotted in the wild
Exactly
Real
I love Binja
Binja is the reason we have TrollStore 2
There’s most likely more bugs in 17.4 though
Moving to IDA eventually though
anyone seen this already? https://x.com/eveiyneee/status/1751723085659566525?s=46&t=slL8cf6usQejcJzNt825vw
if you even care, 17.2 and lower seem to have a UaF (krw!) in igmp_flush_relq. I’m
not smart enough to exploit it, someone else should try
no way
Yes
of course im 1 version higher
It doesn’t mean there will be an exploit
17.2.1
laurie is making an actual objc decomp for ghidra so we'll see how that turns out
Okay W
binja scripting is already better than ida 🙏
The Binja decomp for ObjC is not good
I’ll take both
and swift too apparently 😳
@radiant idol will be happy
yes
value wise(assuming no piracy) binja destroys ida
goes pretty hard cus i can run it bare metal
Agreed
i hate booting up a vm for ida
And why would you have to do that? 
cracked ida 
im not a genius but if someone can crack the app designed for reverse engineers they can probably hide malware in it well

Free
well for the bare minimum arm64 package like 4.5 grand for an actual license
Use the 100% discount code
~6 with arm64 and x64
Xi Jinping
HUH?
4.5???
Time to get a job 
anyone have a working link to this google drive ?

hey @hasty ruin you still up for a quick chat
this man is a future jailbreak developer
I've found that companies hide all their good stuff in iOS apps lol. Since android is so easy to reverse
iphonedevwiki is ancient so I would guess that that link, along with other ones, are probably dead
oh bummer
Tbh that’s outdated by now
okay
advice: dont touch sw*ft
well i mean
with android you have a built in debug bridge
and if you want to modify an app you can just patch it, resign and install (either lspatch or actually patch functions)
then there's frida lol
Sw*ft is the stupidest way to make a jailbreak
GIR broken™️
womp womp
don't say that in front of linus
Objc is worse
make a jailbreak using brainfuck
Only valid way to make a jb is c
Make a jailbreak using assembly
Seconded
how similar are c and c++
c++ is c with various extensions
in c++ i am kind of intermediate level
c -> imperative programming language, c++ -> oop
My C++ knowledge would not be good and I consider myself fairly well-versed with C
C++ belongs in a molten lava pit on Mars that is about to explode
C should belong to every programmer's brain because it is so simple, elegant, and great
C is better imo
C is the best
That whole C++ class shit is quite weird
if you think THATS the weirdest part of C++ then you're way off
time to learn c ig
Is achilles one of them ?
It is indeed
what achilles
Where have I said that
Just rewritten v2 if you didn’t see 🔥🔥
Gaster skidded
OSS checkra1n 1337 alternative
Also incorporates gaster for disabling signature checks
??
@sonic totem i wouldnt let this slide if i were you
Sshhhhh
c is great until you stumble upon more complicated declarations like this for the first time: long **const **(*xyz)(char* var);
Where are their projects?
lmaoo
I read it half
You paid 299 dollars?
Uhhh void*
ok done
Exactly 
ik what a print does and what a variable is
can i make a jailvreak now
@serene hawk btw thanks for the media remote thing it works great
No I got the student discount
🔥🔥
no worries, glad it works. the api is just a pain in the a** to work with
I want to master arm64 assembly / reverse engineering binaries / frida method hooking etc for reversing apps mostly
You need to try Achilles v2
idk where my iphone x is
me?
No clue if it actually works on anyone else’s machine 
No one has tested it except me LOL
"Go right when you can, and left when you must" or something lol
Oh very nice
Well they are on my GitHub
W
is there i way i can say if one or both of these(vars) is = to 1 then do {}
ah thx
Use && for and
A simple Google research would have told you
tru
I have a lot of unfinished shit
A lot of shitcode™️
sister i forgot
Two words: arm64e support 
@sonic totem achilles windows support eta wen
palera1n arm64e wen
Uhhh checkm9 eta wen ?
I don’t want have a Windows computer
KTRR full jb eta when
checkm8 works on A12 and A13 but needs a mem leak to function
Yeah and version string to be 2 byte shorter
For A14
The UaF is completely gone on A14
Well I still want checkm9
checkm8 would be so cool on A12/A13
Yeah read your blog post about it
would revive the jb community a lil
And A14

alife developing checkm9
Yes
SEP mitigations: 
yikes right
forgot about that
Secret Haxx™️
Untethered ?
I cannot comment
eh itd still be fun
witawee use kttr
ios 17:
*bypass
ios 18:
p sure ios 17 makes it impossible to boot from dfu without a sep exploit
We want untethered bootrom exploit A17 pro
ios 19:
could still fuck around with pongo tho
boot another OS 
I wanted to test that
true
Because part of me thinks that’s not the case
find SEP and SSV exploits please thank you
done
oh
fugu15
please send 50000000$ to my paypal
someone comment out the line that runs sep auto in palera1n
trol
No more booting
i'll send it straight to tim apple himself because i know you're secretly working for him (or maybe you ARE him?)
Because SEP won’t even boot in that case

