#development
But AppStore has the dynamic-codesign entitlement; isn't this entitlement usually associated with JIT?
Ah, but looking at the entitlements with jtool I saw that it has this entitlement.
even if AppStore has it, it has nothing to do with user apps
what
this one:
Ah ok, clear. So if I consider another app in which I enable JIT, how do I hook a function without writing the hook function in the process?
when i build instaspring it just crashes but the ipa provided with it says "fix"
what did they do to it
No idea, I checked the code and all it does is xpc_crasher TouchDeliveryPolicyServer
Use opainject to load your library to the process, I’m not sure what you’re talking about not writing, hardware breakpoint stuff?
yeah ik
it works on ios 14-16
but on ios 17 it crashes
if i build it from source
yeah because xpc_crasher is fixed
but the precompiled version from github works
and what can be the fixed line for it???
Add unsandbox entitlement and steal TSUtil.m#L210-L281
do you have any ideas? @frank fossil
what the
im not that skilled
@frank fossil the fixed version ipa and the source compiled one are not so different in size
idk what could be added
ok I'll try, thank you. So in system apps like AppStore you can't enable JIT, or rather even if I enable it I can't do anything with it.
Bc I’m lazy, but now realize it’s a lot easier to read stuff with caps
anyone knows a way to invoke control center?
[[%c(SBControlCenterController) sharedInstanceIfExists] presentAnimated:YES]; I think it’s this if I remember correctly
thanks :))
I don't know why I get this error when I try to enable jit, could you give me some advice?
System Policy: launchd(1) deny(1) system-debug children
oh this annoying guy
Sorry?
NOOOOOOOOOOOOOOOOOOOOOOO
me asf
system out print jumpscare
True
Man I'm too lazy to push the shift key
I remember in like 2nd grade my friend typed in caps lock
but he still typed normal sentences
like
“Hi How Are You”
he just released shift at the start of a word
and held shift for the rest of the word
It still haunts me to this day
How are you trying to enable JIT?
With ptrace using PT_TRACE_ME
I also tried the PT_ATTACHEXC flag. I don't get that error but ptrace gives me -1
Does anyone know precisely how long it takes for the CPU to write a dirty cache line back to dram?
Libimobiledevice in Java
ibootpatcher in Java
does runtimebrowser work with Bootstrap and Serotonin?
anyone know what might be causing this
just trying to build a tweak (intended for ios 14) and have libsona installed but for some reason am getting this
my makefile
it was in the normal libs dir, wasn't in rootless but adding the rootless dylib still doesn't fix
yea i think so
@primal perch got it to work without memory patching
it uses some
uh
questionable code
like rosie level code
(imp_implementationWithBlock)
https://github.com/donato-fiore/GameSeagull/blob/main/Utils.m#L28-L59
is this even needed anymore
like arent there like shims or something built into libhooker or whatever
like where MSHookMessage/Memory works on libhooker
@radiant idol hey uhh is throwing all preferences into its own class a good idea
rather than using static
Wdym
Ok nice
Preferences.m
you can still name your methods how you have them, like loadPreferences
but def name the class smth different, something like 16PlayerPrefs
You can't start classes by digits ;)
Dw I fixed it
SixteenPlayerPreferences
😟 how do you know
bc "You can't start classes by digits ;)" so just spell out 16 lol

iOS16ClassName
fr

name your class c75214e7-a6af-4d48-bc7e-670af6fb68e2
NOOOOOOOOOOOOOOOOO
capstone/keystone has java bindings that is very feasible
That would actually be fun to do
hell you could even do it in ruby or js if you wanted
python iBootPatcher 🔥
rat.exe
go to the repo in my nickname
possibly a very cool thing that I found on my drive which I haven't turned on in a few years
🪤
💀
JARVIS malware 💀
best iboot patcher 💯
I only send semtex fanmail
it works at least ?
my pdfs are safe
icreaze stark
icrazeware is ratted
https://github.com/m1stadev/eyepatch/blob/b84129398235d56bda8ab801cd88c45c5f0480ca/eyepatch/iboot/iboot64.py#L113 name another iboot patcher that lets you inject prints
ofc
ew where’s ur syntax highlighting
Dark Reader did a goober
hell yea
disable dark reader on github and enable native dark mode
Teslaman's code :
Dw, I just hadn't set it up for Arc
It uses the same math scoop discovered, but figured out how to do it without memory patching
I'm slowly switching to arc
arc?
You never heard of it?
Automatic reference counting
💀

