#development
I charge $60/hr to fix procursus things, but for Java it’ll be $120/hr 
well we can still pin
just no deleting
it's like an old western town but the streets are paved over and there's a walmart now
Welcome to r/jb
2026
This is basically 1984
woeis
White name moment
who’s our walmart greeter
plx for sure, every time i get pinged in announcements they're here
this does not spell great things for my internet entrenchment
join furry communities theyre less mentally damaging and amazingly have just as many people in industry hope this helps 
incredible advice that certainly many in this server will hate on
there is folf fur stuck in the ethernet port
Deservedly so
this server is a bastion of good takes always keep this in your heart
@naive kraken @sonic totem @robust radish
does any of you know what exactly i should call to ask SPTM to change protections of a page? there is sptm_map_page but i couldn't make sure if it can be used for this.
goal is changing RW memory to RX memory in the kernel when ctrr is disabled. (which im still not sure if its possible or not)
Ermmmm
Can you patch SPTM
or not
Because lowkey the easiest way is just to modify kernel PTEs directly
That’s what I did under no KTRR
the setup is basically "SIP/amfi off + ctrr disabled + kextRW" so probably no ?
nope, that panics with "Taking non-sleepable RW lock with preemption enabled" when ctrr is on and "Unexpected fault in kernel physical aperture" when ctrr is off.
edit: okay now i am trying it again and it stopped panicking for whatever reason, although i am still trying to find out if it worked.
edit2: i don't think it worked, the target address panics with "Kernel instruction fetch abort at pc". Which makes me think it's still RW
That is such a cursed panic reason
<@&355174844205367317>
No way thanks mr beast
Ok but can it actually successfully “recover” data in that state if the passcode is right
I mean
To get into this state you’ve sacrificed the data anyway
If it doesn’t then apple doesn’t care
Although
Interesting since you can unlock a device with activation lock if you bestow upon it the previous passcode
Sometimes
I forgot how this actually works
backup nand !
very surprising to me to see the keybags haven't even been wiped
during data recovery it can't store the state of the failed passcode attempts onto the actual stashbag
who's to say the second update is the one that bricks it
its likely the first
I could've sworn everythingapplebro made a video about this like 7 years ago
everythingapplepro
@fringe cove https://www.youtube.com/watch?v=IXglwbyMydM
This $500 Box Used By Police Can Hack & Show ANY iPhone 7 & 7 Plus Passcode! How It Works on iOS 10.3.3 & iOS 11 Beta!
I found it
yo why is that technique so old
what the hell
surely you would think they'd have figured it out by now
well it is big, just... not the first time it's been discovered i guess
apparently vm_protect is returning KERN_INVALID_ARGUMENT (4). don't really know why
<@&355174844205367317> spam
<@&355174844205367317>
Thank you Elon musk
I can't believe my withdrawal was successfully!
top 10 gir moments
Thank you you heap of shit
unsurprising
tfw my bot, which has been running on pycord and hasn't had any real updates in over 2 years, has better uptime and reliability than gir
yes
just do the usual seprmvr64 dualboot way but just dont seprmvr64
make sure to copy sep fw and stuff
should work ™
yes
what are the chances we get coruna based jailbreak?
isnt this apfs container stuff
or at least disk2 would be, i imagine the kernel just exposes the "NOR" as another disk(s) for convenience (?)
then those are views of the NOR
quote unquote because they're actually stored in the nand
they've had both iirc, partition pointing to the apfs container and also containers as logical disks themselves
boot components, i.e. the ones loaded by LLB
They have to have disk0 pointing to NOR
For ROM I think
huhh doesnt ROM not even have those abstractions
doesnt it just read straight off of disk with offsets and lengths
yes
normal partitions
O
yes
nvme namespaces
0s1s1 should be root and 0s1s2 should be data which on sep devices you need giga locker for
then on apfs and later you get like 1s3 as preboot and etc
yes, the one in xART partition
is 0s1s5 in apfs usually
bool AppleEmbeddedNVMeController::IdentifyNamespaces()::2071:Found 7 namespaces in current NAND
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[1] as nstype[1]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[2] as nstype[2]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[3] as nstype[3]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[4] as nstype[4]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[5] as nstype[5]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[6] as nstype[6]
bool AppleEmbeddedNVMeController::DetermineNamespaces()::2520:Identified nsid[7] as nstype[8]
no
those aren't the disks
theres probably a namespace for various things
SYSCFG, NVRAM, and I guess disk0 and disk1 get their own namespace
disk0 just being raw blockdev format
apple only designs stuff they deem needed
idk
better off hijacking ANS2 firmware imo
the literal nvme driver
its own chip
its an interfacer like I2C
read raw address write raw address, controls functionality
you really should do some I2C/LCD breadboard stuff
you can try to get the BSDRoot code in kernel to init the syscfg/nvram as disks
may need decent amount of reversing
doubt its hidden, the code to show it just doesn't exist because it was never needed
I think its simpler than we all think
they're physically inaccessible from the AP afaik
you'd have to send the data from the coprocs to the ap and make that a virtual disk for that to work
not well versed in the driver but i would say so
but it should have been stored in such a way that it's easily accessible by iBoot since it needs the info
well no the kernel should also need it for like the nvram userspace cli and probably also uses syscfg for something else
but not sure it depends on the ans2 driver for those things
How exactly would I hook into SwiftUI classes/functions to for example change text in theos? From what I saw I think it’s pretty different from UIKit so it would work differently
Thank you
Iirc it's like nvme namespaces or something
don't be this annoying
You asked this a million times before and refused to even give the game name
at this point no one should give you help now
I did man 🙁 its Respawnables
I Said it in #jailbreak
<@&355174844205367317>
Performance
it's in the name, it's a fast path
Before iOS 14, everything not in trustcache went through amfid, which involved the kernel communicating with userspace, and this is SLOW compared to keeping everything in the kernel
Now, if a binary is from the App Store, its signature validation is done entirely inside kernel code and it saves AMFI having to call out to userspace
and on a regular user's device, the only apps they will be running are either system apps or App Store apps, so in theory, AMFI will never have to call out to userspace
Only when a user starts sideloading or using TestFlight does amfid actually get used
recently opened apps are probably cached anyways
Yes
Or just any Apple binary too
daemons and stuff
And binary on the rootfs
Also while it may seem like a security risk to have the App Store fast path, you have to remember that CMS parsing bugs are not easy to find
Not impossible, but very difficult
I mean ASFP has been around for 6 majors now and only two public bugs have been disclosed
at this point why hasn't amfid been eliminated entirely? (aka, why can't they make the entire CoreTrust out of fast path)
like I always assumed this was just them slowly porting things over to CoreTrust, while also getting a performance win
I would presume because validating provisioning profiles can require an Internet connection and they don’t have the functionality for that in the kernel maybe?
