#development

i'm building a safari extension from source and struggling to include the appex

this specific thing seems like it doesn't work on 16.5.1

like it causes GFX panics apparently

so maybe <=A14 work on 16.5.1

Ah, weird, sometimes I'd get the occasional GFX panic, but it usually wouldn't happen

well once you get the ipa, appextensions should just be in the payload as PackageName/PlugIns/extension.appex
with an info.plist and a nib or other files

hence the name, extensions have to be built with a main app binary as well

i thought they were included but the extension won't show up in safari so i was confused

it is included.. dunno why it isnt showing up 😦

is this a trollstore limitation?

these show up for like a single frame

openyoutube and unagent

unagent is what i am trying to sideload

openyoutube is just another app extension im guessing is sideloaded with youtube++

does trollstore not support app extensions

i see it does not as they are system apps

interesting

well

you can temporarily switch to user registration

do they work until reboot or do they not work

opa made a comment on this reddit saying they dont work

lol

not really surprised at that

it does not work

kinda sad i wonder if there is any way around

yes, binaries in paths other than /var/containers/Bundle/ will not be sandboxed by default (such as preboot), but the kernel will refuse to execute binaries without unsandbox entitlements in /var/ (including /var/containers/), this is my test result on ios15. but I am not sure what the policy is for /Applications/ in rootfs since we cannot modify it on ios15.

do they not work because they aren't signed with the main binary or because of a system app incompatibility

if there's multiple binaries, ts should sign them all
i'd assume it's because of the system app registration

makes sense

rip

guess my cert is still valid for like 2 months

and due to the system policy of the kernel, the platform binary cannot spawn the binary in /var/, so the daemons/apps in /var/ will not be able to launch. this can be solved by re-signing the system binary.

and another interesting thing is that if the app is registered in /var/, then launchd will use xpcproxy to launch the app.

yea sideloading w cert fixed it

maybe i do need appsync lol

yeah i mean

sideloading with a cert is how apple intends development to be done

go figure

lol

seems like this app cant even change my user agent anyways so i guess it didnt matter anyways lol

anyone know if there is a tweak to change user agent on safari :p

on ios 16

possible for extensions to do this

it is i can't find any free one though

https://github.com/katagaki/Unagent

thats what i just built

doesn't work and seems to not work for anyone else in the app store reviews

not sure why though

probably something to do with ios 16

then you're probably limited to just browsermask

dam 3.99 but does seem to be what i need lol

ty logos linted

or a browser that's not safari

actually could've thought of that yeah

orion would be a much simpler solution i just got hyper fixated on using safari lol

also does anyone in here know if there is a vnc server that works on newer ios? veency exists but i'd be astounded if it still works after 6 years of no commits

screendump

but it's been patched up like 3 times over since the ios 14 release

a viable alternative is something like https://er.run/blackhole but that's paid with a trial

interesting

i use that UA switcher it absolutely works

what ios are u on wtf

17.4

bruh

is the github version outdated i wonder

i mean the commits are only from a few months ago

weird

well then it's working

what a dick move to give it a one star

the agent string isn't the only way to detect a device like they say

i was using a user agent checker and it wasn't showing any difference but ill try again

nor is it reliable

yeah it doesn't change for me :/

definitely works

a symlink to /usr/lib/TweakInject

you didn’t restart safari…

i did

did you even enable the extension?

yep

no need to patronize lol

then you definitely set it up wrong

ok

the message before it was fixed was jbroot/MobileSubstrate/DynamicLibraries, that's what i meant by "Library missing"

@restive ether

👌 I didn't modify this part, it should be consistent with the rootless ellekit. I just change /var/jb path to jbroot

got it

and ellekit builds off libhooker which is why we still have tweakinject

wat

isn't ellekit fully compatible with libhooker functions

same with substrate and substitute

well i mean that you can quite literally use LHHookFunctions etc with ellekit

https://tenor.com/view/schezo-schezo-wegey-schezo-puyo-puyo-puyo-puyo-puyo-gif-7000024585298137156

i lied no substitute shims

but same with substrate

and the /usr/lib/TweakInject folder was just what libhooker used then symlinked for compat reasons

reboot fixed the app

unless you’re gonna roll this weed for me

its 4:30 brother u got bigger enemies than me

that’s later than usual

go to rehab

why would i do that

city boys we up

Proc soc on top

nebula do u know if ur tweak ding has the ability to use mute module in control center while the mute switch has its own function 👉👈

currently if its set to force either way the mute module cant change mute status

@sonic totem ok so your idea did something, because now when panicking, instead of AMCC PLANE1 or AMCC PLANE2 it's always AMCC PLANE0

Very interesting

The writeback is still happening though

Presumably

AMCC ? PLANEX ?

What are those ?

AMCC = Apple Memory Cache Controller

yeah

Oh

thanks

oh no I'm about to be scolded

(jk)

seems that way, yes

even though I'm constantly reading it in a while true loop in a seperate thread

perhaps at some interval it's forcibly written back?

