#development

no appropiater channel

can boot to (internet) recovery / a bootable macOS USB, erase disk, and reinstall macOS without any issue

sweet

oke

T2 and later added activation

i can also do arch right

yeah

might just nuke it

have fun

If you could get a stable CS bypass you could get a “jailbreak” to an extent

More like a semi-jailbreak

That’s what I was thinking

so these are what he found the offsets for and mine is the last one right ? so another ios/phone combo still needs manual offset research ? very lucky for me lmao

That's what it's been tested on, offsets are present for other devices. iPhone14,6 isn't your phone anyways (that's the SE 3rd gen, yours is iPhone15,3)

😭

AI overview is trash sadly

it's genuinely baffling how bad the ai overview is sometimes

what method does springboard call to open another app when you hit a link inside of an app

I think I reversed something close, see how LiveContainer passes url scheme to LiveProcess

It works!
will be doing some more experiments with this soon, hypothetically should be able to make a jailbreak since it's arm64 but I doubt I'm smart enough to do that

All devices iOS 17.0-26.0.x should work,
Not only these device, I reversed almost all of device's kernelcache

rootvnode can be also obtainable from launchd's vnode; by walking down vnode->v_parent.

Or vnode_for_path("/")

To make working proc_self,
I added intentionally
pthread_set_qos_class_self_np(QOS_CLASS_BACKGROUND, 0); and
pthread_set_qos_class_self_np(QOS_CLASS_USER_INITIATED, 0); to between socket func,

Then you can get current thread kaddr.

Interesting

so can a krw be used to achieve arbitary task_for_pid trivially so that we have a way to manipulate other processes via userspace mach apis ? like i know we can implement task_by_proc but that just gives you the kaddr of the actual task rather than a send right to its task port that you can use from userspace.

if not; what about:
using remote call on a process that has task_for_pid-allow entitlement, and then using mach apis from that process.

/*
i was thinking this so maybe we could use tfp on & set a custom exception port for amfid and bypass codesigning but im not sure if this part makes any sense
*/

me when dtsecurity

Amfid codesigning bypass has been dead on iOS 15.2+ (IIRC)

IIRC amfid hooks aren’t enough anymore because the kext double checks signatures if amfid approves them

ok i see, what abt the send right part tho

well i mean isnt remotecall already just getting task ports?

hm, i think it does the exception port method as well yea

do exception ports not equal task ports?

i mean i know that theyre not the same thing but dont they both amount to the same thing?

i meant the way it "calls" stuff on the remote process is by using exception ports, but im not familiar with the codebase yet so maybe im making it up. and to set a custom exception port on a process you need to have access to its task port (or maybe krw can bypass that)

oh im totally tripping

my bad i was thinking of the wrong thing

In theory yes because you can use krw to get code exec in a process that has system task ports access probably

Is the only way of bypassing codesigning injecting to the trustcache?

tc injection is close to infeasable nowadays iirc

CoreTrust bypass

didnt ctv3 exist once?

If you have PPL/SPTM bypass it’s over

@sonic totem does fake blob method still work?

good luck finding that 😭

Fcntl?

yes and no

the blob attached to vnode

Oh no

Csblobs are RO

sad

PAC or PPL/SPTM bypass required

CS is basically unbypassable with krw alone

laughs in arm64

We have one for 17.3.1 and below

well i dont have a device on that version

ergo its useless

Your turn to find a bypass

PPL lowkey easier than KRW

#cope

Get to work jb devs

ok apex dev

Shoutout Sileo for adding Amethyst and Apex support in 2024

2026 release 100%

🗣️ 🗣️

Well yeah that but I’m talking with only a kernel exploit (with a PPL bypass if applicable)

Then yes trustcache only

ctv4 etas0n™

Need v3

ctv3 exists apparently

i was told by someone who was told that someone has it

Is this person a reliable source though

well the person who told me, yes, the person who told the person who told me, i dont know

then manipulate kernel stack memory before amfid returns to AMFI

key word

tinfoil hat

It also means codesigning validation never leaves the kernel

Unless you’re using enterprise/dev signed apps

so what does this mean for the average user

jelbrek

jelbrek

i have not slept in 3 days

Seks

@kind herald This bot sucks

Not my problem

@shut stag
Hi

wtf

So what were you saying about your shit code

well you banned him

Your bots suck

so it shoulda deleted

Gir and your chatgpt ai slop bot

so its a discord bug

Yup ... blame it on discord ... Not the bot ...

should've kept janet fr

im trying launching the whitevers darksword/kfun app, the xpf library is causing issues, i am copying it to the app bundle and signing it (via xcodes codesign on copy feature)

You can remove XPF, it isn't required, I was having trouble with it too

thanks

cloude ai

@shrewd smelt @native dune @light owl

rootfs is the biggest of all

cloid

cloud ai

you should never trust a random person sending you code to run

no bro you just gotta search for terminal.app, open it, paste in this long ass command full of b64 data, then run it with sudo to verify you're not a robot

It makes sense in theory

remember to always press yes for UAC when the yellow window pops up

What if its red

just means extra trusted compared to yellow

uacs are annoying

i just login as Administrator at all times

there are at least 2 people i know who actually do this, one for weird explorer extensions and the other for performance i think

performance?

the same person also uses windows 10, doesn't install windows updates, has removed windows defender and has disabled microcode patches that mitigate spectre/meltdown/etc to improve performance

idk

💀❓

the plot went entirely over your head tbh

?

its nowhere near important enough to explain just move on with your life cut your losses

Just turn UAC off lmao

It’s literally in the control panel

Holy genius

not sure if anyone had noticed/find this helpful at all but theres a retype function in SPTM (14 pm 26.1) which handles retyping memory frames validates new frame type (new_type < 0x40 (must be under 64)) but it never validates the current frame type loaded from metadata (fte->type) before using it to index a function pointer table

so theoretically if we found a way to corrupt fte->type it might be smth

or im just yapping nonsense

@slim bramble not sure if anyone had noticed/find this helpful at all but theres a retype function in SPTM (14 pm 26.1) which handles retyping memory frames validates new frame type (new_type < 0x40 (must be under 64)) but it never validates the current frame type loaded from metadata (fte->type) before using it to index a function pointer table

Stop using AI to try and find SPTM bugs

How did blud know it was AI

💔

he's using a part of his body you're incapable of

Hi.

Long time no see buddy.