ah, provisioning profiles
And with how provisioning profiles are installed/stored on the FS as well for example, seems like something for userspace to handle
I could maybe see amfid being stripped down to just things like that, but at that point the perf benefit is basically zero
I mean, it basically is
Stripped down to just that I mean
Enterprise, developer and TestFlight certs
All of which can expire/revoke/whatever
I'd be happy to answer you, but unfortunately I don't understand you
just make your own profile yourself, it's not that hard
Hi are you interested in possible collaborations with my company in vulnerability research on mobile and desktop?
Most jailbreak developers are already hired at companies like cellebrite/coreillium
Don’t reply to bots
I am not a bot
Thanks
For a second we thought you were, when you sent the same message across multiple servers at the same time, our apologies
Ok sorry 👍
i love how hes talking like he's talking to one person only
@quaint rain gm
?
gm
Gm
GM
<@&355174844205367317>
@torn oriole
<@&355174844205367317>
Maxine do your job
any rust nerds see this https://github.com/Batchhh/Alloy-ios
high-performance, mod menu, memory-safe framework, hooking & patching & breakpoints at runtime - Batchhh/Alloy-ios
i was banned from jailbreak i dont know why and i need to get unbanned because my favorite game is jailbreak and jailbreak is my motivation so im really sad that i got banned so can yall teach me how to get unbanned please help me
can yall help me?
!t roblox you got told in #jailbreak
Hey @patent eagle, have a look at this!
This Discord server is for iOS jailbreaking, not Roblox. Please keep your discussions on-topic, thank you!
No
how does this compare to ellekit
<@&355174844205367317> (especially @kind herald) do your job
bro
@slim bramble @light owl @native dune @shrewd smelt yooooo, theyre handing out bitcoin
Ok
imagine getting muted
what a skill issue
LMAO
yeah, imagine...
lies
what the fuck, since when is it 4 pings
wasnt it 5 ?
thx rick (i assume it was rick)
reply counts as one
b r u h
<@&355174844205367317> gm
Oh my Christ what is with them all today
<@&355174844205367317> gm
Gm!
Chilling like a villain. New place, finally unpacking. You?
So much more storage and space for jr to move. He’s not fully crawling but doing the army crawl.
Honestly this made my day, glad to hear bro
oh no watch out
gonna be causing trouble in no time
apparently when i was a baby i knocked something heavy over and it nearly landed on my head 
Time to invest in protective gear lol
<@&355174844205367317>
<@&355174844205367317>
Modulators
rick
gir needs opencv to spot those attachments
True
mr beast in attachment = ban
@hasty ruin yoo they released an irl video of you
Is it possible to strip a process of CS_PLATFORM_BINARY on macOS?
With amfi off basically all procs have it and it can cause this:
i dont know
but that seems to be the same thing breaking dotnet runtime
java is also broken with amfi off
oh what
i dont remember having any issues with it on monterey at least
and i had amfi off for years on there
well right now i have so many workarounds for no amfi_allow_any_signature
i hooked amfid to platformize dylibs in /Library/TweakInject
If I make it platformize all that issue comes back
I wonder if i need amfi off
entirely
Idk how much shit would break though since i have this
Yeah how do you know this
yup
yeah this comes from the .NET runtime
I debugged this a yearish ago and it is something to do with the JIT engine getting an error back from the system in whatever way, I forget the details
I wanna say this shouldn't be fixed because we shouldn't normalise running with amfi nuked, but, it does actually get in my way on my isolated test Mac 🙃
why does this only happen when the process is platformized is my question
that's so weird
It’s not uncommon for them to disallow certain mechanisms for platform binaries
is it possible to strip platform from a running proc?
With krw?
I just looked into the xnu src no its not possible without krw
can you use a kext
with krw, where was that flag located ? (like whats it called)
in the proc struct ?
CS_OPS_CLEARPLATFORM in dev kernel
yo
is there any hooking library using stikdebug with the txm thing for patching the instructions?
so like
on txm
can't write to executable memory
so u have to use a debugger to write to it with privileged access
is there a hooking library that uses that workaround for hooking
proc->proc_ro->csflags
didn’t see this but absolutely 0 idea i just stumbled across it
<@&355174844205367317>
<@&355174844205367317>
there has to be a way to auto block this shit
Discord will implement any feature except protect their users
Lmao finally after a decade they made load times faster
Can’t make this shit up
Coruna
https://github.com/userlandkernel/ios-deamon-clients can anyone tell me if i need entitlements for this backboardd xpc logic
A set of XPC client utilities for iOS system daemons. - userlandkernel/ios-deamon-clients
i was working on a tool to launch, terminate apps and respring
using backboardd xpc
if i run the app on non-jailbroken phone it just says xpc connection invalidated
but i can't see why in my syslog
I reverse engineered the xpc logic from backboardd the logic should be correct
7 years in to SwiftUI
Quoting Jacob Bartlett (@jacobtechtavern)
CPU and thermal performance in a SwiftUI list explains why we had so many hitches. Even at rest, no scrolling, the CPU screamed at 100% capacity to render every gif, and well past 100% (distributing work across CPU cores) when I scrolled.