Yeah fr never noticed
Anyone here have experience with multi-threading (bugs)?
of course it's in python 
never heard of it, nor does it even look like I can use it
My program crashes 
just debug it
also I don't really want to use a closed source browser
fr
W explanation
pthread_mutex_lock(mutex) == 0
just switch to the main thread when doing any logic
Idk how to debug that

There shouldn’t be a thread running when that error hits
Webapp patcher
mutex lock operation moment

printf("%i \n", pthread_mutex_lock(mutex)); ?
But which mutex 
But I don’t have a mutex that I’m locking lol
so it doesn't return 0?
Perhaps you have a backtrace ?
💀
Ugh
Exactly the same issue
With a Raspberry Pi
lmfao
isn't libusb only used in linux?
or am i thinking of libimobiledevice?
No ?
nvm
both can be run on *
There’s literally no USB functions called in the timeframe that it crashes
Are you cooking Achilles ?

a chille
Achilles windows support ETA
GNUs
wen windows support 
@sonic totem https://github.com/merbanan/rtl_433/issues/1793
Perhaps there's something to extract from there
you running it off a pi ?
Need someone with a regular Linux PC to test them
Yeah
Can boot arch
I am running linux rn
@sonic totem by any chance is it a pi 3
iirc there’s some issue with it’s usb stack
it’s also why check doesn’t support it
or at least they had a working impl at some point but never a pub release with it working
i wonder how much 1337.x changes that
What is this entitlements for?
<key>com.apple.private.amfi.developer-mode-control</key>.
Turning developer mode on/off
@slim bramble @cloud yacht latest Achilles commit should support Linux
A ok. I thought it might be related to my ptrace problem.
I'll try
just finished building libimobiledevice
@sonic totem what should I try
Similar
It can boot PongoOS, jailbreak (with provided ramdisk and binpack and KPF) or disable image signature checks (like gaster)
Yea
what happened to reverse engineering the image stack and finding a untethered bootrom?
you removed it from your blog
Still going mate
I just wanted to make my blog more bland
Less words
More mysterious like @hasty ruin 
right
I’m balancing like 4 projects rn that’s all
@sonic totem you have to wait for my phone to finish charging, for some reason it wasn't
british
No problem
and what
british = the best
i'll spill my tea all over your nexusware
and throw my biscuits at your runeware

i agree
Successfully jailbroken with Achilles-Linux 🔥🔥
@sonic totem does Achilles have dfuhelper?
Yes
If you need dfu helper you get zero bitches
ok just need to figure out why ideviceenterrecovery doesn't work
It requires pairing on 14.5 and later
nvm, good ol' way is better
arm64 14.8.1
I swear you use an A11 device 
is A14 theoretically vulnerable to PACMAN, seeing as it uses the same cores as M1?
I’ve done dfu on every device pretty much, most annoying is 5s, no issues with a11 or a9
(very random, i know)
I’m getting initproc exited while booting 

Achilles: ./os/threads_posix.h:46: usbi_mutex_lock: Assertion `pthread_mutex_lock(mutex) == 0' failed.
[1] 40678 IOT instruction (core dumped) ./Achilles -p
NO
NO
You should compile on docker debian buster slim it’s the best for older linux
But I need to checkm8
irecv_copy_nonce_with_tag_from_buffer: WARNING: couldn't find tag SNON in string GANG:KJC HAXX:Axi0mX ETA:son ????????????
W
Run Achilles again
It will get to PongoOS
yes
lol clearly you got PWNED!
GANG:KJC HAXX:Axi0mX ETA:son
linux achilles
I’ve found the issue
What's the culprit ?
Fixed it
Push
In a sec
It’s still there
When booting Pongo
I might have fixed it
Fixed
@slim bramble pushing soon
Is Achilles 12-14 or 12-16
Wdym
iOS support range
7-17
Oo
Theoretically
I'm ready to test
Need proc for 7-10
Okay
There’s some bug
Which causes overwrite sending to fail
AKA success rate is low
:(
:p
Ugh this is annoying
Success rate seems to be like 1/5
Oh wait
Hm
Might’ve found the fix
@slim bramble try latest
No check the latest now
@sonic totem when eta stage2 reimplementation instead of stealing from checkra1n!!
When checkra1n goes open source!! 
fr
Didn’t you decompile and recompile a 1:1 copy of the T8015 YoloDFU
yes, for s8003, t8010 and t8015
I didn’t add A6 support to Achilles just because I’m hating on armv7
it recompiles 1:1 but it's not really clean code
asm
At the same time when GNU Hurd will be fully complete