I killed SSV
Reminds me of when I tried to get custom SEPOS booting with blackbird 
Just process it like they are A11
No passcode SEPOS™️
true
Me when I’m totally NOT using blackbird to bruteforce an iPhone passcode for an assessed school qualification 
sounds fun
Mind sliding that in dms
The assessors gonna love it
It’s not done yet
How do you decompile?
It’s on my school timetable for… Wednesday?
You doing that for school ??
for educational purposes only i assume 
Help Alfie is trying to hack m-
Yeah
Cut off mid-message by my 0click RCE
How do you decompile?
@slender glade hii
Oh it actually is
It’s a proper qualification you put on your university application here in the UK
Install Binja, Ghidra whatever
any way to make freePip not default to freepip mode?
Rest is fairly self-explanatory
you use a decompiler such as declang, degcc, and dellvm
damn that’s actually great
How do you get to do cool projects when I’m studying stupid shit at the same age
i’m asking myself the same question rn
LOL
I have like a year to do it
NEA ?
NEA ?
NEA ?
I have a brit friend that have something called a NEA (Non Examined Assessment) to do
Oh I see
He’s making a java re tool
what course do you want to apply for exactly?
It’s hard to explain without a knowledge of the UK education system but it’s like half an A-level
Computer science
But I’m contemplating whether to go to uni tbh
it’s a lot of maths + much theory and shit you already know in the first few semesters lol
but it’s good to have some sort of qualification
Half A level ? 
…if you don’t already got a good job you like
Once you’ve got 2/3 years experience your degree doesn’t matter that much
Well exactly
true that
Just pull a jjtech
Find a 0day pro max
Yeah lol
It’s worth half the points
And get a job
I’m trying
Ping me first when you find checkm9 super pro
😭
Is it fun to stay 10h+ looking at binja ?
No

I have PTSD of Binja from diffing CoreTrust
Oh
whats this mean ?
Push
New coretrust exploit eta
brother
(dont mind the 15 .superview's)
idk how to get a reference
2 years
Tbh leave school and work fully on coretrust exploit
I’ve considered it lol
Lmao
what else would u spose i do
@acoustic imp https://medium.com/@rajeshvelmani/best-practices-for-writing-clean-and-maintainable-code-8de6ffca3986
hold on bruh I can't let this stay
one moment
I would leave cuz I’m just bored at school but I need to finish to attend an engineering school
Basic shit
i believe MRUNowPlayingView
See I don’t need to finish which is the problem lol
ok
Why do I need an A-level in economics
@radiant idol MRUNowPlayingView
If I’m never gonna need it again
Well it’s just a qualification
I ain’t getting anywhere without the french equivalent of A level
for building your own business i suppose 
Hmm what’s that again
It’s not IB is it?
Wait for him to release PaidJB only 10$ a month
BAC
That’s A-level business 🤓☝️
Ah yeah
I took A-level French for like three months
But dropped it 
based
I dropped it to devote more time to diffing CoreTrust 
ok nvm the lockscreen is cursed
yes ik
But you found the vulnerability anyway
Fr
15 .superview's it is
At this point isn’t 16player OSS ?
Fun fact we went from PoC to automation in like a week
And automation to TS2 in < 48h
I’m pretty sure @radiant idol alr have the full source code
i jus inv him
i wouldnt be surprised if i can piece it together
I’m pretty sure too
u probly can except the notification fuckery
im gonna cry if i see this
oh u will
Bro you don’t wanna see it
i didnt clean my messes up yet
His animateartworktolarge is worse than blackmagic
why
that was @slim bramble
Oh that’s me
why is it a submodule
It’s easier to get it
@radiant idol I need an app to track my cars in GTA, got any ideas?
GTA CAR TRACKER by opa334
use iCraze's newest app called Asphalt 10 car eater
Not sure if that worked when I tried it 
🔥
Car eater?
Sounds like a blast 
@acoustic imp bro what is going on with these variable names 😭
i feel like i'm having a seizure looking at them