The “Very High” energy impact rapidly heated my device. The measured thermal trace crept up towards Serious. When I wasn’t paying attention, the app was even killed by the OS, presumably hitting a critical thermal spike.

After giving a serious beating to my shiny new A19 chip, the same feed in UIKit produced comparatively nearly trivial CPU and energy usage.
* At rest, UIKit dropped as low as 11% CPU utilisation, vs a consistent 100% for the SwiftUI version
* Energy usage correspondingly held at High for UIKit, vs Very High for SwiftUI.

I gave up waiting for the thermal profile to hit Fair after 3 minutes.
…
You do
So this would work on jailbroken iOS with entitlements
Are all daemons locked down with entitlements or are there also daemons i can talk to without em
I’m researching xpc
I also found that if you set TaskSpecial port in a launchd plist to -1 it will bypass the checks and launchd will accept it as a huge integer
But that won't likely cause issues
Launchd is pretty secure xpc wise
It's pretty nice you can build iOS apps on linux with theos jailed and sideload with Legacy-iOS-kit
I’m now reversing xpc of locationd and writing clients for it
Hey! I did some sandbox research on Delta Beta (iOS 26) with a custom injected dylib. My goal was to find a possible vector for something like TrollStore on iOS 26, but I only found typical sandbox denials. The report is in .md format because I use Linux. I'm not very experienced, so any tips on where to go from here would be appreciated!
None of this makes any sense if you put any amount of thought into it
In what way
Fair enough! I'm still learning. Could you point me in the right direction?
I mean I asked claude about a solution to my problem and asked it to research... but it still feels unlikely that it would work.
I understand, I'm still learning. I was just tired of dealing with certificates expiring all the time and had the idea of looking at some logs on my iPhone to see if I could find anything useful, maybe something that could lead to a TrollStore equivalent on iOS 26. I know it's a long shot, just trying to learn.
Outside of my range of knowledge sadly so I can't really say
The way TrollStore works is with a flaw in how the CoreTrust kernel extension validates binaries
You'd need to find a CoreTrust bypass in order to have something similar, and that's insanely unlikely as Apple hasn't reported patching one recently and it's not a common class of bug really
That makes a lot of sense, thank you! So there's basically no realistic path to something like TrollStore on iOS 26 right now?
Not at the moment no
Your best bet is just dealing with sideloading normally or getting an Apple Developer Program membership
Understood, thank you so much for taking the time to explain! Really appreciate it.
Best tip I can offer is don’t ask AI to find bugs based on syslog
oh, ok thanks
I don't know much about it. I was trying to learn something new, so I ended up asking some AI tools for help to see if I was on the right track, but thanks for the tip and for your attention.
You need to extract and analyze the sandbox profiles
But it won't be good for trollstore
can i have your claude api key
Found my old iphone x running ios 13.7 and it works
sk-ant-api03-YxrH-ZL0G
Sorry youll have to pay me for the rest
nice claude research
the only realistic way outside of exploits is if you can find prime factors of an old 1024-bit public key before Apple realizes and bans it
@slim bramble hey bro we need to utilise the 16player botnet
get them cracking
With checkra1n & blackbird do you guys think its possible to bypass biometrics?
Or does the touch id have something we need?
we can't discuss that here
its not what u think it is but ok np
is it possible to automate entering a passcode instead?
@modulators
they arent gonna do anything
based stance on vibecoding
Just don't have a skill issue
Hey duck how do I pwn iOS 26
use checkm8 with dmaFail
i used to give models the shit but they are good as long as you don’t hit the ethics barrier
it got me to where i wanted and much faster than i thought but i still had to think
if you want to build an app and install it with custom entitlements but don’t want to deal with a persistence helper i assume it's ok to just use the exploit chain of trollinstaller and then have my app be the system app?
how are you going to install it as a system app
just give your ipa the entitlements and it's a done deal
if you're on a trollstore-able version just install your ipa through that...
build my own minimal installer using trollinstallerx
i mean sure but there’s a reason i want to avoid it. the code looks fine i guess
yeah like im just wondering what the reason could be
trollstore is not detectable...
💔
Trollstore is literally goated
CVE-2025-31207… unless someone backported the patch to a tweak
yeah but you can bypass that by changing the identifier no?
there were like 1-3 apps
this wasnt my concern either to be honest
i was writing something that does operations with the secure element by having access to the pin. i was thinking although it is risky i can reduce some of the risk by not using trollstore and just using the way it installs itself to become a trusted app
risky being what the app does kinda breaks the trust model
i mean it's probably unlikely anyway, i’d probably set up mdm to disable certain things on this device and have a firewall in place
without LLMs i would totally agree with you but it would probably take it 30 minutes to have working installer without input from the human
i dont think a mdm profile can stop an app with the highest entitlements
im saying i would use it to lockdown the phone after i install it
like for example no safari or no messaging (idk if this is possible) and no installing of apps
and one to prevent updates
at the end of the day this is all over the top
its v unlikely i would be a target of anything
have most jb’s been found by state actors' exploits being patched or independent researchers debugging?
any way to use xcode on windows? or get a free macos cloud vm? since virtualising using own hardware is far too laggy. just trying to modify vlc for ios so it mixes audio when a second audio source plays on top of vlc, which lowers vlc audio volume while the second audio source plays then restores the vlc audio volume once the second audio source is paused or finished
no
gg hacked account
<@&355174844205367317>
use WSL for development, then github or bitrise macos ci to build final release
kernel_base: 0xfffffff04b848000
kernel_slide: 0x44844000
Mach-O magic: 0x100000cfeedfacf ✓
uid before: 501
seems like u can get llms to vibe rebuild exploits
yeah but whats the point
if this is the darksword chain there are 2 already public objc implementations anyway
ye i mean it doesnt mean much to me but it gets rejected by chat but works thru claude code
seems odd to me
the thing is once u have krw thats cool and all but then what
without a base for the llm to build upon its gonna start hallucinating
and if u dont know what the previous steps do the latter steps will become 100x harder
sorry if this comes over as mean btw its cool its just a bit silly imo
is there like a guide i can follow for more info on this? a youtube video, blog or some documentation?