Quite possible

I don't know enough about this to be sure

although interestingly

it says the panicked task is my task

Actually it would normally say that

yeah

maybe I can somehow freeze the AMCC

how much time passes between the write and the panic

or is it instant?

pretty much instant yeah

it would not

a standardized API to get the root path

roothide has it's own thing

I will get to that really soon

 dma_perform(^{
        uint64_t thing = 0xfffffff00832be94 + get_kernel_slide();
        dma_writevirt32_premapped(thing, (uint32_t *)&mov_x2_afce);
        dma_writevirt32_premapped(thing+4, (uint32_t *)&paciza_x2);
        dma_writevirt32_premapped(thing+8, (uint32_t *)&str_x2_x0);
        dma_writevirt32_premapped(thing+12, (uint32_t *)&ret);
    });
    uuid_generate_time(ourbuf);
    ksigned_afce = (void *)kread64_kfd((uint64_t)ourbuf);
    NSLog(@"Signed afce: %p",ksigned_afce);
    pthread_cancel(posixThreadID);
    asm("IC IALLU");

(I overwrite uuid_generate_time)

the IC IALLU is to invalidate all the instruction caches

although I'm not even sure whether or not that instruction works in userspace yet

can't think of anything rn

Rootless V2 will likely have a "libroot" that jailbreaks ship

then there will be a .a that people can link (This is very small and only handles finding libroot and dlopening it) and preprocessor macros to convert paths

and this will be integrated into theos

I have no clue how roothide does anything currently

void *preventwritebackthread(void *notusing) {
    NSLog(@"Entered the writeback prevention thread!");
    uint64_t _uuid_generate_time_addr = 0xfffffff00832be94 + get_kernel_slide();
    uint64_t start = 0xfffffff00832be94;
    uint64_t end = 0xfffffff00832c018; // Also static for testing purposes.
    uint64_t size = end - start;
    NSLog(@"Size: %d",size);
    sleep(1);
    void *gotome = malloc(size);
    bool hasalreadyprinted = false;
    while(true) {
        kreadbuf_kfd(_uuid_generate_time_addr, gotome, size);
    }
}

wait

I forgot to remove a sleep

I bet that's the issue lmfao

@willow lance save us

lmao what

I’ve interested in this bug for a several years and I want to find it!
Because of this bug is faster than any other bugs

nvm 💀

for the record, this is mostly an experiment

I just want to see if I can sign a pointer in the kernel lmao

if I can then kcall

if not then

oh well

the problem is we don't know if there is any way to revert the writes without panicing

so even if you could get kcall it wouldn't be for very long 😛

well invalidating the cache should do that

invalidating the cache marks everything as "invalid" which means they can't be written back, so the cache gets reset without writing to the DRAM

(or read from)

(or written to)

technically roothide and rootless (even after rootless v2 is implemented) will be different things in regards to what paths they use to my knowledge

roothide will still be it's own strap

and AARCH64 conventiently has the instruction IC IALLU which invalidates all instruction caches

it's still a separate thing to rootless even after rootless v2

which (should) theoretically make it so it doesn't get written back and the cache is reset

RootHide and rootless v2 are not the same things whatsoever

I think you have a misunderstanding of what roothide is

Dopamine 2.0 does not do anything to hide the jailbreak on it's own

That will only be used by external packages

The bootstrap itself has it's own idea of what the root path is

yes

Yeah but after the arch merge is done I think it should be an option

how did y'all manage to get it to last for anytime at all?

I even offered tuan to integrate it as an option into Dopamine later

I can't get it to do anything lmao

no one has gotten it to last except boris

ah I see

wait is a rootless v2 strap able to load rootless v1 packages?

then what are you doing? I'm confused.

or do we need to rebuild all our packages?

https://tenor.com/view/prime-minister-union-jack-wire-boris-johnson-gif-14622193

roothide no

rootless yes

on traditional rootless setups yes, roothide no

yeah I haven't done roothide

this time I got a kernel data abort, what?

(nor do I care too)

thats neat then

won't get some thing of people hacling packages to work on the new format and getting bugs

I'm assuming rootless v2 packages don't work on a rootless v1 strap (aka current dopamine/pailra1n)

Real

anyways I should probably just suck it up and just figure out why the is_table is empty on daemons lol

RH is the nuclear option for when nothing else works, so I guess it would be nice to have as an option

Imagine if he fell 💀

Would be the best gif

relative humidity?

He fell off in other ways anyway

I'm just kidding

We gonna be voting next year smh

Better start researching this stuff

and you’re gonna vote Tory ofc

fucking poshie

if this is the case, do we need to add smth to the Depends to prevent v2 packages from being installed on an old strap?

looks good

ugh we're making another jb standard?