Don’t take a look at the function name
I’m trying to keep everything sane
bro doesn’t know camel case
But this man is mad
ik what they do
I tried to explain him
you know you can just do UIScreen.mainScreen.nativeBounds.size.width right
//artwork LARGO
wheres this
at the top of tweak.xm
@radiant idol I’m rewriting the code dw
oh this is stolen artfull code
layoutSubviews
me beloved
int controlsViewHeight = 0;
%hook MRUNowPlayingControlsView
- (void)setFrame:(CGRect)frame {
%orig;
controlsViewHeight = frame.size.height;
}
%end
crazy
or setBounds if you want bounds
@sonic totem anyway, how are you making a custom SEPOS without knowing how sep is loaded and handled ???
thank you windnight 🙏🏻
never mind it got worse
there temp frame who cares
Some deep stuff
oh wait these should be like real things bc they r used a lot
ok this one is an actual criticism
dont EVER directly call layoutSubviews
always call layoutIfNeeded instead
ok, but y?
hold on
(i call it a bunch)
It might fuck the location of things
does this animation even do anything with duration 0?
??
I don’t get what you mean
rip your battery
@acoustic imp im glad you invited me to this because if you were to make it a paid tweak without this code review, yeesh the community would rip ya apart 😭
if youre actually using it to layout subviews then its fine
Like you are writing a custom SEPOS right ?
I’m rewriting everything
how would they know?
Once I get my hand back
Battery issues ?
when their phone dies in two hours
this code is so inefficient its crazy
Battery drain
im scared
Oh I’m not
I’m just patching sepOS
yikes
Specific instructions
Ohhhh like seprmvr64 do ?
I know how to boot fully custom images but it’s a pain
everywhere 😭
Well I’ll be doing it from PongoOS
Pongo already patches sepOS anyways
@acoustic imp is this just a temporary method that you'll later remove
Well fun
stuff was there but got moved to layoutsubview, but it might go back if i do it a dif way
if not, this is just an extra call and is inefficient code
But obviously no public release
Can’t you patch sep directly to remove passcode
No
A tweak tutorial for beginners to the iOS jailbreak developer community!
read this
The SEP cannot decrypt user data without you entering the passcode
this page specifically please
I’ve heard somewhere that apple could sign a SEPOS version that do not have a passcode and boot it to get access to user’s data
yea, well, that the only way
well idk set_subclass
It never stores the actual passcode, just a hash of the passcode entangled with the device UID iirc
But you can’t just patch the SEP to decrypt the data without a passcode as it physically cannot do it without knowing the passcode
@acoustic imp is this for ios 14/15 compat
Yes I made this
this was the part that caused the thread hang
If it’s wrong blame it on me
it is but im gonna change it to just use the ivar bc that exists on both 14 and 15
ok make sure to set the variable to nil before, just incase
because just declaring the var but not initializing it, and then later using it, is undefined behavior
Sadly
oh, i do this w a lot of ints
PLPlatterView *platterView = [self valueForKey:@"_platterView"];
Thanks 👍
Apple specifically designed SEP in a way that even if a government forced them, they couldn’t write a sepOS image that got around the passcode
ints are fine, they default to 0. object types no
Oh @frail cedar was wrong then
There’s specific protections involved so that you can’t change the SEP firmware installed without the passcode
so i can delete these
which is bruteforcable if it's a 6 digit passcode
or was
not having them also doesnt do much
I like how this chat is becoming a mix of cursed code and actually sane Alfie stuff
huh
Ig that by patching sep you can change max passcode attempts before lock
there is so much wrong in this image
yea but like idk atm another way
Idk why bro is using tags
bro doesn’t know if (!existingRedRectangle) 
You can just stop the counter from ever increasing
So that it always thinks you’ve had 0 failed attempts
ok but like at least do this 😭
addSubview, notaddwsubviewif (!existingRedRectangle)
Fun™️
You make me want to make that bruteforcer
ok, this was also written like 1 month ago
before bibi
is there a reason the top one cant be [self.superview removeConstraints:self.superview.constraints]; lol
bro 😭
idk this was tinywidget14 stuff
@radiant idol how do you efficiently find a view from another with like a 6+ distance
thats smart
That was my original idea but if there is multiple it fucks up everything
@interface SomeView : UIView
@property (nonatomic, strong) UIView *_16p_anotherView; // new custom property
@end
%hook SomeView
%property (nonatomic, strong) UIView *_16p_anotherView; // new custom property
- (void)didMoveToSuperview {
%orig;
self._16p_anotherView = self.superview.superview.superview.superview.superview;
}
%new
- (void)exampleMethod {
UIView *theView = self._16p_anotherView;
NSLog(@"%@", theView);
}
%end
but again stuff like this isnt recommended but if you must do it, I guess this is the better way
I’d just hook init
the view didnt move to the superview yet when you call init
hook alloc 
oh
Well yeah but can’t you do something like this
@acoustic imp fix your naming scheme i beg
where eve is that
pla - player
class names are supposed to start with a capital letter
oh
on the zane tutorial it said u need a 3 letter prefix, didn't know you could jus put the name
FunnyView *view = nil; // pointer declaration: the asterisk goes before the variable name
%hook FunnyView
-(void) didMoveToWjayeverp {
view=self;
}
%end
-(void)funcIdfk{
// use the stored view
}
why? memory
yes
Cooking code on phone is tough
Maybe I should learn logos deeper
example in Jade
so is this, bad?
You don’t have the choice
honestly I would add static in front of all of those
Oop be like
maybe the colors but the image chnages
Well I see a little clearer
any atrocities at the bottom?
@radiant idol I’ll dm you smth tell me if it’s accurate or not
just say it here
Can you make a os like iOS in c?
you could but it'd be a pain in the ass
@radiant idol
Wydm?
PLRRootListController
idk about you but I like my OOP for stuff like an OS
Doesn’t iOS use c and c++?
whatever the hell this is
some C, but mostly objc/swift
That’s how I memorized it
the kernel is c/c++
MRUNowPlayingHeaderView
It’s impossible to make a app to make your device go to dfu mode
this in in layoutSubviews 🙈
but then you have to restore
ADD A SPOILER
So you delete your system files in filza?
To do that?
😭
iboot is not a system file
iboot is your bootloader.
You dd a partition
iboot is a separate partition
note that to boot to dfu on a9 and older, you have to break LLB and not iboot (separate partitions I believe)
Is it only read-only
but a10+, iboot is unified
honestly idk y the if's like that
Is there an exploit to bypass read-only files?
oops
it's. not. a. file.
I meant other files
and theres no orig oops
How much is didMoveToWindow called ?
once
i hope not
but it is important 😭
And no orig
he messed up the view lifecycle
Is it impossible to break iOS?
you dont call layoutSubviews right after the view moves to the window
Cement :
no it's very easy
delete /usr/libexec/logd
1984
1984
1984
what is logd?
Log daemon
log daemon
The UIView lifecycle refers to the series of events and methods that occur during the lifetime of a UIView object in an iOS app…
deleting it causes ios to freeze after about 10 seconds
it will not unfreeze
if you force reboot, ios wont boot
you get bootloop
A restore fixes it
restore your device (i restored to 15.1)
Sadly
jade is instant 😎
yep
MORE
rest in piss 14.2 you wont be missed
How do cement work @frail cedar
I mean you can still jailbreak if you JB your phone if it’s A11 if it’s updated
@primal perch ?
it doesn't
hacked
i created it based off incorrect information so it does nothing
@hasty ruin
well
it will fuck up your bootargs but it wont brick
i could make it brick but im too lazy