for WSL?
well i’ve never used WSL and i’m not really familiar with bitrise macos ci
what about github or bitrise macos ci to build the ipa?
let’s say i use github, what would i do?
i dont have time to explain, chatgpt it 👍
ye u were right lol stuck and im not an ios re person
osxcross my beloved
While my MacBook can certainly compile various things and run them, both osxcross and darling (the latter for CLI binaries only) work fine on my beefy Linux desktop. I exported my Xcode SDK under the right license terms and ofc can’t and won’t re-share, but the binaries the clang installation produces run just fine on real macOS and iOS if you really get into the bare metal and toolchain stuff. And you can just sign the binaries and be off
@lime pivot @main nexus care to explain why u are thumbs downing?
ai is known to hallucinate and give wrong/incorrect information
that's why you tell it to source online sources
also github ci is not complex
if u dont know how to use chatgpt to prevent hallucination on simple topics then u might as well give up
there's a better source it's called google
where do u think chatgpt sources online information?
you think ChatGPT sources info from Google?
no it searches the web, which google does too
!t ai
AI is considered an unreliable source of information and should not be used to obtain any jailbreaking advice. This is because some AI models are trained on data that is either outdated and no longer relevant, or is not explicitly trained on iOS jailbreaking. As a result, AI can often "hallucinate" or state something that isn't true. If you would like to jailbreak or get support with one, you may use the buttons below or ask in https://discord.com/channels/349243932447604736/688122301975363591
.
did you miss the part where ai can search the web?
why would you rely on second hand information that you then need to verify for yourself regardless
useless
use brain
ok then ill tell the guy to google it instead of chatgpt, happy?
yes stop telling people to use chatgpt to offload their brain power
it's already weak from being in rjb
guy didnt have any brain power in the first place so thats why i told him to chatgpt it
no
guy was asking questions he could simply google easily so clearly he doesnt know how to use google anyways
i did google, and most results ended up saying you need a mac to build an ipa, hence why i came here. there's no need to be so rude
then you werent googling correctly, so telling u to use chatgpt was the best choice
It will only search the web when it believes it needs to or you tell it to
At least for GPT and Claude
you didn’t tell OP that before hand
Plus not all ai tools can source the web, basically only the official instance of the main ones can, at least effectively
Tbf I don't think any decent LLM would need to search online to get the original question correct
Decent LLM being ChatGPT or Claude specifically
do u guys not like LLMs?
I do
thats what i said but everyone here thinks llms are too dumb to explain github ci
Telling other people to depend on it for a basic question is not
i completely agree they have issues but i think they are better than searching the web
theres a reason why google shows gemini in the response
I don't think they're better than searching the web for everything
There's things they're good at and things that they aren't
Development and programming stuff though. Is something that they're good at
for example jailbreaking they are probably good enough
Hit or miss
I wouldn't take jailbreak advice from ChatGPT
Too niche of a topic
^ agreed. i said chatgpt cus i know github ci is an extremely simple topic so llms are more than capable enough to tell u about it
From me and from what I’ve seen from others, nah
I’ve seen it recommended make tools
And/or just make a up a jailbreak/support for it
but the jailbreaking guide thats so often linked in here, would that not be its primary source of truth lol?
That is absolutely a legitimate area where it will hallucinate constantly and I've experienced this myself before asking rather simple stuff
It's not really, no
They don’t get trained off data here
They get trained on sketchy websites that allow ai to scrape off of in the case of a few more clicks
its not that
they get fed a shit ton of data
you cant and probably dont know exactly what goes in to an llm
Data not from here; or if it is it’s so little
but u can prolly guess
The sources it was checking online was not really the most legit things
It is somewhat impressive though that it was able to filter that out and come up with a pretty much accurate result, but it is way more 50/50 than something properly officially documented in detail
Anyways this is probably getting a little bit off topic now
sure
On this specific paragraph they forgot dopamine exists
Would like to add that Claude would be better on this than ChatGPT, which will suck your dick as it’s spitting misinformation
yea and on the first one the llm assumed ios 18 exists for the 17pm
i know its not completely accurate
Claude did impress me again here
Acknowledged it needed to do a web search at least
ChatGPT is pretty horrendous if it doesn't know what it's talking about
When it does know what it's talking about though, it does pretty okay. It just won't tell you or try to search online if it doesn't know what it's talking about really
claude helped me write an ios app & reverse engineer some system binaries
and it eventually worked
Well that is an older one and doesn’t have as much fakes/misinfo as palera1n, checkra1n, and unc0ver
and the way I wanted it to, but i had to know how the RE & i had to think too
i heard claude found zero-day exploits on ms edge or something like that
I’m not saying LLMs themselves are bad, it’s bad if you're telling other people to use it for a topic it can hallucinate on and for which the person can’t really be held much accountable
github ci?
@main nexus
Especially for ChatGPT in particular
wdym by held accountable, are you saying if you want to offer help you better offer the best help possible not just "use claude"
I do think that is kinda true
Offering help isn't super useful if you're just going to directly cite AI or tell someone to just use AI
Pointing someone in the right direction / knowing roughly what to do is good
that's actually wild
free bug bounties
you are right however current frontier models are better generic knowledge stores than any human
if you are going to offer help and use ai in the answer you should have some familiarity with the topic
I agree with that as well yes
i personally have never helped someone by using ai to help them
#779145909886910474 message confused on "An app may be able to enumerate a user's installed apps", can apps not already do that, like shortcuts and others
js wondering
A sideloaded app can’t
It counts as accessing sensitive data
oh i see
do appstore apps just automatically get the permission for that then
or, how do developers test that functionality then on a real device
neither can appstore apps
i downloaded an app yesterday that did
it controls screentime though so probably something using that
you see why there is no public API to detect TrollStore
yea
interesting
i assume it just did it using screentime or something then, since that's the purpose of the app
oh yeah there's an API for that
but like not all apps can use it since it's behind an entitlement
you are very misinformed if you think this fixes hallucination
brother the topic was about github ci, not how to create exploits for ios 26
not the reason though, your original message was condescending and could have been worded better
so is this one
which original message exactly?
