
ellekit's People

Contributors

cryptiiiic, dhinakg, evelyneee, icrazeios, ja1dan, opa334, qtlunya, ryannair05


ellekit's Issues

Installation.md

Are the instructions listed in this file still accurate for building and installing ellekit on macOS Ventura+ (M1)?

If not, is it possible to list what steps should be taken here?

Hook Crash “CODESIGNING 2 Invalid Page”

I'm experiencing an issue when using ellekit on a jailed device (specifically an M2 Mac, injecting the ellekit dylib when sideloading an iOS app).

Here is the code I'm using, along with the crash.

It looks like the hook is executing but then crashes.

I think it might be that when the app is sideloaded it isn't given the entitlement

com.apple.security.cs.disable-executable-page-protection

Thoughts?

CODE

import Foundation

// C-convention signature of the function being hooked.
typealias XXXXXX_t = @convention(c) (Int64, UnsafeMutablePointer<UnsafeMutablePointer<Int8>?>?) -> CBool
var XXXXXX_Original: XXXXXX_t? = nil

// Replacement: forwards to the original once the hook is installed.
func XXXXXX_Hook(fileName: Int64, tablePtr: UnsafeMutablePointer<UnsafeMutablePointer<Int8>?>?) -> CBool {
    if let orig = XXXXXX_Original {
        return orig(fileName, tablePtr)
    }
    return false
}

public func createHooks() {
    // Load the dylib
    guard let dylibHandle = dlopen("libellekit.dylib", RTLD_LAZY) else {
        return
    }

    guard let EKHookFunction = dlsym(dylibHandle, "EKHookFunction") else {
        return
    }

    typealias EKHookFunctionType = @convention(c) (UnsafeMutableRawPointer, UnsafeMutableRawPointer) -> UnsafeMutableRawPointer?
    let hookFunction = unsafeBitCast(EKHookFunction, to: EKHookFunctionType.self)

    // Address of the replacement: convert the global function to a C-convention
    // function value and reinterpret it as a raw code pointer.
    let hookClosure: XXXXXX_t = XXXXXX_Hook
    let XXXXXX_Hook_Address = unsafeBitCast(hookClosure, to: UnsafeMutableRawPointer.self)

    // Target address; memoryUtility and offsets are the reporter's own helpers (not shown).
    guard let target = UnsafeMutableRawPointer(bitPattern: Int(memoryUtility.getAbsoluteOffset(of: offsets.XXXXXX))) else {
        return
    }

    guard let originalAddy = hookFunction(target, XXXXXX_Hook_Address) else {
        return
    }
    XXXXXX_Original = unsafeBitCast(originalAddy, to: XXXXXX_t.self)
}

CRASH

Exception Type:  EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Subtype: UNKNOWN_0x32 at 0x0000000103558fbc
Exception Codes: 0x0000000000000032, 0x0000000103558fbc
VM Region Info: 0x103558fbc is in 0x103558000-0x10355c000;  bytes after start: 4028  bytes before end: 12355
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      __TEXT                      1020fc000-103558000    [ 20.4M] r-x/r-x SM=COW  ...game.app/game
--->  __TEXT                      103558000-10355c000    [   16K] r-x/rwx SM=COW  ...game.app/game
      __TEXT                      10355c000-105f24000    [ 41.8M] r-x/r-x SM=COW  ...game.app/game
Termination Reason: CODESIGNING 2 Invalid Page

Triggered by Thread:  8


Thread 8 Crashed:
0   game                                     0x103558fbc 0x1020fc000 + 21352380
1   game                                     0x103b2ad9c 0x1020fc000 + 27454876
2   game                                     0x103b2a874 0x1020fc000 + 27453556
3   game                                     0x103b20a0c 0x1020fc000 + 27413004
4   game                                     0x1034c2174 0x1020fc000 + 20734324
5   game                                     0x1036bd254 0x1020fc000 + 22811220
6   game                                     0x1036bee84 0x1020fc000 + 22818436
7   game                                     0x1025a5590 0x1020fc000 + 4887952
8   game                                     0x1032a0194 0x1020fc000 + 18497940
9   libsystem_pthread.dylib                  0x18e04ffa8 _pthread_start + 148
10  libsystem_pthread.dylib                  0x18e04ada0 thread_start + 8

"loader" got killed immediately when running on Mac M1 (Ventura)

Hi @evelyneee,
I've tried to run the loader, either built from Xcode or the one you attached in "issue-2", on a Mac M1 mini terminal, and it got killed immediately. I also set up the plist to run it with launchd like you show in the instructions. Both the output log and the error log were empty, so I assumed it also got killed during the startup process. I tried disabling SIP but still got the same result when running the loader. The only thing that got me a little bit further was creating a new Command Line Tool target and moving all the loader code to the new target. That got me as far as setting the thread state, as follows:

[+] got task 7427
[i] using path /Library/TweakInject/pspawn.dylib
[+] loader: started thread
[+] loader: converted thread state
[-] loader: failed to set thread state

Is there anything specific I need to do for the loader to work on the Mac M1 (currently on Ventura)?