There used to be a brick button in iOS
there never was
Is it possible to brick no restore possible ?
ssv
yes, cement could do that but i have no interest in making it do that
so im not
You can restore
There was it’s in a iPhone 6s prototype I think
prototype
How tho
rename snapshot, remount rootfs as rw, touch a file to /, reboot
rip device
ok im having a headache from this, once you try and fix this code, please lmk @slim bramble @acoustic imp
or add me to a live share so i can watch you fail to fix the code maybe
kek
iOS had one in one of the prototype iPhones
icraze
read this ive linked it twice now
I am rewriting everything
whats live share?
But only once I get my hand back
?
Someone should recreate the brick button in settings
i could
Can’t a dfu fix that ?
lmao
restore fails
restored_external checks for ssv break and aborts the restore if it finds one
How tf
it is an intentional bug apparently
i heard it got fixed or something
So there is no way to fix it ?
if your device is running an ios before that fix
@radiant idol now what
you can brick
send it to apple
? ? ?
the worse version of codetogether
Is rebooting your phone from a app impossible?
no im writing actual good music
On like 16.7
reboot();
?
are you disrespecting dreams music
@hasty ruin
framesss
i have no clue what that is
Looks like a shell script
nah bro what the fuck is this
i think he's talking abt the minecraft pedo?
setuid(0); reboot();
oh i wasnt sure if it was someone else
sure
LMFAO
@frail cedar @hasty ruin
kill me
idk y one there, but its like if the artwork is expanded
nope
@acoustic imp I am giving you until tomorrow evening to fix everything or I nuke the repo
what repo
https://open.spotify.com/track/1f466T8PHzdRdnWBwnvCB3 what is this 😭
Someone can make a jailbreak for 16.7 A12 if a ppl and pac and kernel exploit releases
16player
@frail cedar
Who wrote this