HOW IS THAT CONDESCENDING 😭
idk, chatgpt it
holy shit if u think thats condescending ur either being disingenuous or soft af lmao all i said was i didnt have time cus i really didnt, and said chatgpt it
i tried to be extra nice with the 👍 too
Some banking apps on the App Store started shipping a sandbox escape to detect TrollStore being installed, I'm not kidding unfortunately.
https://www.rxddit.com/r/Trollstore/comments/1s2jl44/deliveroo_yet_another_popular_app_that_ships/ thought I would leave this here
Starting from version 3.306.0 Deliveroo ships with the sandbox escape exploit discussed here to detect TrollStore.
The detection was initially disabled, and is now enabled by cloud configuration.
Verified by installing the app on a newly restored syste...
tl;dr another appstore app uses a sandbox escape to detect trollstore
actual insanity that's allowed
pretty sure no, that's just due to static analysis not being able to catch them
by analysis it can be easily hidden, by the policy enforced by humans it shouldn't be allowed
apple should install trollstore on all app store testing devices to make sure this never happens again
No, it genuinely is just a stupid response to give
ok cool
“You wanna play at your own game” ahh app
cus apple
heck even for a sake of trollstore
its just a trollstore
bank apps even trolled us🙃
because app review barely reviews anything, these days they're mostly just there to enforce that you're using in app purchases correctly. they only enforce other rules when someone reports someone breaking them
I feel like someone might know what Xcode version this error started happening with: "error: The armv7 architecture is deprecated. You should update your ARCHS build setting to remove the armv7 architecture." The toolchain supports armv7 just fine I'm pretty sure but Xcode refuses to compile if that's found in ARCHS
lmao
14
Iirc
Actually
Well it depends
Yeah 14
can this new krw exploit also be used to kcall stuff? or does that require a pac bypass or other stuff like that
We have a pac bypass btw
Also, I’m patching this ucred struct:
0x00: 00 93 20 f5 df ff ff ff 40 9a 20 f5 df ff ff ff |.. .....@. .....|
0x10: b6 02 00 00 00 00 00 00 2a 07 00 00 05 23 00 22 |............#."|
0x20: c0 bd 07 f8 dc ff ff ff 60 0d f7 45 dd ff ff ff |........`..E....|
0x30: 02 00 00 00 00 00 12 00 00 00 1a 00 00 00 00 00 |................|
0x40: f5 01 00 00 f5 01 00 00 ff ff ff ff f5 01 00 00 |................|
0x50: f5 01 00 00 f5 01 00 00 f5 01 00 00 b6 02 00 00 |................|
0x60: 00 00 00 00 2a 07 00 00 00 00 00 00 00 00 00 00 |...............|
0x70: 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 |................|
I’ve verified all the offsets I’m patching but the changes don’t seem to persist
write: kwrite32(ucred + 0x40, 0)
read: kread32(ucred + 0x40) returns 501 (unchanged)
Does anyone know why the changes don’t stay? Are these structs in some special zone or could it be a pac issue
ucreds are PPL protected
We don’t
Shouldn’t it trigger a data abort?
Damn. So elevation to root is not possible without a bypass
Well, user mode at least
Yeah for kcall it needs to be a kernel mode bypass
Makes sense
and we can’t patch the proc structure's cached credentials either? Or will that just not do anything
Won’t do anything
Damn
nice seems like all of these iphones i bought are unused ios 16.3
now i'm wondering whether it's even possible for an ios app (vlc) to duck its own audio when a second audio source plays, so both audio sources play but vlc is quieter until the second audio source stops. there's mixWithOthers and duckOthers, but it seems like there's no duckOwn or anything like that?
nice read on the private apis
I'm working on xpc clients for common daemons
somewhat the lower end of private apis
So far I have a coreduetd client out there already
Ah shit that ucreds are ppl protected
that explains my panic
So how does darksw0rd get privileges to access passwords then
if u cant patch ucred
i'm currently using diaphora to load kernel symbols
Dont ask where i got the symbols from
I'll store the sqlite3 database with the functions that have symbols from iOS 18.4.1 online
so anyone can do this
for development
Finally, the exploit loaded one last module, pe_main.js. This uses CVE-2025-43520, a kernel-mode race condition in XNU's virtual filesystem (VFS) implementation, which can be exploited to build physical and virtual memory read/write primitives. This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.
according to the google write up
darksword uses exception ports to create an arb call window on any processes, similar to TaskPortHaxx, which is based on a technique used in psychicpaper post-exploitation
That was my initial idea
Nice to see it implemented
Like I had that idea about half a year ago
that explains the xpc service they drop
I mean use
what can you do with darksword besides steal data
can you inject frida into a process?
no as everything is rop
arb call sandbox_extension_issue_file -> /var r/w
Ah that explains the file r/w
You cant load unsigned code so frida injection won't work
inject to installd and you get 3 app limit bypass
hmm
Maybe u can use safari to load unsigned code
with jit
but u cant load code into running processes other than safari
only rop/jop
Coruna allows unsigned code on victim processes and injects dylib to them
i think its 17.x not 18
yeah thats what I think too
how does jit work
does only safari use jscore with unsigned code
or can u just use jscore anywhere
for unsigned code
only safari has that entitlement right
for these safari js exploits are they just abusing processes connected to the sandbox?
with their own code obviously
also don't the exceptions create crashlogs
in the exploit
would be nice for some yara rules
i think darksword specifically deleted those
what about global kernel r/w through maliciously crafted iosurface
or is that a bad idea
as in all apps can access iosurface buffer
so u can use it for global kernel r/w
Can’t work
PAC
Giving all apps access to kernel r/w primitives is relatively unsafe too
<@&355174844205367317>
Nebula
The dot is probably rendered as a shape and not an image, you would probably need to overlay it in some way
Tho I am talking out of my ass
Yeah I do doubt it’s an image
claude tried telling me an identifier applicationId was not related to the application and it was internal from some daemon lmao
but it is quite good IF you know what you are doing
its made many mistakes which if I didn't know what I was doing I would surely be kicking my pc rn
hmm ig i would be hesitant
i don't write tweaks but if apple changed their graphics api from 16 to 26 its gonna be annoying
my guess is if you find the way the system creates the cursor shape and replace it with the shape you want it shouldnt be too difficult
but idk if theres multiple states and transitions it does on it
do that to the wrong person
and u face jail buddy
😭
if you do it now, you will be pinned for conspiracy too
How do I locate vm_map_entry for a specific vm_map
vm_map->hdr->links?