Does that mean I have to adjust my (in progress) jb?

it will only require minimal changes

alright

i hope this is the last time it changes though, the amount of fragmentation is getting a little annoying

should probably delete that message before the whitenames see it...

so iphoneos-arm64 roothide will still be an option?

and it will be backwards compatible, rootless v2 packages will still work on rootless v1

oh alright cool

(just not on roothide)

oh neat

Excuse me

so its backwards compatible both ways

How am I posh

Posh

uhm

I appear to be getting a kernel data abort near the address I'm writing to for some reason

Useful as usual

Wait this server has AutoTSS?

isn't that a good sign?

not sure

it's closer to the kernel base than where I'm writing to, but

no

no

RH has had its own fork of theos, that's why the adaption rate isn't that great

Overwrite stuff with 0x41 and see if it appears in panic logs

I will PR rootless v2 into theos when it's done

0xfffffff0118c7e94 this is where I'm writing to
0xfffffff0112db548: this is where I'm getting the kernel data abort

idk if they're related

sorta yeah

for non-bootstrap packages yes

I really just hope this is the last time this happens, it's getting annoying with all the arch changes, hard to keep up :P

Still like 0x600000 away

So I’m not sure

but wouldn't it be like a kernel instruction abort, if it was something related to what I was doing?

Yes “undefined kernel instruction” I believe is the panic log you’re looking for

yeah

uh

idk yet

If you overwrite with a bad instr

I think it will be the same

ideally people that already updated for rootless will only need to recompile

my way of getting them to my pc

@tepid olive I can’t remember for certain but I feel like kernel data abort can happen with kfd

yeah that's probably the issue lol

If you can reliably trigger it though then it’s probably not

yeah it happens everytime

I wonder if it's because I write and constantly read at the same time?

maybe it doesn't like that

Shouldn’t be the issue

You’re on separate threads right?

yeah

Then I doubt that’s the issue

should I try just overwriting stuff with 41 to see what happens lol

Agreed

Or like some magic value

Also I’m surprised I’ve never seen you around, you seem to know your stuff 😅

How long have you been working with iOS?

uhm

like 2 weeks

lmfao

but I have background in Nintendo Switch RE

I need to step up my game

Ah i see

Was gonna say

Learning all that in two weeks would be a challenge

yes it would've been, thankfully I already had AARCH64 ASM memorized

I've also read like alot of iOS security research writeups in the past 2 weeks

Ah Nice

What have you read?

Some of the *OS internals books, the Fugu15 writeup, coolstar's jailbreak presentation, the PACMAN writeup

uh

some other stuff

a bunch of Project Zero writeups

Very nice

Fugu14 writeup is also nice

Siguza’s blog is great too

oh yeah I've read some of them too

the KTRR and the APRR ones I believe

There’s a KTRR one

Yup

Siguza has a repo for this

https://github.com/Siguza/ios-resources

oh yeah and I've also read through some XNU source and the KTRW source as well as Fugu15 source, Fugu14 source and async_wake source, taurine source, undecimus source

Wow nice work

Learning a lot very quickly then

and I think voucher_swap source?

I really need to get into kernel exploitation

PAC is my worst enemy

Even just messing around with kfd + PPLRW

that's the big thing I've gathered so far lmao

Fr

I mean

PPL is more of an enemy tbh

yeah, but PAC is more of an annoyance

than an actual roadblock

PAC you only need if you want to kcall

I have been feeling like that aswell

But I don't have the time for it lol

Yeah but you already know what you’re doing :P

eh, the only kcall I need ever is kalloc, which you can easily do by abusing some random kernel structures/ user clients

I need to familiarise myself with how stable r/w and PPLRW works

like OOL mach messages

guys I know how to uninstall ios

Yea agreed

Unless you need kcall for a subsequent PPL bypass

I mean in my first week of doing this, I achieved iOS 16 arm64e trustcache injection

Oh my

Very nice work indeed

thank ye

Did you take a page out of the existing Dopamine source?

eh actually more DNAJB

Ah of course yes

Forgot that that existed

actually KpwnZ has been working with me alot

There were some trustcache offset changes between 15/16 iirc

I see

yeah, I also had to ask them how to patchfind the pmap_image4_trust_caches offset

because I searched for days

I’ve made it

Due to school, I cannot push it

that doesn't even exist anymore

Apparently I was looking in the right place, just being dumb and accidentally ruling it out

yes I know I just call it that

Made what?

because that's what it used to be called

KPF

Ah very nice

alright lets see this panic log

not a single 41 in sight

it probably is because I read and write at the same time

except there's no other time to start the thread

I would need to time it to perfectly line up when I finish writing

wait what

I get kernel data abort even when I don't do them at the same time???

oh

wait

it doesn't seem to like me precalculating the ECC hashes

AlfieJB eta s0n

@marble perch so would it be fair to say/confirm that RootHide will transition to rootless v2 based on what has been said here or is that still not finalized and could change depending on how things go?

nevermind???

lemme try just jumping to this address and seeing what's there

how can i get flex to select something that it cant?

i tried looking through headers but i cant find what i need

it's literally just a random place in memory lmao

to both you and @unique wedge: would I be in the clear to announce this now that this is seemingly definitely happening

that's the goal

You click on it even if it don’t select it then you open views and find it there

that doesnt work

it doesnt appear in the views

nor in a snapshot

Click full hierarchy ?

its like it ignores the status bar stuff entirely

what the fuck is this decompilation lmao

i did, not there

is it possible to diff headers?