Me and Clarity will solve this though with untethered Image3 haxx eta son !

Posting on reddit
Would love to do it <6 months but 
Life is life
I’ll find a vulnerability in my sleep 
I thought of the fix for ios 10 seprmvr64 right before going to sleep
Nah one of us will do it tbh and it’ll probably be you 
delete humanity from yourself
I almost forgot it the next day
I remember figuring out how to fix checkm8 when I was asleep
When I wrote Achilles v1
And it worked
Like I dreamt about the fix and it worked 
Yes
Huh
dw
Did it work or not
is there a way in the tweak to see if another tweak is installed?
@radiant idol how do i do the thing you told bibi about with like getting then storing a reference to something?
i wouldn't think so
however i am working on rewriting it into C
and besides, PACMAN currently only works on macOS atm due to needing to use a custom kext
which iOS/iPadOS will not let you do
ah.
yeah
was just curious
nah it's ok
k
yeah
W
Y
would this work?
it does not
so when the animation finishes it sets the view to hidden
bc that doesn't animate ? like alpha
ios sets alpha to 1 when the LS updates anything
but doesn't change the hidden prop
so animate to hidden then set to hidden = good
how would i like just not set it, bc it needs an 'else'
nil ?
no but it will just set it anyway
when the animation runs
and won't animate
i could just add 2 lines
like this
but it does tho
ok 
full block*
hidden = yes on the first one
also you want to set hidden to no before setting alpha to 1
@hasty ruin so i should do it like this?
See
No fade/animation
how should i do it?
thx
when hiding:
- in animation block: set alpha to zero
- in completion block: set hidden to yes
when showing:
- set hidden to no
- in animation block: set alpha to 1
it just doesn't work
dfu helper legit quicker tho
bc of special timed reboot cmd
I have reset cable tho 
the actual helper yeah
good 4 u then smh
You spelt flashlight wrong
why are status bar elements not showing up in flex
fixed spelling but same error
any ideas?
@radiant idol ?
Nvm I got it
Finally …
Had to hook every set alpha method there was
also can you %group method hooks?
maybe because you’re using something that’s been deprecated since ios 3
What do I use?
something not deprecated since ios 3
Here's my code
Can you show me?
no
Am using this guide
too busy smoking
based
fuck does this tv actually not have WPA3
@radiant idol yeo what sf-symbol should i use for this
the pref is "Auto Cup Pong"
i was also thinking "Auto Cup Pong Button" or "Auto Shoot" or "Auto Shoot Button"
dork
@granite frigate do you wanna try 16player?
chatgpt has taught me more than my math teacher
preach
quite real
@grave sparrow 🙏
there is no cup sfsymbol
ask chat gpt
Idk I don’t remember all the sf symbols off the top of my head
?
cmon, if __ can expect me to remember every iOS header and framework off the top of my head you can at least remember all icons
Can you update your code thank you from your guide
i was thinking the breaksignal
It works fine
Your setup is wrong
mug?
Idk something there is wrong
have you ever been to a party and they playin pong w a mug
I have my own repo
only time youd see that is at a retirement home
Forgot to use this icon
me too, need help
I woke up like 10 mins ago let me think straight first and I’ll help
🔥
It’s up to date
take your time
READ. THE. ERRORS
its like me but worse
a lot worse lol
You actually somewhat comprehend what you’re doing
^
and if we tell you something you actually try to learn from it
instead of dry pasting it into vscode without knowing what it does
iv **did **that
do this one tho
well
(where's the cuppong video, i need a reference)
@acoustic imp
How do I remove this?
cant you just do custom images?
just like grab the model/image of the cup and use that?
@tough shadow if you read the error, it says its deprecated as of iOS 3