I'm going crazy. I'm trying to learn how to make gadgets work on iOS jailed but the documentation is kind of shit. The .js file I have to put in the path that I use in the config with script, where the fuck do I have to put that file inside the ipa?
Because I tried with listen and everything works if I manually inject the .js file via frida with pc to it, but with script without pc it doesn't work...
{
"interaction": {
"type": "script",
"path": "agent.js",
"on_change": "ignore"
},
"runtime": "qjs",
"teardown": "minimal",
"code_signing": "required"
}
I have the .config inside the ipa so inside the framework I have all 3 files: agent.js, MgRt.dylib, MgRt.config
But when i start the app it opens fine but my agent.js doesn't automatically load...
On jailed device.
is there anything i can do to contribute to development? i don't have a mac and in the past i've tried but theos was a pain to setup
Development of what?
jailbreaks
You don’t have to contribute, jailbreak development requires lots of knowledge about iOS security
it seems really interesting and i want to
!t becomejbdev
wtf i thought this was general
theos is extremely easy to set up with WSL
you can develop whatever you want honestly
like just start developing
find an empty field and just develop all over the place
develop all over your school's bathroom wall
etc. etc.
hmm
Can someone help me create my jailbreak? More specifically, I am creating a jailbreak/tweak for iOS 26.0 and below, with the darksword exploit, and I am trying to get kernel r/w. Currently I have gotten kernel r/w on iOS 15.7 with this exploit BUT on iOS 26.0 no one had done it yet and I need the so_count hex value for Darwin kernel 25.0 to properly get kernel r/w access.. not sure if anyone here has any knowledge on this but it would be a great help, my question is, does anyone know how to get the so_count hex value for Darwin 25?
26 nerfed exploitation offsets aren’t the issue
wdym?
how do you know
he's smart
from real testing
You can get kernel r/w easily on non-MTE lol
Yes
So 26 didn’t really nerf anything, MTE did
Just need to change the exploit
Use lara
It has the right offsets
No just need different spray device
It worked OOTB for me apart from socket offsets I think
For iOS 26.0
But you won’t be able to make a jailbreak with this
The closest we can get to a jailbreak using this is springboard injection
Or just find a PPL bypass 🗣️
well not really
But nobody has ported remotecall.js to c yet
Im working on it currently but it’s painful and slow
Well absolutely really actually
I know someone else is
With kernel r/w there’s much more you can do than just springboard stuff
But idk if it’s public
Lisa?
But still, full tweak injection isn’t possible with this
Because you can’t hook C functions
No
True
For arm64 devices at least
(no arm64 devices on 26)
I’m confused IOSurface works out of the box for a18 on 26?
Worked for me just fine
26.0.1
Hmm
I guess you can still do some stuff without ppl/pac bypasses
Rip armv8.1
tvOS: 
Well you clearly don’t
tvOS 26.0 jelbrek wen
s0n
well arm64 jb is easy trol
ok but like
be honest, whats the point of a tvos jailbreak
trollstore is arguably useful, but a jailbreak just doesn't seem needed
because all you're doing is sideloading apps for piracy
what if i want to open Youtube if right left right left on the d pad
Still no watch jb
I would much rather a watch jb
what are you watching on your TV that requires you to rapidly switch like that
A watch JB would just be useful overall tbh
- Constant HR monitoring
- Custom watch faces that aren't just apps
- Aemulo

my top 3
well no idea
it might be useful if it could extend the airplay function? trol
I don't like pressing multiple buttons when I can press just 1
so I remapped youtube and netflix buttons on my TV remote to smarttube and stremio
are kcall primitives even still possible?
On arm64e?
You need a kernel PAC bypass
And that is not easy nowadays
Kexploits
Well we have one for 26 and 0 PAC bypasses so
how about using physmem hardware registers
I know some hardware registers are mapped in physmem
Maybe that's a lead
Almost none of them are useful for PAC
Or have anything to do with it
Also, mapped registers are at random physical addresses and we often have no idea how they work, so
Well I hear the market for a PAC bypass is pretty nice so makes sense we won't get one for a while
I can imagine so
I don't even know when the last one was patched
Most recent I know of is 17.4 iirc?
has anyone made a poc for the darksword pac bypass yet
cant figure out the pacia shit
I believe it just hijacks WebGPU process since it shares PAC keys with the rest of the system
Yeah, logs say something about webgpu too
so is the idea overwriting a function pointer that can be called at will ? and pac is preventing that ?