Idrk then 🤷‍♂️

i just wanna remove these damn page dots

get the header from a previous version, get the header from a current version, and then use a text diff online tool

problem is

idk which header its from

idk the class name

Oh god I have a lot to read !

@radiant idol when do you sleep ?

uh

like

2 am

or just use the linux command diff

Aren’t you in GMT+4

EST

Ohhh

Right now I'm also not sure of all the things that uh PPL protects

I know it protects page tables

If the PPL bypass still hasn't been tested fully on 16.5.1 <=A14, and public help with testing is still available, @ember cypress has offered to test with their iPhone 12PM on 16.5.1. I'm not familiar with the current state of testing, so apologies if this isn't necessary

I know it protects the trust cache

why does flex not work well on ipads

I know it protects entitlements and certain task properties

what?

Page Protection Layer

https://newosxbook.com/articles/CasaDePPL.html

Maybe this will help you

@marble perch to avoid miscommunication, do you want to summarize everything to tuancc

what's going on? 🤔️

@unique wedge this looks like a good tl;dr of what the plan is though

rootless v2?

yes

RootHide using rootless v2

opa hasn't released it yet, and I don't know much about the specifics of it

what if we had a rootless v2 thread?

Might be nice to have a spot for discussion about it, especially if its still being worked on

what does the mean "using rootless v2"?

using iphoneos-arm64 with the definable root path

rootless v2 is just about the tweak package, it has nothing to do with bootstrap..

it does though because RootHide currently uses iphoneos-arm64e

we’re using iphoneos-arm64e on 17, no?

wat

since basically no 17.x arm64 devices

sounded like that plan was dropped/postponed last I heard

but rootless v2 has nothing to do with arch, right?

okay nvm then

i def haven’t paid much attention

this stupid arch naming scheme is such a pain

also I don’t even think that’s supposed to be public

it’s in proc discord so

in todo iirc

pretty sure that’s private

meh it’s limited to proc contributors

i only view [redacted] as private

help, it just randomly started doing this

anyways w/e forget i said anything

why is there another debate about arch? some people suggest using arch with a suffix, and some want to switch to iphoneos-arm64, but this all depends on how to do it after rootless v2 is released

don’t worry about what i was talking about, it was quickly disregarded among the team when it was first brought up

@radiant idol ?

sort of, but either way the goal is to move RootHide away from iphoneos-arm64e, and if it’s possible to use rootless v2 to move to iphoneos-arm64 then that’s ideal

your lib isnt connected properly, i dont have time to diagnose this right now

oh ok

but it wokred like few minutes ago

but the implementation of rootless v2 has not been finalized yet, how can I evaluate what to do next?

rh will definitely provide rootless v2 compatibility, just like it is currently compatible with most rootless v1 packages, but in what way it will be implemented, I can only figure it out after the implementation of rootless v2 is finalized.

I've already read this

Read it again

I have a question, assuming rh and rootless v2 share iphoneos-arm64, if rootless v2 switches to iphoneos-arm64e in the future ios version, should rh be also compatible with iphoneos-arm64e packages ?

how many times are we gonna change the arch bruh

not all rootless devices are arm64e

moving forward everything should be iphoneos-arm64

yes

a couple ipads

iPad’s, Apple TV’s, a HomePod

iphoneos-arm-rootless would've been a far better solution

but welp

but hayden said it might be possible to switch to iphoneos-arm64e in a future ios version

I’ve looked at that and that’s likely being scrapped due to cross arch issues

I'm confused now

agree

roothide already burned the iphoneos-arm64e arch, trying to reuse it would be a pain

idk im not the one in charge of this

they believe it’s not burned or something

I don’t know what’s up with that

it's burned, idk why people would think it isnt

presumably something along the lines of it’s still early on and most tweaks can just move to iphoneos-arm64 and ditch their legacy RootHide counterparts

I just dont get why some people are so insistent on changing core aspects of jailbreaking

how many times can we change the arch

I mean arch would make sense if it was actually used properly

but it hasn’t since like iPhoneOS 3 or iOS 7 depending on how you look at it

the names are so misleading

it's sad

why did they even do that anyways

thats a whole another story

that’s still partially a mystery today

arm64e is just apple's name for the v8.3 revision of armv8 lmfao

(more like it’s a mess but whatever)

why make it a different arch

look at the theos server

and

from:nightwinddev iphoneos-arm64e

grab a cup of popcorn

and read

I've got better things to do

rip

like switching disassemblers

to cutter

because ghidra sucks because it's written in Java and Java sucks

nope, wrong

I want to use binja

but I don't have $75

but java doesn't suck

it does to me

if you want a language like Java, just use C#

never touched c# really

it's much faster

its runtime (.NET) is anyways

java isn't as slow as people think it is

Ehh.