jade source code (specifically the part that bootloops)
bro my website is coded better than this
then again I've written bad code too
https://thanos.lol/
and it looks like this
What does kfd do?
USED to be my code***
switch case my beloved
swift supremacy 
What does the WebKit exploit do?
Alright
it asks you to do this
Go to Google and search for yourself!
Jailbreak-me
@radiant idol live share not working
Someone could make a web-jailbreak with the WebKit exploit
be me
trying to write a song
come up with a cool melody
go to write it down
forget it
i hate this
@acoustic imp a lot of these things are easy to fix, most of them are just horrific var names
just fix that and then stop using layoutSubviews for everything
Web-jailbreaks are dead
@frail cedar
bye
Until further notice
@radiant idol I give you a whip in case @acoustic imp is doing shady things
ok, but what about the putting label views on the sides of the track, if i hook anything other than layoutSubviews it doesnt work
you add the views in didMoveToWindow and then make the constraints/frames in layoutSubviews
we need a live share
all three of us
wait
its worse than i thought
cydia 2 for ios 17
huh
Why 😭
Some guy should name their jailbreak p0is0napple
@hasty ruin
How do I go to dry mode?
i dont think that was me
I think I added it but don’t need it
the last time you had to import QuartzCore was like 2009
real
? ? ?
no, like im ssh'ed into a mac, in VScode
Someone should make a tweak that will brick your device in settings
Shell
oh
bro shut up ok we get it
I need someone to do this
WHY
Am bored
go to the palera1n server
just install jade

@acoustic imp open the project in https://vscode.dev and try live share from there ig
I’m off to bed gn
you... send the link
where the link
browser
got it
and it should automatically put the link into ur clipboard
wtf is cephei different on rootless vs rootful
tweak compiles for rootless but not for rootful

./GSPRootListController.h:1:21: error: no submodule named 'Swift' in module 'CepheiPrefs'; did you mean 'HBTwitterCell'?
@import CepheiPrefs.Swift;
~~~~~~~~~~~ ^~~~~
HBTwitterCell
GSPRootListController.m:17:48: error: definition of 'HBAppearanceSettings' must be imported from module 'CepheiPrefs.HBAppearanceSettings' before it is required
HBAppearanceSettings *appearanceSettings = [[HBAppearanceSettings alloc] init];
^
/Users/fiore/theos/vendor/lib/CepheiPrefs.framework/Headers/HBAppearanceSettings.h:49:12: note: definition here is not reachable
@interface HBAppearanceSettings : NSObject
^
this makes zero sense
hbappearancesettings is gone afaik
moved to a different header
ahh alr
okkk i figured it out
ifeq ($(THEOS_PACKAGE_SCHEME),rootless)
GameSeagullPrefs_CFLAGS += -DROOTLESS
endif
in the makefile
#ifdef ROOTLESS
@import CepheiPrefs.Swift;
#else
@import Preferences.PSSpecifier;
@import CepheiPrefs.HBAppearanceSettings;
#endif
and that in my prefs

tbh I still don't actually understand this decision
why is it rootless only
i guess but it doesnt hurt to keep backwards compat for stuff like this when people are trying to update old stuff for rootless
also compiling Cephei 2.0 for rootful so that there's no weird version discrepancy
idk, just my thoughts
no yea I agree
ok yea that makes sense too I guess
Do you recommend rootless or rootful
rootless on iOS 15+, rootful on iOS 14 or below
today I learned that @acoustic imp's PC is possessed
yea but like i dont have enough storage to do that
but you have enough for a VM? 😭
i have a desktop and a laptop
thats all
you cant compile for new abi via WSL but you can just use old abi when testing and then github actions to compile when you want to compile for release
yea so what diff does it make
it will make it worse
i dont think it can get much worse
yeesh
also 71+ tweak isnt helpful
maybe you should cut down on that
i've tried but use it all
i need a new phone
my 110 charge cycles no bien
cracked back
64gb 4gb ram
yikes