even if it didn't how would you pass custom arguments to registers
Well historically you’d get a limited calling primitive, maybe where you can only control one or two registers, and find some gadget to build it into a better calling primitive
Then you’d want to setup a stable bypass by calling ml_sign_thread_state to sign a completely arbitrary thread state that you can invoke from userspace
But not only have they removed a bunch of kernel PAC attack surface in recent years, but also removed the gadgets iirc
Wen eta full arm64e kcall primitive for darksword
already done
I mean, if you’re on arm64 it’s easy
me when i lie
no i didnt lie
im just on ipad 7 lol
you edited your message it used to not say arm64e
i have full userland jailbreak for ipad 7 🗣️
18.7.8:

noo who deleted it i was about to type mr beast into the text box to confirm payout
wthh
how to install ios 9.3 xcode simulator on xcode 13
https://old.reddit.com/r/jailbreak/comments/1oyk47y/is_there_any_working_safari_user_agent_changer/
this tweak spoofs safari ua to ios 18.6.2, which is vulnerable to DarkSword
I wonder if spoofing it to >=18.7.3 would prevent some DarkSword payloads from delivering
(screenshot taken from here https://www.lookout.com/threat-intelligence/article/darksword)
No, it would default to rce_worker_18.4.js
The exploit offsets are hardcoded for those versions so if you’re spoofing from an earlier version they shouldn’t work anyway
So if I'm on 15.8.6 (Dopamine) and the exploit runs rce_worker_18.6.js because it detects my Safari UA as 18.6.2, it should fail
Sounds good
Coruna has hardcoded targets for iOS 13-17.4 only. Assuming it uses the browser UA to detect the version, it shouldn't run RCE on spoofed 18.6.2. I don't know if it uses other browser fingerprinting techniques, I'm guessing not because 99% of users don't jb and have no way of changing it
https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
Well the exploits don’t work on iOS 18 anyway
But I'm on iOS 15 (not 15.8.7) so if it sees through the spoof it's still vulnerable to Coruna. And DarkSword is still unpatched in 15.8.7 hence the Dopamine beta jb using it
I'm just theorizing since some people will probably say it's still technically unsafe and a simple UA tweak can't possibly be a foolproof solution
If there was a tweak to patch the WebKit bugs that’s the only foolproof way
I saw someone hacked together an updated WebKit on twitter dot com for the purpose of backporting the security patches :P
spiritually similar
What if I start working on Procursus again as an April fools joke
if you do you should update neovim
for april fools bring back Elucubratus instead
thanks
settings > safari > request desktop website, done you're a mac catalina 🙂
anyone know where splashboard denylist is
Snapshot generation request for bundleID: com.atebits.Tweetie2 rejected due to the app being denylisted.
i dont wanna delete and reinstall
I figured it out theres api that removes the flag
that would be a good joke
it would be even funnier if you continued on april 2, 3, 4, 5, 6
actually it would be an absolute laugh fest if you kept doing it every day for years
do it for 23 hours, 59 minutes, and 59 seconds
is this a system denylist? sounds new
Its been there for a while i think
Ive had it happen on 16
Probably happens earlier
@visual meadow I’d explore lsaw / xbappmanifestctl for anything related to that (xbappmanifestctl is a tool for everything related to splashboard)
oh I see you figured it out, didn’t notice your second message
Ok
Is the new os18 update for os26 devices ota only ?
Does anyone know if DarkSword is compatible with iOS 18.1? The PoC on GitHub isn’t but not sure if that’s lack of offsets or not all the vulnerabilities existed on that version
I’ve looked at the CVEs and none of them say they started after 18.1, but most of them just don’t have a starting version so idk
yes
<@&355174844205367317>
Nice
Is finding offsets for iOS something that’s at least doable if you have some reverse engineering experience or is it just a massive pain for iOS? I saw a really old blog post which afaik was saying you mostly need the ipsw file + some custom tooling, is that still the case?
Are you trying to use the WebKit exploit?
I want to yeah
Probably will not be successful but just want to at least try the PoC on my 18.1 phone if it’s possible, it’s just missing offsets
I guess you can in theory port it by just looking at what they point to on a compatible version and then finding the same sequence in an older version
Hey i have a question, could i possibly develop a tweak to get liquid glass using https://github.com/DnV1eX/LiquidGlassKit ?
im already halfway and a successful build is there, but i enter safemode as soon as i install the tweak
(update i gave up and made smth else - https://github.com/portonvpn/Dockremover)
on accident
unoptimized as hell btw
its not even public
has anyone done the offset finding for 14pm on 26.0? (planning to do it sometime if not)
im assuming these are kernel offsets
are these offsets required for the actual exploitation that gives you krw or are they just for PoC purposes?
They're for either krw or finding kernel base
Because it goes through some structures to find a __TEXT pointer
oh yeah mb it’s private (was testing)
dont use it
unoptimized as hell
just removes dock
i dont think he was planning on using it
lmao
more just wanted to look because you posted a link here
oh okay
i js wanted to ask if it was possible to implement that liquid glass kit in older ios
you could in theory, but it would be a lot of manual work
oh okay👍
<@&355174844205367317> gm


@kind herald
Lmao you got got
Suuuure
🙄
Hey you can ban him for useless ping now
on it
pinging staff is fine but pinging me is a bannable offense
@rotund magnet
die bitch
ok sorry
<@&355174844205367317>
hey guys, I just began developing for ios and I wonder whats a good method for getting the current media's title and artist. I am right now hooking into MRUNowPlayingLabelView but its really inconsistent, sometimes giving me the song name and sometimes the song name and artist name. I tried MRMediaRemoteGetNowPlayingInfo but it just crashes; gpt is telling me it's a PAC error since it is actually calling MRMediaRemoteGetNowPlayingInfoForOrigin and I haven't been able to figure that out. Also, somehow parsing the song title with artist name might be a challenge due to certain songs having their own '-' in the title
should be in here, didn't look at it myself just sent it to gemini, it told me it's actually calling MRMediaRemoteGetNowPlayingInfoForOrigin, which takes some additional parameter for the origin, I am using theos with the 16.5 sdk and compiling on my iphone
can you show the code for this
#import <Foundation/Foundation.h>
#import <os/log.h>
#import <MediaRemote/MediaRemote.h>

%hook SBMediaController

- (void)setNowPlayingInfo:(id)arg1 {
    %orig;
    os_log(OS_LOG_DEFAULT, "[geniuslockscreen] Caught setNowPlayingInfo call");

    // Ask MediaRemote for the now-playing info; the completion block is
    // delivered on the main queue.