not sure if you know what deprecated means, but it means no good
and iOS 3, not sure if you know was a while ago
just google "textColor deprecated" or SOMETHING like that to find a fix
and also, the code you sent does not include the location of the error, so actually try starting with that first
In my repo
im using <key>iconImageSystem</key> in cephei
no
all systemImages
iconImageSystem Optional. Supports displaying a system image as the cell icon, as specified below.
leftImageSystem Optional. Supports displaying a system image as the icon to the left of a PSSliderCell’s slider control, as specified below.
rightImageSystem Optional. Supports displaying a system image as the icon to the right of a PSSliderCell’s slider control, as specified below.
uh ok
i'm on 16 though
sorry
oh, nvm then
It’s in my repo
its fine, i meant to like maybe daily drive it or sm but nvm
bc i mostly fixed the like right now bugs, but i need like daily driving testers more or less
i have 2 on ios 15
if u wana mess w it il send u the deb
How do I delete this from my repo?
what
the delete button
Will this delete my Sileo?
isnt that literally what you just asked
I mean I don’t want anyone to see this
so... delete the debs off your repo??
It just deleted my Sileo
Yes I did that
well did you delete the package off your device
Yes
Now I have to rejailbreak
well what did you think was going to happen
Delete my Sileo
It’s not even in my github
rebuild your repo
With what?
idk do u have a build script
No
so how did you get it on your repo in the first place
Got my sileo back
Fascinating conversation
I am not sure what I just read
any cryptobro online that is familiar with AES128? When I try to decode the decrypted token back into utf-8 I get an invalid byte error
Does this mean the key I'm using is wrong?
because the token itself looks similar enough to the working version
oh you have the right username
ironically not related
this mode doesn't use nonces
doesn't matter im saying use it as example for properly getting the token back
it's a different mode of AES lol.
Doesn’t matter the output is bytes
Do you think using this method it is possible to start all processes with the CS_DEBUGGED flag?
https://github.com/mineek/Serotonin/blob/main/RootHelperSample/launchdshim/launchdhook/main.m
Is there anyone who confirmed ppl bypass on A15/A16 iOS16.5.1?
I’ve got dma with 37c3 bug on iPhone SE2 16.6b1 and iPad mini 6, but on iPhone 13 mini, I cannot even halt and unhalt
xina posted it on twitter
on 16.5.1?
Do you know the version of xina’s device?
#announcements message isn't it this
the question was specifically a15 and a16 on 16.5.1
and the answer seems no, there seems to be some issue
Thanks!
@naive kraken I don’t mean to ask you to release something, but could you tell me, did you solve this issue? Thank you
no
I only discovered it yesterday >.<
from first look it seems PPL bypass is unexploitable on 16.5.1
writes either fail or you get GFX panic
Oh my gosh…
ah wait
there is also some A15/A16 specific logic that is not in my gist
I'm not 100% sure about the 16.5.1 thing yet
Speaking about register on 0x206150020, there is no problems. I can set to 1
What is tte about 🤔 and why do people always dereference it to a bunch of 41s ?
41s are “A” in ASCII
When writing in tte, we can know that it worked or not by looking at panic log
It’s just tradition to overwrite an address with 0x41 (‘A’)
Easy to see in panic logs + unlikely to be there for another reason
is there an easy way for somebody to test it?
I know somebody who has an iPhone 12 on 16.5.1
https://github.com/m1zole/meow16-kfd-pub
how about using this?
(do not forget to press on button!)
so what would process of testing PPL Bypass be?
Build the app + install it presumably
well yes but what would you do from there - I assume it would be:
- make sure it’s toggled to on
- kopen (with landa)
- I guess press finder?
or am I wrong on that
Finder might be to do with the TrollInstaller part of the app
Just kopen I guess
I’ll try now
Yes!
ok, let me send to the person I know with an iPhone 12 on 16.5.1
Okay my device has run out of battery so I can’t
I don’t even think they’re awake at the moment to be honest
Think it’s an sf symbol
I’m not sure if it’s in there, but if you have FLEX installed, look through PKIconImageCache in the “Runtime Explorer” thing
I can just recreate it this way I think
Rounded rectangle + image
The main Settings page’s icons are there, I know that
It’s in Sw*ft too
wa
Sw*ftUI 
I feel like the real icon is optically centred
Yeah me too
But idk if that even matters tbh
This won't be what they're looking at
How about this
Yeah that’s good
/System/Library/UserNotifications/Bundles/com.apple.LockdownMode.bundle/Icon.png
Oh ok !
But on iOS 16 a binary can't be run from inside /private/var/mobile?
sandbox will kill it
if it's in containers it will allow execution
which is why roothide uses that (but also to avoid some detection)
can u diff headers?
this isn’t limited to iOS 16, iirc execution in /var has been limited for a while
(besides containers obviously)
Okay thanks for the advice. In your opinion, using a hook on launchd, is it possible to assign the CS_DEBUGGED flag to a process I run?
that is something i have no knowledge about
https://github.com/mineek/Serotonin/blob/main/RootHelperSample/launchdshim/launchdhook/main.m
Here, if I understand correctly, it puts the CS_PLATFORM flag. Couldn't CS_DEBUGGED also be inserted?
it is hooking the result of the csops system call for that process
it won't affect how the kernel actually sees it
if you put CS debugged on everything i think you just get banned from apps lol
launchd complains if stuff isn't platform, that's why it's being hooked to always think things are platform
Ok thanks
@willow lance I see you retweeting this 
hii
Is there a way I can inject a dylib during runtime of an app? Or before an app runs?
Using a tweak you can
Which?
does ellekits mshook now work on jailed? i tried it some time back and it didnt even hook
A custom made
to do whatever you want to do
if you just want to inject a dylib into an app you can look on google
there are plenty of tools
That's what I did, but tools like opainject dont work
Do you want it to be injected at runtime ?
Either that or before runtime
I don't want to do any patches on the ipa though
yeah dylib stands for Dynamically Linked Library
then what do you mean by this?
Perfect is it a theos project ?
oh
Is that not what I'm meant to do?
Are you jailbroken ?
yes
You might want to use iphone/tweak
copy paste the code there
And then you set target bundle id to the app you want to hook
At least that's what I would do
so I can't inject dylibs? And have to use tweaks?
maybe there is a better way of doing it
it's an easier way of doing it, that way it automatically injects 🤷♂️
I sorta wanted to stay away from having to manually install multiple tweaks
I was going to make something to inject a collection of dylibs onto an app
you can probably use dlopen
UH
does github make ur email public?
if you allow it to, yes
yes sorta
i didnt allow it to
i set it to private
how did someone get my personal email
would this still require a tweak? Or can I just make an app that does that?
you can see anyone's email by doing git log
data breach or
Well what do you want to inject to ?
I want to inject to an app based on the PID provided
What email did you configure with git on your computer
or just, from a dropdown of the list of apps you have installed
If you don't use the anonymous github one, then yea it'll be visible in commit logs
oh
the fricking github site is broken