Because you can tell when someone tries to play off an AI answer as their own but clearly doesn’t understand what they’re talking about

Not the first time…

Gulp

Right

Bro @sonic totem Test my escalate code pls

Oops

I still don't have any iOS 14 devices

Forgot

I can test today

All good

Ok wait

I made some changes

Will send in dms

I was deep in Coruna for like 3 days

Nice

Check your direct messages Blud. 👀

bro caught coruna-19

I see what you did there

I would rather catch COVID than keep reversing this atp

have you considered using claude 4.7 opus (1m context)

I would rather not go broke

But in all honesty it’s fine, I can reverse it without issue, it’s just a LOT to reverse

And I’m worried Claude will mess stuff up

oh no

When I asked how PurpleGfxMem/vram located in and if there's any way to see where located,
Then Claude stopped to answer about it. 😩

Idk why AI does this

You would've thought it's pretty obvious if you wanted that information for malicious purposes

you should use Claude CLI

Okay, I submitted application and now got accepted! 🙂

Now I can continue to send prompts.

Hello, anyone got a guide for how to create tweaks for apps such as YouTube? I want to try developing a tweak

I like this
General guide for tweaks in general

https://github.com/NightwindDev/Tweak-Tutorial/tree/main

you can look at YouTubeX’s source and maybe find headers to look at making tweaks for YouTube specifically

https://github.com/PoomSmart/YouTube-X

what happens when you write custom data to ssv protected files with krw ? it restores on the next boot ? it doesn't boot at all ?

it restores on next boot

“Write”?

yeah

idk the correct term tbh, change vnode ?

with krw we can directly modify the virtual fs i.e. write to r/o or SSV protected files

Is it vnode swapping or what?

nope

we mmap the file and patch its memory protections from r-- to rw-

and then write directly

memcpy

Damn

I've not seen that done before

desperate times call for desperate measures

It's nice I didn't know it was that easy lol

vnode redirects ftw

the great part is that were not even redirecting anything, just editing the files memory directly

though, vnode redirection is of course also a possibility

might even be the better approach tbh

That's what I used to use

Idk why

Ah because I had a writable rootfs but didn't want to write to the file directly

yikes i also managed to get myself flagged in chatgpt, and the question wasn't even any good it was some script kiddie level bs 😭

well i mean we can ptrace arbitrary processes i.e. enable jit, no? couldnt we just write like position independent code into jit mem and jump to it via the remotecall you described?

correct me if im wrong

though, we still cant like map a macho binary

well we could

but code signing breaks that i think

Doesn’t the ptrace trick require the target process to have get-task-allow?

true

i forgot about that

uhhh

yep thats no good then (i was typing a super cool plan tho rip..)

Hey anyone use appium? Im having a weird issue where i can't reliably startup the WDA runner on my phone by using uiopen via ssh. Sometimes it works, sometimes it wont start. My WDA runner app is installed via trollstore so doesn't have the normal restrictions. But if i run the app via pressing the icon on the phone physically, works fine. Is there a tweak or something that lets me mimic the way laucnhing apps works via pressing vs uiopen

#jailbreak message

init_remote_call causes a panic for me consistently on 14pm 26.0, i tried both with and without using the mig bypass option, and with and without being debugged/monitored by xcode. panics everytime

Wrong offsets

You've got some NULL deref

Anyone has an idea why the google login in YouTube is not working when I inject my own .dylib into the decrypted ipa?

It works fine if I use some known tweak such as YouTube Plus (former YTLite)

https://github.com/dayanch96/YTLite/blob/main/Sideloading.x

Not sure how up to date this still is

Oh I see, thank you

No problem

This might be more up to date:

https://github.com/PoomSmart/IAmYouTube/

I guess I can use classdumpios or something if this doesn’t work anymore to analyze it myself. Will test this first though, ty

no problem

Reason why something like that is needed is because sideloading apps inherently changes their bundle identifier (appends your team ID to the end iirc), unless signed with an enterprise certificate
On a jailbroken device just tweaking the app directly that shouldn't be an issue, and with TrollStore that shouldn't be an issue either, only with normal sideloading

signing an app with the same bundle id of an app store app will get your developer account banned

yeah assuming you're on like
an actual paid Apple Developer Program membership

so people use ppq check in feather or whatever and add 4 characters to the end so it doesnt match anymore

Truthful

@wooden yarrow are you still reversing sep these days

i have an interest for reversing the chip on my macbook

for asahi

cc @crisp frost

(what i'm asking is if anyone has somewhere to point me towards to start before i bug the asahi people)

you can certainly see what's still missing then RE the corresponding SEP modules

idk anything about mac sep internals ngl

welcome back tho

bro is prob gonna despawn in 3 days to return on another alt later

uint64_t firstPortAddr = task_get_ipc_port_kobject(task_self(), firstExceptionPort);
panics on this line fwiw

Well it’s something inside that function

yeah

a new alt in 67 days

following more, crashes in kreadptr part of task_get_ipc_port_object. arg looks like a valid kaddr, so i assume task_get_ipc_port_table_entry works fine. and the ie_object offset is 0, so idk whats causing the issue here

Hm no that’s correct

ie_object being at offset 0

yep.

kread64(arg) also panics tho, so maybe task_get_ipc_port_table_entry doesn't work after all

What’s arg

Like its value

8?

nah, its a 0xfffffffaa... , i.e an address in kernel

0xfffffffaa doesn’t seem like an address in the kernel lol

This makes no sense unless you’re getting a different panic

Because the panic said you tried to kread address 0x8

lemme check latest panic log

Ah no

I misread it

0xfffffffa… seems like a bad address

But that is the address in the panic log

i haven't rejoined this server in nearly a year

occasionally i check hd

could it be that t1sz_boot is 0x11 on a16 in whitevers fork, but it should actually be 0x19

lara's remotecall seems to work

Yes actually that’s probably the issue

ok cool, now it doesn't panic and init remotecall actually tries to do stuff.

however while lara's 5 icon dock tweak works, mine (exact same code, one uses @frank fossil 's objc wrapper class implementation the other uses whitevers impl directly) seems to crash springboard

@obtuse hornet cc ^

whats this tool you used to parse the panic?

console.app on mac

oh

as in you dragged the panic into it or you were watching the syslogs

former

I would do some basic remote call to confirm it actually works

Set X0 to 0x41414141 and jump to a LDR X1, [X0] or something

this is a known issue. on a15+ and m1-4, t1sz_boot is 0x11 though it should be 0x19 or vice versa.