    MRMediaRemoteGetNowPlayingInfo(dispatch_get_main_queue(), ^(CFDictionaryRef result) {
        // result is NULL when nothing is playing; only bridge it when it is non-NULL
        if (result != NULL) {
            NSDictionary *resultDict = (__bridge NSDictionary *)result;
            os_log(OS_LOG_DEFAULT, "[geniuslockscreen] %{public}@", resultDict);
        } else {
            os_log(OS_LOG_DEFAULT, "[geniuslockscreen] MRMediaRemoteGetNowPlayingInfo returned nothing");
        }
    });
}

%end
mediaremote is included in the private frameworks in the makefile
is arg1 one not what you need
uhh dont think so, when checking with FLEXing it just shows some 2 values like is first track and is last track, I am on ios 17 though
at least for the actual value that is under sbmediacontroller didnt look at what it actually gives when I hook it
okay imma try I gotta go so I will try to do it on my iphone 😭
I would not be surprised if its an NSDictionary of the MRNowPlayingInfo
btw how do I get the os logs on iphone, I cannot run the oslog command it just gives errors I gotta check it via cable
on pc
windows?
nono I can get logs on linux with the idevice stuff, just on iphone I cannot get them cuz with the terminal oslog just gives me something about corrupt errors prob because I am running nathanlr which is rootless
fwiw this isnt the code thats crashing, you know that right?
ik that, I can os log just fine, it crashes once it hits the mrmediaremote method
just checking
yeah sorry I am gonna tell you if it worked once I get back, I already need to go
yup arg1 is empty, still haven't figured it out unfortunately
can we use darkswords remotecall on springboard with dlopen to achieve springboard tweaks ? or library validation etc disallows that
Anyone know how to grab a file from the FDR server?
Or rather what is the url to it
of course you can't
anything involving mapping executable code is behind PPL
JavaScript interpreter is all the "code execution" you will get
<@&355174844205367317> good evening
bro
meow
meow
can someone explain this more in depth in their free time.
my thoughts (on calling dlopen from springboard on an unsigned/locally signed dylib):
since springboard is unsandboxed the "file-map-executable" sandbox rule is irrelevant.
"library validation" feature could be an issue (dylib needs to be apple signed)
other than that simply "remapping rw memory as rx memory" itself might need jit entitlements or bypassing ppl/sptm. although i think mmap has exceptions for that for files (mentioned in the middle of this video https://youtu.be/SuQGQ1vh9k0?si=0fc8w4-L6P_kHN58)
If you want to inject a library, it needs to be the same trust level as springboard, so in this case the library must be in trustcache
If you want to remap memory from RW -> RX and execute it, at least on 18.x, you need the wx_allowed bit set on your pmap, which requires a PPL/SPTM bypass in this case
@kind herald
@kind herald
Maxine
<@&355174844205367317> gm
gm
Alfie wen eta libgrabkernel2w with .aea ota update support
how are you supposed to partial zip a .aea lol
the kernel is within
piece of cake
ipsw ota extract --key-db ota_fcs_keys.json 801e486d28bb9952372d751114662165d7990d9fa20df048c7dac4f386ee3ad0.aea --pattern "AssetData/boot/BuildManifest.plist"
Not really possible
At best it'd take a while
@gentle crescent
:(
:)
uh oh, why not?
gotta make libgrabkernel3 now or what
AEAs have no file list
You have to scan through until you find the kernel[cache]
Which basically means fetching from the start
i made a bluetooth LE advertisement tweak that hooks into bluetoothD
@obtuse hornet you can just get krw and “sandbox escape” to /private/preboot, no?
Well you know how to know recursion you must first know recursion? It’s the same here. We grab offsets from the kernelcache that we need for the sandbox escape
exploits needing offsets... now thats a blast from the past
Which offsets?
You should be able to hardcode them based on XNU version unless there’s actual kernel addresses
wait, why do you need aea's for the kernelcache again
aren't those just in the ipsw root
or is it for ota only versions
I'm not up to date on latest devices and latest softwares lol
my knowledge cut off point is like iOS 17
that or ota only devices (watch, homepod etc)
So you’re saying these need to patchfind:
uint64_t kernproc = xpf_item_resolve("kernelSymbol.kernproc");
if (!kernproc) kernproc = xpf_item_resolve("kernproc");
uint64_t rootvnode = xpf_item_resolve("kernelSymbol.rootvnode");
uint64_t procsize = xpf_item_resolve("kernelStruct.proc.struct_size");
- kernproc can be found dynamically by traversing back from proc_self
- rootvnode can be found by other means (see wh1te4ever's implementation)
- taskbyproc can be implemented using a different way, proc->proc_ro->task (see wh1te4ever's implementation)
so im kinda out of the loop, i want to use kread, kwrite (and ideally remotecall) primitives on my 26.0 iphone 14pm. what exactly do i need to find offsets for (and where to put them, https://github.com/opa334/darksword-kexploit/blob/main/src/main.m here?) in order to do that?
look at the dopamine implementation.
all offsets and RemoteCall are already implemented in wh1te4ever’s fork
Also we should look into stack-based pwning lol. Some of their bypasses look wild, especially what exception ports injector and MIG bypass do is hold a kernel mutex then modify something in kernel stack. That made me wonder if a PPL/codesign bypass can be done in a similar fashion?
What's MIG?
I was looking at it a few days ago
Does it still depend on XPF? I was having trouble trying to get it working on tvOS even after I compiled libxpf for tvOS
Mach Interface stuff, though in DarkSword context it also includes sandbox bypass and such
it includes XPF but unused
i know, wh1te4ever's version does it too, im just too lazy to implement it 😭
a codesign bypass would be sick
wouldnt that just instantly enable "real" springboard .dylib injection via remotecall?
ah alright
I’ll mess with it again later today then
Depends on the trust level you get with the bypass, I’m guessing SpringBoard is in TC, so the bypass would have to be at that level, and I don’t think that’s the case
Dont take my word for it tho, I may be wrong
hi chat
so i picked up
a mac from ewaste
it boots
to a random person’s password
im assuming the dude doesnt want it anymore cus
it was in the ewaste.
so wat do
this is development
but anyways which model / year
2015 pro i think?