Java doesn't have C interop does it

Self promo

it has a bad binding system but it does exist

C# has a good one

although I guess you could make the argument that Java is more cross platform

java is fine

but nowadays with .NET Core, C# is just as cross platform

one nice thing about cutter though is that it automatically identifies classes

and their names somehow

I’m confused what you mean by this

yes i don't want to be in rush now

It depends on the implementation of rootless v2, if it provides less compatibility, or full compatibility is difficult, then using a separate arch may be a better choice

I guess my point is to suggest that we should make an announcement that that is the plan in order to potentially reduce the number of developers who are hardcore adopting iphoneos-arm64e as if it is the definitive future when it’s probably not

the goal of rootless v2 is that it will be fully compatible regardless of root path with all packages that are updated for rootless v2

so what should they do now, or wait and do nothing

basically as long as the package is updated to support rootless v2, it should technologically be able to support current traditional rootless and updated RootHide

I mean the rootless v2 compatibility with rh, they are not just differences in root paths

honestly imo right now they should work on packages that support iphoneos-arm64 and iphoneos-arm64e

we know RootHide is more than just what rootless v2 will offer

the point is that the goal is that RootHide can use rootless v2 and support all rootless v2 packages

there are some differences in rh, 1) path expression in the configuration file, 2) bootstrap's access to rootfs 3) the way tweak and bootstrap interact with paths 4) PATH environment variable 5) jailbreak root path that is re-randomized every time 6) tweak the persistent storage of paths
so I said that only after the implementation of rootless v2 is finalized, then we can evaluate how to make it compatible with rh

this does not depend on rh, but on the implementation of rootless v2 and the degree of developer support for rootless v2. you must know that not every developer will use theos, so I believe that rh will still have to consider the compatible with rootless v1 for a long time

you would love symlinks

what does symlinks have to do with any of this

this isn't true

Dopamine 2.0 will support existing rootless packages

oh bad, there is another problem there, dependencies package.
for example, now I have ported libsandy/preferenceloader to rh, and some tweaks that have been updated for rh already work correctly based on them. so what should we do when rh is compatible with rootless v2?

hey @naive kraken hope you don't mind me asking a question, but why in Dopamine, do you launch jailbreakd using XPC messages to launchd instead of launchctl? Is there a specific reason, or is it just personal preference

launchctl doesn't launch in this state

codesigning is still active

besides y'all are living in the past

Huh, I wonder why my jailbreakd loads fine with launchctl lmao

before jailbreakd is started, the signature of the bootstrap binary has not been loaded into the trustcache, so launchctl is not available

jailbreakd??? what do you mean

oh I just have a seperate launchctl binary embedded into my bundle that gets signed with the main binary with trollstore lol

well actually, mine's called Jupiter, but

you get the point

iirc you're switching to launchd right?

#development message did i misunderstand

jailbreak app->load basebin into trustcache->start jailbreakd using xpc->load bootstrap binaries into trustcache in jailbreakd->launchctl available now

or is bootstrap here not the procursus bootstrap but some other thing

yeah that's what I do pretty much lmao

Except I'm still trying to figure out why my daemons ipc_space is empty, like, are its mach ports managed by launchd or something?

(I have read some things that say that, but I could just be misunderstanding)

all it's referring to is that you won't need to use /var/jb - /var/jb is still what will likely be used unless there's a need to change it for whatever reason

mines called launchd

ah I see

that's a good idea, I was only doing it this way to keep with the standard dopamine set lol

random question: does dnajt use jailbreakd or launchd

jbd

I should probably use launchd though

😵‍💫 this is too confusing and I haven't kept up with it

welcome to my life

I assume you insert a hook dylib into trustcache, use opainject to inject into launchd, and do stuff from there, right?

anything to do with rootless v2/roothide/archs is the hardest thing to follow in existence

Also I don't think I'm supposed to be compiling jbd with theos

not that that's related

Like I mean what are the benefits of using launchd over jbd?

launchd is pid 1 and the "parent" of userland in iOS

sandbox

this is true.

jbd is no longer feasible in iOS 16

Yeah I may have noticed that

too many processes can't contact it

I just was trying to keep a standard lmao

alright I'll do the "new way"

standards are a foreign concept at this point

but WebContent cannot even contact launchd on iOS 16 -_-

is it known yet what webcontent can contact

nothing would be my guess

WebContent can't contact anything, isn't it like the most locked down userspace process

has it's own pac stuff and everything

so basically webcontent injection is just dead?

yeah

not really

you could still make it work

it'd just be very hacky

does bootstraps automatic tweak injection require a decrypted ipa to have the tweak be injected?