XPF update required

not even an xpf situation, the value is hardcoded 💀

Yeah I know lol I just mean XPF has a metric to patchfind it

oh

But it doesn’t support iOS 26

nah i fixed that, with 0x11 it straight up kernel panics. i changed it to 0x19 and it doesn't panic anymore. but it doesn't actually work either, lara's 5 dock tweak works but i can't reproduce it in my own code, i wonder if theres anything special that lara does

so does lara work or not?

i tried to simply call malloc and it still crashes. not sure how to do ldr x1 thing

it does

is your app built for arm64e?

cause it needs to be

oh..

that was it lol

i have some ideas myself but can someone explain whats the reason behind this

might be a pac thing?

no clue honestly

yeah pretty sure it is, but like what specifically i wonder

xpaci

So apparently protobox disallows springboard to call task_for_pid,.

Warning idk what im talking about below:
can i use krw to add my apps ipc_entry/port (whatever), to springboards ipc_space->is_table and generate a mach_port_name (send right) manually so that i can call vm_remap or other mach api from springboard with my apps task port name as the target ?

no clue, but i can tell you that just "adding" it isnt possible. we dont have kalloc. you could overwrite (?)

oh right

You can use the DarkSword method to bypass Protobox

That’s what the MIG bypass is

You can do a local kalloc very easily (local meaning it is freed when your process exits or you free it)

how come ?

oh i see

i guess you can call malloc in ur process and remap the corresponding phys address into kernelspace

That is one way I think yes

Or another easy way that comes to mind is create a pipe and steal its pipebuf pointer

When you close the pipe, it’ll free the buffer

do u have free time

what are tz0 and 1

exception levels? tbh i don't even know what exception levels fully are

TrustZone

Isolated memory regions

SEP uses TZ0

and TZ1 is on the AP?

tz1 is for KPP

It’s unused

There are also references to TZ2/TZ3 which afaik are also unused

A8 tvOS 26:

KPP bypass for tvOS 26 confirmed

Has it always been unused

A10 and later, yes

(Idk about recent devices)

KPP used it on A7-A9

does anyone know if dns profiles are stored as files on the fs somewhere and if yes, where? or are they somewhere in profiled memory

I’m 80% sure they’re done on the filesystem just from my experience with other profiles (elite tvOS update blocking experiments)

I can look into it later for DNS profiles specifically but yeah. Just monitor the filesystem while adding a DNS profile or search for a specific string you’re using as a DNS server on the filesystem

i tried /var/containers/Shared/SystemGroup/systemgroup.com.apple.configurationprofiles/Library/ConfigurationProfiles/ (to no success)

like a nextdns profile or?

Yeah no it’s not there, that just stores the actual profile and its metadata and such
I’ll investigate it soon
I wouldn’t be surprised if it’s maybe stored via UserDefaults?

a normal dns profile, i dont care which provider

that would be bad

but ive heard multiple people tell me its somewhere in var

i mean those are just like any other profile you install right

why?

would just be a normal plist lol

wouldnt it be a .mobileprofile

for real? i dont know how userdefaults/appstorage is stored

That would be for the profile itself but not for the actual settings the profile applies

oh

i mean maybe grep for it

i dont exactly have a terminal lol

i just have arbitrary / read thats it

rip

UserDefaults and SwiftUI’s AppStorage wrapper just pretty much store a (usually binary) plist file containing the keys you’re saving in a folder depending on the domain

bplist my beloved ❤️

Hate bplist so much
XML supremacy

just convert 😎

you don’t have any other jailbroken device?

openstep plist format.
until we meet again.

i do, but they take like 3 days to charge 😭

rip

it's probably in sc framework

SystemConfiguration?

yes

so in /System?

no

but exactly where i can't confirm

i would have to dig a device out for that

@obtuse hornet try /private/var/preferences/com.apple.networkextension.plist

It's a binary plist (NSKeyedArchiver specifically) which is not super fun to work with manually

just convert and convert back no?

thanks by the way

NSKeyedArchiver is the relatively painful part
you'll see when you get there, it's just really annoying to work with

no problem

I'm pretty sure you can work with it easily within an app but I haven't had to really deal with it much before

What the hell am I looking at 😭

Yeah it's annoying.

https://stackoverflow.com/questions/56215273/round-trip-encoding-and-decoding-with-nskeyedarchiver-and-nskeyedunarchiver

Probably a helpful stackoverflow thread just briefly looking into decoding NSKeyedArchiver stuff. It seems somewhat easy to work with if you intend to integrate this into an app or something

https://github.com/michaelwright235/nskeyedarchiver_converter etc

to clear up some confusion

second argument to init_remote_call is bool useMigFilterBypass, were you talking about that ?

or was it the other functions in MigFilterBypassThread.m ?

i tried to pass true to the first case but it didn't help, i still get Protobox: SpringBoard(35) deny(1) syscall-mach 45

hey i did the opposite of that ages ago

xkcd 927

That is the bypass I’m talking about yes

Idk how remote call uses it

But it’s a per-call usage

does anyone know of an entitlement that would allow jit on 26

com.apple.private.cs.allow-jit is not working

dynamic-codesigning

didnt work either

wait

i'm so unintelligent

disregard this entire conversation

Debugger entitlement required

i forgot to include substrate

oops

isn't it developer instead of private

theres both

Fake JIT isn’t even possible anymore no?

Unless you have debugger entitlement

let me just add that then

com.apple.private.cs.debugger?

I guess

ok let me see if it works

still not working but probably for another reason

can't imagine how you can make NSKeyedArchiver even less readable

It’s a simple true/false flag

Just call rc_stable(x, y, z, hasMigBypassThread: true)

I more meant I don’t know what it uses the MIG filter bypass for

is the way remotecall sets an exception port in a remote thread as such:

1. create a pthread on our own process.