FUCK THE GITHUB SITE
No, you just leaked it yourself
@wind ravine check your dms
well its either that or typing in the name of the app since I could probably search the PID from there anyways, like for example for filza I would type Filza
if your personal email is that gmail one, I can confirm it’s in your repos @wind ravine

BRUH IT WASN'T EVEN MY PRIMARY
My real name and location is in my GitHub profile, same with email, cuz you have to do that if you want student developer pack
It’s whatever you used with git config
the GitHub website’s option only controls commits made through that
Which you can use completely bogus stuff with btw
Just use the noreply GitHub one fr
Mine has my real name cuz I use the GitHub login manager with git
It doesn’t
I don't think it does
It just puts them into an ipa
what is this for then?
lemins club penguin got hacked 😔
Lmfao
oh that’ll be an opainject wrapper then
Yeah
i never played club penguin
How does opainject work? I did try installing it and running through NewTerm but it never worked
You can’t use it on semi jb
stop
haveibeenpwned says the email was in there ¯\_(ツ)_/¯
dylib needs to be signed with the same team ID as the target process
what if I decrypt the IPA then?
and change the bundle
Stop exposing my damn project
man why cant i catch a break
everything about me has been doxxed
even my house address
good luck mate
Nothing
trustcache?
google it
A list of cd hashes that are automatically approved during code signing checks
CD hash is a hash of the code directory, which is a list of hashes for every 0x1000 bytes in the binary
This means that every binary will have a unique cd hash
Yes
i mean if you're decrypting it you might as well just load substrate and the tweak
oh btw
is anyone here experienced with XNU IPC?
Basically I need to know if a daemon's IPC is handled differently in the kernel
I couldn't find any evidence of that
but something is different
would I be able to just add a folder in the substrate that would load the dylibs? Or would I really have to individually make and install tweaks?
you'd have to patch the app
why are you asking here?? this is for development stuff 😭
Arguably this is development stuff
i never used those before lol
ok fair enough
#jailbreak won’t tell you how to inject dylibs 
yeah that's true lmao
i dont mind doing that, as long as I can inject them
just look at azule 
are you not able to say the name
well then, decrypt the ipa and you can export a modified one with sideloadly
(specifically the is_table; for some reason the is_table of my daemon is completely empty even though I'm allocating ports)
no the script i was referring to is named azule
havent used sideloadly before so i was looking to see what advanced options and got this (not my screenshot)
🫶 ❤️
are you saying i should do the tweak injection? because thats not really what I want to do
but you asked how to inject a library
that's one way to do it
i want to inject a collection of libraries
like I can't find anything not even in the XNU source on github that indicates daemons are any different in this manner
i have to do this every time?
like, I cant just go to filza and add a dylib?
well every time you want to make a new ipa yes
no
because existing dylibs aren't built to work sideloaded
both the library and the app's binary have to be patched
ohhh wait
is it because it's running under launchd lmao
doesn't xpc go through launchd
i was about to say
yeah for a daemon it might be different
ugh so does that mean I have to grab the kernel object from launchd's ipc_space instead of my daemon
whatever
except uh
it works fine in an app
doing the same thing
And reading the table size, I get 0x8
yeah I know
PLUS I'm exposing two bootstrap services in addition to the mach port I'm trying to grab
with a jb this can be done at runtime because we have control of dyld (the dynamic linker) and launchd
so we can just load a library when the process spawns
semi-jb too? or just jb?
```objc
// kfund-style kernel read primitives (kread64, kread64_smr, unsign_kptr, get_selftask)
// are provided by the surrounding project; offsets are for this poster's device/version.
uint64_t pr_task = get_selftask();
NSLog(@"Got pr_task!");
usleep(500);
// task->itk_space at +0x300
uint64_t itk_space = unsign_kptr(kread64(pr_task + 0x300));
uint64_t port_index = MACH_PORT_INDEX(port_name);
NSLog(@"Got itk_space!");
usleep(500);
// ipc_space->is_table at +0x20 (SMR-protected pointer)
uint64_t is_table = kread64_smr(itk_space + 0x20);
NSLog(@"Got is_table!");
usleep(500);
// each ipc_entry is 0x18 bytes; ie_object is the first field
uint64_t entry = is_table + port_index * 0x18;
uint64_t object = unsign_kptr(kread64(entry + 0x0));
```
it panics where it tries to get object
not sure what's going wrong lmao
(with kaddr not in kernel)
Do someone know why Theos is fucking renaming my PreferenceLoader file 💀
I am getting trolled
unless its because I'm disabling Jetsam, even though that would make no sense
check the other makefile? idk
what about it ?
what's in it
so then would there be a way to patch the app each time a dylib is added?
the main makefile ?
like through a tweak or something
or by manually using theos to compile
you'd need to patch both the app and the dylib
the only way i could think of is having a daemon watching the fs and patching when new files are added
this is not an option with a semi jb lol
there's no way jetsam would be causing this, right?!
not having a daemon watch the fs, i meant like, having an alternative app to check for new files and such when the user requests it
I didn't think so
well that's the same thing but with extra steps
exactly
ive never heard of esign
minus the reinstall
yeah idk what to do
i basically want to do that, so i dont have to like, manually patch it and such
whats the issue
mah daemon's is_table is empty
wat
yeah idfk
app like that doesn't exist. so right now all you can do is
- decrypt ipa
- patch app and tweaks
- sign and install
or
- patch app with app enabler
- install tweaks normally
oh its a field in a struct
ios version
16.2
that sounds familiar
why
reasons
kread64_smr looks familiar
yea so you're using kfund kread64_smr, ok
YES because those offsets work not in a daemon
device?
app enabler?
uh well because UH well ok it's [REDACTED]
do you only have trollstore or do you have serotonin?
i have both
?
sorry, r/jailbreak would go into a frenzy if I told you lmfao