I guess it's time for the hacky solution

maybe it works over raw mach, I haven't tried that yet

because it's one specific check that fails

it might be something where WebContent can send messages but cannot receieve them

because im seeing no logs at all with NSLog, even in %ctor

and because of XPC being bidirectional it fails

just patch it out, isn't WebContent's PAC bruteforcable if you have root access?

you can't really patch it out

it's sandbox

oh true

we should still maintain compatibility with existing rh tweaks, obviously it's difficult to ask everyone to rebuild all packages at once

that's just probably not going to happen and is not reasonably feasible

https://tenor.com/view/letter-r-gif-9063762

leave the daemons alone

I don't think it is yet

iirc it isn't

but not all rootless v1 packages will be updated to rootless v2 immediately. If the rh user installs a rootless v2 dependency package(such as libsandy), the installed rh tweak may be broken, and if this tweak has not been updated for rootless v2, then users will not be able to use this tweak in anyway

I think you're confused

rootless v2 and rootless v1 are iphoneos-arm64

current roothide is iphoneos-arm64e

balls

this entire blob here

oh

so in this case rh users will not be able to smoothly migrate to rh v2, they will have to completely uninstall the installed environment and reinstall and configure everything

and there is still a problem. If a dependent package has not been updated for rootless v2 (some dependent packages may be closed source), then developers will not be able to update to rootless v2 for tweak

pretty much any dependency package that has been updated for rootless is actively maintained

so that really isn't an issue other than maybe the first little bit

that's gonna happen no matter what

either way the goal is to move off of iphoneos-arm64e - even if the arch was just changed to iphoneos-arm64-rh and nothing else it would still be the same way

Someone give me the cliff notes once this discussion finishes pls, I don’t want to read allat

Ok 👍

if we get a new arch i vote for this one

rootless is not changing arch-wise

do tweaks (bootstrap using ellekit) work with signed apps from app store or do I have to decrypt the ipa and install it through TS? When I tried making a tweak with a filter for an app, it doesn't seem to be "injected" or ran

there is appstore tweak injcetion

any logs?

and you enabled tweak injection into the specific app?

not that im seeing

yes, through bootstrap

idk if im creating the tweak incorrectly, I do see that these modules are loaded in the app though:

roothideinit.dylib
bootstrap.dylib
libroothide.dylib
libinjector.dylib
roothidepatch.dylib

but I dont see any mention of my tweak there, unless thats intentional?

i think it should be called iphoneos-x86

Nõ

iphoneos-ppc wen

Theoretical question: in order for other places in the world to access the EU side-loading, would it require the use of basic bypasses (profiles, supervision,etc) or would it require the use of exploits (Kernel, CoreTrust,BootRoom,etc)?

(which makes it practically useless, except if they only check for stuff at install time and not at every launch)

Every launch sounds brutal

appstore

https://github.com/fmyyss/XNU_KERNEL_RESEARCH

CVE-2024-23208 PoC

yeah

pretty cool

Damnnn

You have to use the same team ID

If you’re manually injecting

i got the pointer address to a swift ivar, however when trying to use the address explorer in flex the app crashes

anyone knows what’s wrong there?

I think that’s just a swift L

Maybe ASLR ?

Idfk

what’s the type of the ivar

👀👀

@radiant idol

fuck swift

Yeahhh good luck

I don’t think you’ll be able to grab that

alright thanks though

i hate swift

no

stop it

Yeah it isn't lmao

what

??

how lol

It is a kernel exploit

so it'd actually be powerful enough for physrw?

But one is a race condition the other is a memory management error. They are exploited in very different ways.

True, i was only referring to the actual impact tho

👍

Idk, MDC and KFD are also kexploits but idk what difference there is

MDC can't physrw

:p

KFD is a physical use after free that uses a uaf that points to physical memory to set up krw primitives
MDC is a race condition in the vmap layer of iOS that allows you to write to read-only mapping. it doesn't do anything else

if you want to learn more about the MDC bug, ian beer has a talk about it

https://www.youtube.com/watch?v=jrxOhGGxDZ8

one part that i'm curious about is what kernel data structures actually have pointers to physical memory addresses

all of kfd is related to the l3 page table

And technically what we've just seen isn't an exploit so to speak. It's just proof that it can be exploited

look at my fucking #development dawg

Man

Execute code with kernel privileges?

That's different than both kfd and MDC

That's called a LPE

I think

is it an LPE or a krw

Fairly sure it's an LPE

MDC's was executing code with kernel privileges according to apple

anyway the exploit doesn’t work on ios

yet

it will work soon tho

I could make it work on iOS rn

some things extra needed

But idk what the exploit is useful for

trollstore install (i guess)

@sonic totem what does apple mean by code with kernel privileges? Just root, or is it like code running in the context of the kernel

I'm assuming it's just root

If it's code running in the kernel, you likely need root for it to work, however if it is code running in the kernel it could be useful for jailbreak on older versions

and i aint wrong, they both say the same impact 🙃

You literally cannot arbitrarily execute kernel code without a PAC bypass

Idk what it’s on abour

Hold on I’m playing guitar

https://github.com/fmyyss/XNU_KERNEL_RESEARCH

Yeah I know, I was thinking that it was maybe abusing something to run code in the kernel

Something that the compiler missed PAC instructions on

this thing

Then again, I wouldn't be surprised if apple screwed up the entry to begin with. They screwed up their own description of PPL.