1.5 set its state to:
pc: thread_set_exception_ports
x0: self_machThread (obtained through pthread_mach_thread_np)

2. use krw to write target/remote threads TRO into somewhere near our threads thread->kstack->sp (which i assume is where our threads original tro was)

tbh now i am confused, a better question -> how does remotecall set an exception port on a remote thread

it replaces thread_ro pointer in kernel stack while having krw hold a lock of dummyThread

Let's say you have 3 threads: main thread, setter thread, dummy thread
Main thread has krw hold lock of dummy thread, then spawn the setter thread calling thread_set_exception_ports(dummyThread) and wait a bit till setter thread hangs because of the lock. Then main thread gets the setter thread->kobject->kstack->sp and locate dummy thread's tro pointer in it, then replace it with victim thread's tro pointer.

to be clear, check out thread_set_exception_ports_internal src:

    tro = get_thread_ro(thread);
    thread_mtx_lock(thread);

oh i see, makes sense

Ok

im kinda conused if darksword can do physical read/write ?

the fork i have doesn't have dedicated functions for them, but CVE-2025-43520 analysis says it does physical rw as well

https://gist.github.com/Muirey03/8c8370258e32bafaf99e72ec90258c8d#:~:text=7. This is a TOCTOU. An attacker can remap the virtual address range so that the region is no longer physically contiguous after the first call to vm_map_get_upl%2C causing an OOBR/OOBW to physmem

with darksword you're reading/writing to a physically contiguous page that may or may not belong to your process
the stable primitive is a virtual rw primitive with sockets

It’s relative physical r/w because it’s only out-of-bounds from the start of your mapping and you don’t know the base address of the mapping

But the actual OOB access is in the physical address memcpy

it's at the offset you're at in the mapping, not only at the start :p

each mapping is like 128mb iirc

Oops yea

Good point

alfie

i have a suggestion

release apex

I have a suggestion, let him finish reversing the stuff regarding to arm64e 17.3.1 and lower

i have a suggestion aswell

i want to use ape

x

Are you offering to finish it for me? Thank you so much 🙏

I wish, they’d probably make it even more unstable

Honestly I’d love to see it done but I know it’ll be a while, you have higher priorities but I hope it doesn’t get tucked away and forgotten.

you dont know me son

im a professional jailbreak creator that knows every end of the kernel of the iOS

i literally have 30 ppl and pac exploits in my hand right now

i am the exploit god

do not challenge me

i will end you

Yeah… sure keep talking your dad is also the ceo of discord right?

I think he's joking bro

I know

yes

john discord is my dad

you got a problem with that pal?

i hope someone dies and goes to hell today

@kind herald Bye bye 😁

What?

Might be a little fast sorry

Reminder to check your vibecoded apps you put on the appstore

What ?

Message sent before video

Piracy

Mods

No I didn't even tweak it

It's just like that

App is supposed to be limited to one domain for free, yet you can just search for the other domains and click on them fine

MaxineRole icon, Administrators — 7:59 PM
Piracy
Mods

Also discovered a capcut jailbreak "bypass" in the mean time while editing it

You can literally just use flex to move the pop up out of the way, but it breaks some things like anything that interacts with wifi directly (afaik)

its so fucking annoying to get rid of that

you have to clear the keychain for the app

and reinstall it

and make SURE nothing injects into it

That would explain why hide jailbreak does nothing then

lol

1. there is no such thing, it's on provisioning profiles, not certificates
2. one of the following:
   a. Be grandfathered in
   b. Choose the 7 day validity option

have ancient dev account

2021

New Apple Developer Program memberships created after June 6, 2021, require development- and ad-hoc-signed apps for iOS, iPadOS, and tvOS to check in with the PPQ service when the app is first launched.

rip

I’ve never had problems with CapCut

I’ve just been hiding Choicy

Last used the app literally yesterday

If you've been having choicy not load the tweaks then you wont notice anything lol

Oh lmao

Is there a way to check my account to see which side it's classified as? Something to check in the profiles, the keys, the online portal, etc? I don't remember the exact date so

create a profile

https://cdn.discordapp.com/attachments/779134930265309198/1333290680683859968/image.png?ex=69ece9f5&is=69eb9875&hm=ea99a64ce73ff9a3f3ebbb7f7b6901fdac1448cbd02706e43795e7cbbc3b5bcb&

afaik, the bottom should only show on accounts with PPQ enforced

Ah. I don't see the bottom section on my portal. I guess that means I'm locked to paying apple essentially for life then. unfortunate

old screenshot so UI may have changed

rip

indeed. What exactly does enforcing PPQ actually do, that actually matters? Ability to sideload decrypted app-store apps?

I don't know what the situation is now, but I registered in 2019, didn't pay in 2023, and paid again in 2024, and PPQ check is still not enforced.

Random question, does anyone know where these certificate icons are located on macOS? the ones that look like this:

Coreservices is my bet

/System/Library/CoreServices/CoreTypes.bundle

@lime pivot do you know where MacOS checks for the city name on About This Mac?

it displays a city name?

I think he means like "Tahoe 26.1"

yes

as in the marketing term

Big Sur, Ventura, Somona, Sequioa, Tahoe, etc

ooooohhhhhhhhh

i was a bit unclear

i cant find it anywhere 😭

i swear ive seen it somewhere

the closest i found was like the about urls

and ofc the version number in coreservices or whatever

not sure why I ran this as 2 commands, but im genuinely intrigued now

i thought about changing it to macos weed for funny hahas but now im way too invested in where that damn string is at

SystemVersion.plist for example has the version numbers and copyright year, however no marketing version name

tried looking in how About this Mac works

it literally just makes an xpc client to "com.apple.systemprofiler" with the message "showAboutThisMac"

I noticed it was basically just system profiler under the hood too, you can tell on activity monitor

this is the open files and ports on it according to activity monitor

/System/Library/CoreServices/SystemVersion.bundle/English.lproj/SystemVersion.strings just reads bplist00”

WVersionUBuild_FullVersionString_Version %@ (Build %@)1������

����������������������I

The sibling plist to the systemversion bundle once again only has version number and build number

As far as i can see AppleSystemInfo.framework only has shit for processors and model names

@grim sparrow anything new or nah?