yeah that's why
i dont get it
I DMed them the device
there should be something called appenabler in the bootstrap app
Ohh you mean that
the "enable tweak for app"
i still dont get why this device is special but ok
DMed more info
yeah, that does basically what you want
(with a few minor side effects) but yes
all of that is besides the point
every day i am thankful for appledb being indexed on google
seo on top
the point is, is that I have an issue, that seems to be completely arbitrary
like there's no reason it shouldn't be working, and there's no info as to why it couldn't be working
so like ¯\_(ツ)_/¯
but then why does it work not in a daemon
would the second option be a better idea then? except like, develop an app to handle all the tweak installing based on files in a directory if they werent already installed? (ik Sileo, Zebra, and others exist, but want to handle things differently)
you already have bootstrap
or would it just be better to patch the ipa
placebo
plus it does the same thing if I try to read the daemon's is_table from a normal process
read it for a bunch of processes and see how often it works
but if in that process I use the same offsets and everything, then it works
once ellekit is installed and the app is enabled you can just load tweaks from jbroot/Library/MobileSubstrate/DynamicLibraries
man
oh really
do tweaks load automatically from there? or
yes
is there supposed to be a Library in here
yes
no
although again, that doesn't make sense
but yeah that would resolve to /var/mobile/Containers/Bundle/.jbroot-$(jbrand)/Library/MobileSubstrate/DynamicLibraries
lol
perhaps I should try using allproc to find it??
long ass path 💀
hey everyone, is there a guide to get started?
also will Linux work? I know apples a bit picky about using macs for dev
depends on what you want to dev
if it's tweaks, then linux is fine yeah
cool thanks
yes
for tweaks it'll work fine
though developing an app will be a bit more time consuming
binaries with specific entitlements can run in /var/(mobile). But the kernel blocks mmap so it cannot load any libraries in /var/(mobile); this can be solved with some kernel hacks, but there is no guarantee it will be available in a future iOS version. ref to jakejames' rootless writeup: github.com/jakeajames/rootlessJB/blob/master/writeup.pdf
ye, binaries in /var/containers/Bundle/ can be executed and are sandboxed by default.
does that mean binaries that are not executed from /var/containers are not sandboxed by default?
binaries without any unsandboxing entitlements
i mean, outside the sandboxed dirs you'd need to ct sign still don't you
else you'd get killed 9 due to codesigning
sure, but theoretically, what if i signed validly but with a developer cert and dropped it somewhere outside of /var/containers
sandbox should still block reads and writes to sandbox dirs i believe
at least without the entitlement
anywhere else should just work unless it's a permissions issue
hm
could probably test that with a semi-untether
since checkra1n has sandbox destruction built in

true
jb would make the first few steps easier tho
Filza to drop the binary wherever you need and a terminal app to call posix_spawn
hmm
maybe build bash (or zsh even), sign it
then just use scripts for whatever you want to test maybe?
but forking tho if that's an issue
and that would need a few calls to other binaries anyway
though if [[ ]] has some pretty useful test options
@naive kraken Oh actually, I've had this issue and fixed it! In the normal pplrw.m we use (kfund's), A15 and A16 are broken because they're missing something from Xina's coresight (there's an extra register in there you have to write if you're on A15 and A16.)
that's not the issue
we have that
Alright
just thought it might be, because I encountered this on 16.5 where writes wouldn't work unless I added that
anyone know how appex files are packaged with apps/how to sideload them
sorry for the ping in that case then