Because this does happen sometimes tbf

apple classified being able to run code that can access kernel memory as that, I think

What, that's so stupid

Running code with kernel privileges is different than kernel memory access lol

what’s with this

apple loves to hide

very normal

they silently patch landa in 16.7

I see

without even a second RC either

Interesting

apple is just wierd

Yeah it’s probably krw

The fix was improved memory handling

nice

if it’s true

That doesn’t mean it’s useful for TrollStore btw

It could very likely be that it requires root privileges

we don’t know

until the exploit becomes public

if not we have other exploits as well

The exploit is public wtf are you talking about

which ones lol, google hasn't made the kernel bug public yet

forget about that

never gonna happen

and even if they did, we dunno if it's powerful enough for krw

@sonic totem if this is krw, this could be good for krw handoff, as it appears it works only using a file descriptor

https://x.com/mastermike88/status/1753357815756845417?s=61

read the important bit

it aint an exploit

Oh it doesn’t exist in 16.x?!

yes

only 17.0-17.2.1

Also I’m a security engineer so shut up

It is an exploit, a poc means it was exploited

A poc is proof that it can be exploited

Uh no

No?

A PoC means that it was triggered

I guess I have a misunderstanding

Ah yea, that’s right

I mean handoff is handoff

I’m not gonna do any work with it because it isn’t useful for me

Yeah

Oof

It’s interesting either way

It was introduced in 17.0 so yeah

The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

It’s krw

That’s… not accurate afaik

It’s a use-after-free

Oh, Google has mislead me

is it a P-UAF tho

No

cause isn't physical UAF needed for krw?

What's the difference?

Oh also

a pUAF specifically deals with physical addresses

Nvm

No

They’re just

Easier to exploit

Good to know

What does this mean

An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations.

What does Apple mean by that lol

PPL bypass

It could be

if u find a ppl bypass do you need to also find a sptm bypass for a15+ devices on ios 17+?

those devices don't have ppl if they have sptm

oh

Sort of, SPTM replaced the PPL binary in a15+ in 17.0+

so ppl bypasses wont work

on a15+

ppl isn't a binary

so lets say we found like a krw for ios 17.0.1+ and a ppl bypass too

Isn't it a hardware feature controlled by one?

PPL is a micro kernel running inside of the kernel

we gotta find a sptm bypass for devices above a15?

Only it can access certain parts of memory

i wouldn’t be so sure

real

uname -a?

Darwin iPhone 22.2.0 Darwin Kernel Version 22.2.0: Mon Nov 28 20:09:56 PST 2022; root:xnu-8792.62.2~1/RELEASE_ARM64_T8120 iPhone15,3 arm Darwin

👍

🔥

Sérotonine?

Seratonine yeah

Seratonine

🔥

Lit

Dopatonin

Dopaxine

lol

Wen eta

wen eta

ios 18 untether wen eta

i fone

i fone

https://www.reddit.com/r/jailbreak/comments/1ah2c8w/ rate my setup Nathan 🙏

bang

Ty

including a15 on 17.0+

once someone gets krw with that poc, hopefully, im gonna try and get serotonin working

My friend with 11 pro max is on 17.0

doubt that'll happen

you should use krw to get keyboard tweaks working

easy

Won’t become krw

zone_require

damn

Just gotta wait for Dopamine 2.0

That’s my only hope

gm

damn i just realized my phone wasn’t charging overnight im at 5%

L

fuck kalloc zones

and types

Yeah lmao

Zone_require is fine when all you need to do is get a kalloc though

?

Well if you’re just trying to abuse something to allocate some kernel memory, it doesn’t matter

uh, how so

the issue here is you can trigger the uaf but can't reliably fill that exact spot in memory with controlled data

https://github.com/fmyyss/XNU_KERNEL_RESEARCH/tree/main/CVE-2024-23208 some nerd sent this in pale server

is this anything new or no

i've seen that link like 39 times today

sick

But task_for_pid on ios16 does not work. I started a process as root with task-for-pid_allow. But the task_for_pid function always gives me -1 and I don't see any error logs

I doubt

that'll happen

are traditional (not puaf) uafs even worth trying to work on anymore? I was thinking about it and it doesn't seem worth it to trial and error with kalloc_type

like that apple blog post about sockpuppet showed that almost deterministic exploit was reduced to 8% reliability because of kalloc_type

Wait so if you delete the ppl binary will you bypass PPL?

I love how 120Hz iPhones max out at 80 Hz

Where are the pac and ktrr binaries?!

Delete them!!