No

😭

Where the fuck can this single word be 😭

@grim sparrow @quaint rain

NSString* +[SystemDesktopAppearance OSName](id a1, SEL a2)
{
  NSString* v2 = _OSVersion();
  if ([v2 hasPrefix:@"26."]) {
    return @"macOS Tahoe";
  } else {
    return [@"macOS" stringByAppendingFormat:@" %@", [v2 substringWithRange:NSMakeRange(0, 2)]];
  }
}

higher level code strips out the macOS prefix

enjoy this absolutely useless information

Where is this located? I already checked the SystemDesktopAppearance framework in /System/Library/PrivateFrameworks before and didnt fine anything

it's in the framework

the binary is in the dsc

well yea

i hope they knew that

not going to get far in *OS RE otherwise

dsc worst invention in human history

which means would have to decompile it and shit even at the thought of changing it

Fuck it, going to see if i can extract edit, and resign it

its 1 (one) word

maybe it's not a thing any more or maybe it's #if'd out to only early beta builds, but the name can also be determined by an http request

at least a few times on the initial WWDC beta 1 build, for a few hours the about screen only displayed a version number. later on, the name appears

I remember disassembling this code a long time ago

Bless

imagine they did this for visionOS and it switched from xrOS to visionOS during the keynote

seems like that was so last minute they didn't even have time to throw in something like this

how did it even get so close with such a terrible name

guess they were too busy failing with apple intelligence

26.0? or older macOS?

i'm really curious about this now

older is when I saw it. I don't know if it still happens

when I say older, I looked at it around macOS 10.12

but I'm pretty sure I've seen it fetch the brand name for years since then. just don't know about recently

ohhhhhhhhhhhhhhh

it shows the name as just "macOS", and then after a few seconds it finally shows "macOS" + brand name

yea that's not relevant anymore

i looked into this a while back when trying to figure out all of the system profiler apis

https://iphonedevwiki.net turned into moltbook lol

https://community.iphonedevwiki.net/

looks like dhowett lost control sometime between may 2020 and march 2022

@lime pivot probably knows a more precise time

cynder took it over from him a few years ago, losing the domain was a lot more recent. sometime last year I think

but even then, I recall he nuked the server before cyn had a chance to properly pull everything

I'm considering it very lucky we grabbed everything from devwiki and put it on applewiki, but we trampled on what cyn was trying to do in taking over devwiki and I regret that

anyone know kernel offsets for hypervisor

stop making fortnite cheats

noob

true...

Anti-cheats hate it when you hook hyper-v

good night jailbreak nation

gm

what are your thoughts regarding Nix

I want to try it, looks good on paper

exactly, on paper

are you a tinkerer? do you value your time?

I don’t think im autistic enough nor do i have enough free time to write nix cfgs

do you have an idea about how it works? aware of devshells? flakes? home-mananger? nix-darwin?

Brother. What.

fr

correct opinion

well if you try it out some day don't try using the useless abstractions like home-manager stick to flakes

maybe the occasional devshell or nixpkgs override in your system flake for a package that's out of date like limd suite or utm's qemu fork

so much easier and less complex to just copy over your dotfiles and only use nix the way I do

ostree on the other hand….

I should try guix next in a vm

I think nix would be real neat if I commonly used multiple machines so I could keep my setup in sync for all of them

Damn shulkk did not like nixos

In the future I might use nixos for my server PCs to make them kubernetes nodes but time will see

Too complex

And the 3rd-party abstractions like using Neovim as a Nix module can be buggy

Anyone know about any free network request loggers for ios

FLEX isn't working for me for some reason

Mitm proxy

webproxytool

yea

not telling

so then don't mention it

https://github.com/nix-community/nixvim

Why are you trying to get free McDonald’s points

It is not that

I'll explain later kinda busy rn

@harsh junco i would only realistically suggest someone to use nix if
a) macports and homebrew on macOS aren't cutting it
b) you have a desktop/server that has some computational power (if tight on resources try Alpine Linux)
c) you have adhd (don't value your time), autism, or ocd (you value excessive containerization and abstractions)

remember to run nix-collect-garbage when you remember it exists

real

i dont get the point

tbh

so now that it is expired, there is literally no other known way to block these ota updates? i'd be fine supervising my own device but i remember that only delayed them by like 90 days, and i have not updated in a year, so pretty sure i am far past that. would do almost anything by this point tbh. ye old dns proxy isn't so great for me because i kind of want to actually use a real dns proxy - and ios does not allow you to use both at the same time, it can be pretty annoying sometimes

https://x.com/MasterMike88/status/2050221978313744810

iOS allows you to have more than one DNS profile enabled at once

you can replicate the effect the old ota profile had by doing:

defaults write com.apple.MobileAsset MobileAssetAssetAudience 0fded8f8-415e-4dd2-8924-02fd0fcd4f74
killall softwareupdated -9```

There's many, many ways of blocking updates in 2026 and you're not lacking options
If you're on a jailbroken device OTADisabler is the easiest way possible. It does the exact equivalent of just writing to com.apple.MobileAsset's preferences.
Besides that, you can do it with backup modification (Either disabling softwareupdated entirely, or writing to com.apple.MobileAsset's preferences as seen above)

The tvOS profile has really never been the actual best way of blocking updates and I never liked using it

did anyone ever figure out what happened to JTV

iphone, not mac

that will work on an iPhone if it's jailbroken

Disappeared from the face of the Earth

ain't no jailbreak on ios 18 my g

humble iPad 7

just use nugget then

true, but sadly the MDM dns profiles only support DNS-over-tls or dns-over-https - without any ability to use ye old standard DNS over port 53, so sadly a dns profile cannot help for this dns server. only a dns proxy, through a custom app with code, can achieve standard DNS:53

(the opposite side of the problem is, the majority of network routing (including safari browsing and the OTA updater), route through public DNS first, and only fallback to a dns proxy app if the system doesn't find it. which sadly means that this app proxy cannot accomplish blocking DNS to the OTA update server)

pretty frustrating double-sided problem from apple

1. not seeing any documentation on blocking OTA updates
2. either way, it says its gestalt spoofer only works to 18.1, that's not me

It can block OTA updates and supports blocking OTA updates up to 26.5 still

I believe it has two ways of actually doing it
One completely disables softwareupdated, the other will just write the plist like the profile did and like OTADisabler does

sounds like the better option is backup modifier

that's what nugget does yes

i don't suppose there's some writeup on how to modify the backup myself? if not then i guess i can just comb through its src

if i overwrite that plist key, does that also hide the red 1 badge? or just stop softwareupdated from doing stuff?

Modifying backups isn't an impossible task
You'd have to take an unencrypted backup of your device first, and there's a writeup going into more detail about how the backup system and domains and such work

https://gist.github.com/leminlimez/c602c067349140fe979410ef69d39c28

Nothing does anything about that to my knowledge

badge whatever, as long as i'm safe from apple, then i can live

if i bootloop doing this, can i blame somebody? tim perhaps?

why not just use some darksword sandbox escape? if can

In older versions of iOS, this badge and the table cell in Settings come from the corefollowupd/CoreFollowup.framework. I was able to permanently hide the these on my jailbroken iOS 14 device by killing that daemon permanently. The same is probably true on iOS 18 using nugget to disable the daemon. I need to investigate this at some point.

That's a different way of doing it than I was originally going to look into

There's a file at /var/mobile/Library/CoreFollowUp/items.db and deleting it makes everything go away

I need to actually test this though first

That works too, at least on older iOS. I'm not sure the easiest way to do this on un-jailbroken iOS 18. CoreFollowUp is such an evil framework, it does all the marketing "try Apple Music for 3 months" spam too.

I was able to remove the badge on an un-jailbroken iOS 18 device by setting the date to April 2026, re-installing the old AppleSeed profile, disabling the DNS profile, checking for updates to clear CoreFollowUp, re-enabling the DNS profile and removing the AppleSeed profile, then restarting again. Phew.

yo anyone was able to fix this issue? https://github.com/ProcursusTeam/Procursus/issues/1427

it's been 3years 🤣

this is what I’ve been doing

1. install TrustEvaluator https://github.com/dlevi309/TrustEvaluator
2. remove the signature from an old OTA profile (and the removal date, etc) https://haste.zneix.eu/busimygogi
3. install the profile (and remove TrustEvaluator if you want) then you can checking for update will remove the badge, the profile doesn’t have a removal date

interesting, is this closer to installing a tvos profile, or to install an profile that can edit preferences to write the usual MobileAsset prefs key?

and the more important question......do installed profiles survive restoring itunes backups?

why do this if you can just jailbreak and use OTADisabler?

and @tribal path i have nugget up now, just the Disable OTA toggle under daemons?

yeah

any other useful/cool keys i should try too?

what does Enable Lock Screen Clock Animation do exactly anyway

i suppose hiding the annoying VPN icon in the status bar would be nice too

It does this effect for the Lock Screen clock when the time changes iirc https://sarunw.com/images/animating-number-changes-in-swiftui-new.gif

lol

isnt that default

no

I don't think so no

damn a minecraft chest wallpaper too

oh its a weird animation

like fades but not

@tribal path do i have to touch mobilegestalt at all, and/or provide a gestalt file, even if i'm not using anything in that section?

you dont have to, no

for both

what's Enable Internal Storage anyway

I have no clue

ah yes, i can force my device to be an apple-store demo model. lovely

ok, i turned off find my....gonna have nugget restore it now.....i ain't gonna bootloop right? ios 18.6.2 iphone 14 series

You shouldn't bootloop whatsoever especially since you aren't touching MobileGestalt

shows more details about the storage used on your phone

ok, rebooted

yay software update is sent to hell

now i just have to either figure out a way to remove the icon badge, or just suffer and live with it

When I stop procrastinating it'll be figured out

amazing, really thank you for looking into it. just make aaron put something in announcements or just ping me anywhere or whatever if you ever figure it out?

@tribal path oh no ios 15 support on nugget?

I don't think 15 is really supported no

sad, i suppose my alt device can just use a dns profile since i dont ever use real dns connections on those anyway

Ignore the fact that I have -132mb of system data (I have no idea how but it's accurate iirc, also the apps counter next to the storage is from
a separate tweak)

This is just for ios 16 though idk how else it applies on newer versions

interesting. though you should be in jail for a font like that

Hey I used to have comic sans as my font

In the misaka days of jailbreaking

change it to LastResort and you can stay

nvm

lastresort is the super old font used by apple when the standard english fonts are missing. it's basically unreadable egyptian hieroglyphics

oh

:/

What if last resort is missing

https://boingboing.net/2020/08/17/lastresort-the-macs-weirdes.html

It just shows question marks

excellent question

It also spams tf out of the syslog

I had assumed that was part of last resort

What if that is also missing

It's somehow not

is that OTADisabler tweak on a repo?

[[OTADisabler]] yes

is it literally just defaults write

I mean technically no but the effect is identical

i'll just defaults write for my jailbroken device then

what is that uuid? does that correspond to something, like to the old tvos profile? or can i just use any random UUID?

It probably corresponds to a tvOS beta

ugh, i had the old OTA DNS profile installed before i ran nugget, and now afterwards, it won't let me remove that profile. any way to force remove it?

it shows up in the list in Settings > Device Management > DNS, but the typical menu to remove it is entirely missing. if i connect to apple configurator 2, also doesn't show up in the list. if i reinstall the same profile, it just adds it as a duplicate profile, hm

erase all content

I had
And by had I mean still have. This issue, on my main phone at that. It could almost definitely be fixed with more backup modification, but I just don't really know WHERE and my phone isn't vulnerable to DarkSword so it isn't really easy to go and search to look around for it.

so i'll have to erase all content to get rid of it?

or maybe erase all settings

at the least it'd be easy to put a note in the app directions or whatever saying remove your profiles before running, would save some headaches

No
If it's a DNS profile you can just change DNS to Automatic and it'll be the same as disabling it

A way of completely removing it is almost definitely doable but just hasn't been done yet. I'd imagine it truthfully could be at /private/var/preferences/com.apple.networkextension.plist but that file being completely removed would probably be problematic.

maybe something to do with skip setup wiping Library/ConfigurationProfiles/CloudConfigurationDetails.plist

i mean i guess i can just take itunes backup, erase, restore backup, maybe then i can figure out if profiles survive backups

yeah that seems likely

Profiles do survive backups

That checks out yeah

should i have unchecked skip setup?

I've had the same DNS profile just sit on my phone for legitimately maybe 3 years across multiple iPhones at this point

I just haven't cared enough to remove it

i don't have that much junk on my phone, it's just annoying having to re-setup everythiing, takes a few hours

i mean do profiles survive icloud backups?

seems less likely?

Yes

man

stupid apple

my guess is it's saved to some db

im gonna grep the entire /var to see

i had hoped installing the exact same profile, uuid and all, would just make it overwrite the db entry wherever it is

I assume it's here as I stated since that's where DNS profiles end up installing their preferences to

unfortunately it doesn't work

I don't know if deleting that file is safe or not, nor do I know how it would be stored in terms of backup domains

/var/preferences/com.apple.networkextension.plist

ah yes network extensions

what

OTADisabler hooks the Preferences app, the method I just mentioned works while unjailbroken and the profile never expires or removed (unless you do it manually)

53 gigabytes of TikTok? do you not have iCleaner installed? all that used storage is probably a buildup of app caches

okay yeah I just noticed the 3rd pic with 2 gigs of CrashReporter storage. Use iCleaner, it’ll probably free up a 100 gigs lol

its 5.3 gb

theres a decimal there but the font is ass so you cant really see it at a quick glance

fr

I do but

it crashes for some reason and I have no idea why because there is no log generated

Probably something to do with my environment being fucked considering I have now -150mb of system data and opa also told me to reinstall my whole jailbreak environment on a seperate issue

@rocky oriole run these commands in a shell and see if it fixes it

rm /var/mobile/Library/Preferences/com.ivanobilenchi.icleaner.plist
ln -s /var/jb/var/root/Library/Preferences/com.ivanobilenchi.icleaner.plist /var/mobile/Library/Preferences/com.ivanobilenchi.icleaner.plist

as root

Do y’all think I can modify /var/preferences/com.apple.networkextension.plist to block/unblock a site without having to go through the manual profile install process?