£20 per path

£20 or I just run which pac on my device

Math isn’t mathing iCraze

what tweak should I make now

update calculatorhistory

make mud splasher

Nexus16

bootloops its coming

Delete the /var folder

instant jelbrek

@hasty ruin honest response

https://tenor.com/view/nexus-bootloop-gif-1842115589251525256

The dang PowerPoint transition

now fiore has a tweak idea

bootloop master

Customize the iOS Nexus Bootloop Experience

challenge: unlock 80 Hz lock for ProMotion iPhones

there's 2 ways you can force 120 Hz in iOS

I hate when people ask me to do stuff like this because I don’t have the physical resources for that

but they never stay

rip

has anybody done forcing certain Hz on macs yet

only works on my device

I don't think so

I'm not manually injecting, I made a tweak that has a filter for the bundle id of the app, and I enabled tweaking for that app. It's just that it doesn't seem to be hooking anything, and I'm not seeing any logs.

average BeReal. tweak

Can you listen to NSDistributedNotificationCenter.defaultCenter without hooking layoutSubviews ?

what does that have to do with layoutSubviews

all you have to do is add an observer for what you want

Thats all

?

why are you hooking layoutSubviews lol

So I can throw it inside ctor ?

not me but nightwind

i mean

that method works

but there's probably a better way to do that

yeah but battery bim boom bye bye

should remove the observer before adding

to avoid duplicate listeners

It did not work without layoutS unfortunately

I would like to avoid it too

But

¯_(ツ)_/¯

i can see why i guess

if you're looking at an ancestor then yeah subviews might come into play

Are you serious?

100%

start screen recording to see actual 120 Hz

This is fraud, we need to file a class action lawsuit against Apple

I mean the display supports 120 Hz and the latest update supposedly finally goes up to 120 Hz

so I guess it's not an issue anymore

They have been lying for 2 years if the latest update goes up to 120 hz, what about the previous ones?

I think they fixed it in 17.2 or 17.3

are you fr

I'm actually for real lol

https://apps.apple.com/hk/app/悬浮时间-悬浮秒表悬浮窗控时助手/id1568931280

you can use this chinese app to test

it has a Hz measurement pip window

once you start screen recording you'll see it start to hit 120 Hz but without it you'll see like 80 max on the homepage and in apps

and you can also easily tell 🤷‍♂️

?? since when does Xcode do this

@sonic totem I might know why the constant reading didn't work

I did it in a while true loop, so it still has to evaluate whether true is true

I should've done it in a for(;;) loop

Because that doesn't have to evaluate anything

Is there a solution for this? Like is there an example tweak I could base of off to actaully test? I know bootstrap is being injected in the app, it's just that my tweak for whatever reason isn't despite the bundle id being in the plist

Yeah quite possibly

Wait what?

I thought it was showing two devices called “Alfie”

It’s letting me run it as arm64/arm64e?

Another thing is that I used virtual addresses to read it, using mapped physical addresses would be faster

lol

Typical Xcode

Although dereferencing also probably takes some time

Now that I booted Arch

new issues™️

error: '/home/bibi_fire/theos/sdks/iPhoneOS13.7.sdk/usr/include/mach-o/module.map' as a module map name is deprecated, rename it to module.modulemap [-Werror,-Wdeprecated-module-dot-map]

Fun™️

Maybe rename it to module.modulemap

Thats what I'm doing

wait @sonic totem what if the compiler is inserting cache maintenance instructions into my code?

I have absolutely no idea

I can check with ghidra

But your program shouldn't interact with kernel cache immediately

the cache is a general CPU cache

L2 specifically

but compilers might insert the instructions to ensure execution order

Yeah idek what I was saying here lol

I was only half-focused

most modern compilers most likely will insert cache instructions

i believe it’s due to ensuring proper execution

but idk

-O0 supremacy

mods :/

oops forgot rule 3

sorry

I didn't find any anyways lol

only the one I put on purpose

@sonic totem I've encountered a new error

*panic

pmap_enter_options_internal: page locked down

now why that's happening: idk

Hmm

If opa sees these messages he will probably have an idea

probably

/* The regular old kernel is not allowed to remap PPL pages. */
            if (__improbable(ppattr_pa_test_monitor(pa))) {
                panic("%s: page belongs to PPL, "
                    "pmap=%p, v=0x%llx, pa=%p, prot=0x%x, fault_type=0x%x, flags=0x%x, wired=%u, options=0x%x",
                    __FUNCTION__,
                    pmap, v, (void*)pa, prot, fault_type, flags, wired, options);
            }

            if (__improbable(pvh_get_flags(pai_to_pvh(pai)) & PVH_FLAG_LOCKDOWN_MASK)) {
                panic("%s: page locked down, "
                    "pmap=%p, v=0x%llx, pa=%p, prot=0x%x, fault_type=0x%x, flags=0x%x, wired=%u, options=0x%x",
                    __FUNCTION__,
                    pmap, v, (void *)pa, prot, fault_type, flags, wired, options);
            }