Or at least install a profile that blocks the site once and then enabling/disabling that profile using the plist

that’s what the DNS-based OTA blocker profile can do.

(ignore duplicated entries, I’m having the same issue as this)

i know, but can i enable/disable these profiles without having to go into settings simply by modifying com.apple.networkextension.plist on runtime?

thanks, but it didn't work

what’s the actual problem? specifically that separate issue you mentioned

I'd suspect you could
I might have to look into if the file gets modified when toggling profiles or not

icleaner crashes on launch with no crashlog generated, that seperate issue is that newterm doesn't work at all but ssh and mterm do

#dopamine message

i dont have a single jailbroken phone 😭

cant monitor this kind of shit that easily without jb unfortunately

does anyone know where sideload related data is stored by the ios system >17.0? i've been digging around and even jailed, darksword's read/write can be used to modify files to loosen sideloading restrictions...

/var/db/MobileIdentityData seems to be blacklists from apple and can be cleared, is there any place that tracks the expiry date of certificates?

i dont have a mac but it'd be cool if i could write an app that uses darksword's r/w abilities to help people modify system files, beyond just a file explorer like filzajailedds

(pls ping if replying)

thats embedded into the cert

cryptographically secure

ah i see

mis.db in profiles table

If you're familiar enough with sql, you know what you can do to prevent the record from being deleted

anyone know why when i hit an ios notification on my mac it just opens quick look simulator

like the ios app running on my mac not iphone mirroring

ended up making a tweak to rewrite the path to the main app bundle from whatever appex it tries to open

i see. better than it getting deleted. thank you for your service

even if most of this is incredibly out of date, it's still far better to have it easily accessible than not

honestly wish I could get paid to do nothing but update the wiki

Following up on this. I modified Nugget to disable followupd. That gets rid of the banners/nags inside of the Settings app (the ones that show up a few seconds after you launch settings, as Settings will query CoreFollowup after launch). However, it's not getting rid of the Settings icon badge, as that seems to come from elsewhere in the Settings code.

It's a partial win, as that will also get rid of the "non-genuine battery" messages and other Apple BS.

are there any gotchas when trying to hook SpringBoard w/ opainject? im able to hook mediaserverd and appstore apps. but when i try to inject SpringBoard, it restarts

iPhone X, iOS 16.7.10, palera1n 2.2.1

heres the opainject output, ill pull up the syslog later

mediaserverd: https://gist.githubusercontent.com/rweichler/246dd00621c5ac11f219f48f5932afef/raw/da00f36dfeab7f05f17cff8c664707ffe7556875/gistfile1.txt
SpringBoard: https://gist.githubusercontent.com/rweichler/7663828b51a25370aca40df595ccde93/raw/55277534cf3fc54b9d8b9bcc75654899c33a3f10/gistfile1.txt
Spotify: https://gist.githubusercontent.com/rweichler/2ab1527ac0b0f29da1d76bac699d848c/raw/ebf022d29a463be4d565b28b2fd03bcd7baa596a/gistfile1.txt

tried https://github.com/opa334/opainject/issues/2#issuecomment-1601572642 ?

ty. added that entitlement and didnt seem to make a difference: https://gist.githubusercontent.com/rweichler/348dbb3781c38ed399addccbbbc9c4e2/raw/db583c314668c8ea08a25849ffb475c0de71a518/gistfile1.txt

worst-case scenario, i can just special-case SpringBoard and hook it with ellekit

SpringBoard crash log?

that entitlement is already a thing?

crash stopped to repro after i installed ws.hbang.common and com.muirey03.cr4shed

from /var/mobile/Library/Logs/CrashReporter:

ah ok its reproing again, 10 times in a row

at least it sometimes works

That looks like your dylib is causing a deadlock

you are 100% correct

1000%

ty

i was wondering why it was taking forever to hook

blocked for like 10 seconds

i stubbed it and now its instant

alright i stubbed pretty much everything and it still crashes

it sometimes works randomly but i cant find a pattern

at least now it doesn't block for 10 seconds

I would recommend creating a new detached pthread in the constructor and doing anything in that thread

EXC_CRASH SIGILL

"mach_msg2_internal"
"mach_msg_overwrite"
"mach_msg"
"__CFRunLoopServiceMachPort"
"__CFRunLoopRun"
"CFRunLoopRunSpecific"
"GSEventRunModal"
"-[UIApplication _run]"
"UIApplicationMain"
"SBSystemAppMain"
"start"

constructor is empty

__attribute__((__constructor__)) static void _MSInitialize()
{
#if 0
    char serviceName[4096];
    sprintf(serviceName, "pidproxy%d", getpid());
    ttStartProxy(serviceName, runLuaCode);
#endif
}

ok im able to consistently repro now. lemme narrow it down

ill come back to this later

Anybody know if there are any unintended side-effects of deleting Library/FrontBoard/applicationState.db? I'm working with a Nugget fork to try to disable the Software Update badging after you apply the blockota mobileprofile on a non-jailbroken device. I got followupd disabled, but that kept the badge on Settings. If I nuke applicationState.db, it resets the badge and everything Just Works™. But I'm not sure if there's actually anything important kept in that file.

how do i get libkwr on ios12 with checkra1n?

does procursus just not support ios 12 anymore

checkra1n doesn't use Procursus

is that even needed as a package on checkm8 environment or below iOS 14 anyways

theres a bunch of broken repos and im like in a mix apt state between iphoneos-arm64 and arm

i might try fix shit with Odysseyra1n

did you strap over a Chimera setup

or whatever

On checkra1n not really since it has a tfp0 patch of course

Other than trying to maybe use something that depends on libkrw or trying to develop something for not-checkra1n jailbreaks

noh i just used checkra1n

You shouldn't be? You're on iOS 12 which is very much so rootful, there should be nothing iphoneos-arm64 at all on the system

fah

personal opinion here: any reason you’re not using Chimera(/TNSv2) instead of - just seems like you’re putting extra effort on yourself

im tryna load my kernel patches

What kernel patches do you even need that checkra1n doesn't already have?

im just changing two functions inside AppleBCMWLANBusInterfacePCIe before the patch the broadcom driver checks if the firmware hash verification returned a good result in X19. If X19 0 it fails and rejects my firmware patch if its is nonzero it has success

im tryna load my kernel patch to let my broadcom driver patch load

i got it installed my apt was just fukt

i just realised im gona have to compile on the phone against the library

Does checkra1ns tfp0 usually allow mach_vm_write to __TEXT_EXEC or is AMCC blocking it
the panic ESR was 0x9600004f (unexpected fault in kernel static region) when i was writing via libkrw and 0x96000006 (permission fault) when i used mach_vm_protect + mach_vm_write directly
im on iPhone 6, T7000/A8, checkra1n iOS 12.5.7 idek if pongoOS bypasses kernelcache signature verification on T7000 to let me replace the kernelcache on disk with a patched one

theres like nowhere with this information 😔

gota make an ios wiki

lmao sigmah

forgor to compress kernelcache befor reboot

💔 🫡

Thank you for being a Binary Ninja customer. Unfortunately, your Binary Ninja support will expire in 5 days. If you wish to continue to receive support and updates, you will need to renew via the following renewal link:

https://binary.ninja/renew/?serial=69420694206942069420

You will only be able to renew your license for up to 30 days after your support ends. If you miss this renewal period, you will need to purchase a new license and will not be eligible for the renewal pricing.

Please note that you will only receive three of these notifications: 60 days, 30 days, and 5 days before your support expires. If you do not renew your support, you may continue to use the last version of Binary Ninja and you can download old stable installers from the Binary Ninja Portal (https://portal.binary.ninja). However, you will lose access to the following:

 - Development Channel Updates
 - Support requests
 - Installers for versions released after your support ended

If you purchased your license through a reseller, forward this email to them. They can use the included renewal link and you will receive the updated license and download links while they will receive the purchase receipt (if they use their email address during checkout).

If you have multiple licenses, note that this renewal link will only renew the support associated with this serial number (your license file has information about which serial is associated with which product). If you wish to combine licenses or make any other changes, contact support at https://binary.ninja/support

If you purchased your license on a student discount, you will need to re-apply for the student discount on the renewal to receive discount pricing. Please see the student discount FAQ entry on our site for more details: https://binary.ninja/faq/#student-discount

--
Vector 35
https://binary.ninja/

No checkra1n does not disable KTRR

Oh wait this is T7000

Well the kernel is all mapped as R-X for starters, hence your panic, and the KPP will stop you patching it anyway

Do you patches inside PongoOS, that will work

yea you need to flip pte to rw

and disable KPP if you want to do it from booted OS

xnu spy has code for this

Yeah

But probs easier to just do it from Pongo

aight so i can repro the crash like this:

#include <netdb.h>

void lolwut()
{
    struct addrinfo hints = {0};
}

or this:

#include <netdb.h>
#include <string.h>

void lolwut()
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof(hints));
}

this does not crash:

#include <netdb.h>

void lolwut()
{
    struct addrinfo hints;
}

im not even calling this function, the mere existence of that function causes the crash
also that entitlement from the github issue made no difference

very strange... im just gonna special-case SpringBoard and use ellekit

oh wierd

Termination Reason: SIGNAL 4 Illegal instruction: 4

are you on arm64?

iPhone X, iOS 16.7.10, palera1n 2.2.1

Honestly just check the assembly

Match it up with the crashlog

im prolly just gonna give up tbh sry, i already burned too much time on this

special casing with ellekit isnt too bad

If you wanna drop a dylib I’m happy to have a look, but nws if not

depends on a launchdaemon

ill upload that l8r

if needed

sorry that one is no repro

i think that repros but i cant test rn

i asked this in #general earlier, but i got no response

i'm trying to add my cydia repo to my iphone 7. it's jailbroken using odysseyra1n and it runs ios 13.1.3
on sileo, when i add it/refresh sources it gives me this, a dpkgarchitecture error. i've heard this is relating to rootless/rootful jailbreaks
it doesn't have any rootless tweaks
on zebra it doesn't show anything but adds the repo with no errors
on cydia it seems to work just fine

how can i fix this?

Is your repo's Release file specifying Architectures: iphoneos-arm?

It very probably is relating to rootless/rootful jailbreaks

The issue is that this line contains a comma ^

they’re supposed to be space separated, not comma separated

this might be it

because i think they're seperated by commas

I didn't even think to actually go and check the repo

yeah you have iphoneos-arm, iphoneos-arm64

i do

Yeah that's it I also just checked

just delete the comma and then commit

?

Yes

okay thanks

Np

(if you don't have any rootless tweaks you don't need to include iphoneos-arm64)

i probably will make a rootless version

ok then yeah keep it

okay yeah ipad 7 isn’t showing any tweaks but iphone 7 is

cuz you don't have any rootless tweaks

that’s what i was about to say

also you have two debs but only one in /packages

need to edit that too

so everything shows up properly

packages.bz2?

no

https://github.com/penn76/penn76.github.io/blob/main/cydia/packages

what does packages.bz2 do anyways

are they just the same thing

pretty sure that is just an archvie of all of your deb files?

because i added the other packages file myself

idk i haven't touched my repo in like 20 years

wait do i only need to include the filename in the releases file?

im speculating here, so dont quote me on this, but i think debian made their package manager before it was common for http servers to support the header Accept-Encoding: gzip

i dont see any other reason why

apt was released in 1999, apache added gzip in 2002

bro fah

thx

im just tryna unbrick my phone rn bc my dumahh tried to load kernel patch from the disk that was twice the size of what it shuld have been

???

crayz lol

I'm tryna find a way to restore/update with 12.5.7 ispw even though its unsigned

imazing is giving me problems bc im on sonoma

if you have blobs just use Legacy iOS Kit

!t bluetool

Hey @verbal pebble, have a look at this!

i forgot to get the blobs 💀

ah

you can dump onboard with ssh ramdisk

W

everytime i reboot its stuck in recovery i think bc i forgot to LZSS compress kernel before loading it