The project 'ellekit.xcodeproj' does not contain a target named 'ellekit-mac'

When I run the command xcodebuild -target ellekit-mac in the solution's folder, I get this error: xcodebuild: error: The project 'ellekit.xcodeproj' does not contain a target named 'ellekit-mac'

If I try changing to xcodebuild -target ellekit, then it successfully builds, so how can I make a new build for mac?

SIP disabled
arm64e abi enabled
M2 13.5.1
Xcode 14.3.1

MSHookFunction Crash

I wrote a tweak that I've run on checkra1n in iOS 13/14. After porting it to run in rootless theos, all the functionality works except for MSHookFunction.

According to the readme, the Substrate API header should be supported.

Example usage:

MSHookFunction((t_voidOne)getAddress(0x032912), n_New, (void **)&o_Old);

AppSync Compatibility Request

This tweak injection doesn't support AppSync correctly; it needs fixes. Even the AppSync creator himself says that the incompatibility problem we have is due to ellekit itself, not to the AppSync Unified tweak.

Please, look at the following: akemin-dayo/AppSync#174

[Enhancement] ellekit should block Obj-C swizzle methods from running too early

Not really a bug, but apps like PayPal are terribly made and swizzle NSData initialize to call their debug logger class.
Who tf knows why their debug logger is enabled in a release build.
When ellekit's libinjector is loaded into the app, CoreFoundation is called, which in turn calls NSData's initialize. But since the app swizzled that method, their version is called instead. This in turn jumps into the app's code too early, before anything is set up, and goes into an infinite recursion loop.

This can be resolved by just blocking swizzling until tweaks are done loading.

Simply installing the Ellekit plugin will put it into safe mode.

At the time of a FaceTime video call, I upgraded the 'Call Assistant' plugin, and after restarting SpringBoard it entered safe mode. After deleting all plugins, I found that simply installing ellekit would trigger safe mode. Even after clearing the jailbreak in jailbreak mode and then re-jailbreaking, the problem persisted.

Injection broken on Rootless Palera1n since Update 0.6.1

Heyya

Got a few reports from my users that the tweak didn't inject anymore. After some debugging, we found that as soon as they update ellekit in Sileo to anything after 0.6-1 (so 0.6.1 and up), it doesn't load any tweak anymore.

After downgrading, it works directly again.

Most of the users are on iOS 15.x.

Do you have any log file that gets generated or something, that can help you with finding the issue?

Sandbox Issue for IDSBlastDoorService

Hello, I'm using Ellekit on version 16.7.7, but the IDSBlastDoorService keeps crashing, causing issues with sending messages. The IDSBlastDoorService crashes with a Sandbox error when it spawns. I use a lot of tweaks that depend on Ellekit. Is it possible to remove IDSBlastDoorService from Ellekit's inject list?

Sandbox: IDSBlastDoorService(7141) deny(1) syscall-unix 153 SIGKILL


Exception Type: EXC_CRASH (SIGKILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: SANDBOX 1

Triggered by Thread: 0

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x1e81ae034 pread + 8
1 libsystem_trace.dylib 0x1c2560ef0 _os_trace_read_file_at + 163
2 libsystem_trace.dylib 0x1c2560854 _os_trace_read_plist_at + 55
3 libsystem_trace.dylib 0x1c255e054 _os_log_preferences_refresh_process + 151
4 libsystem_trace.dylib 0x1c255dcb8 _os_activity_create_addr + 1199
5 CoreFoundation 0x1aca8c068 _CFPrefsResetPreferences + 71
6 IDSBlastDoorService 0x104d34b8c main + 84
7 dyld 0x1ca1c0344 start + 1860

Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000001 x1: 0x0000000000000000 x2: 0x000000000000003e x3: 0x0000000000000000
x4: 0x00000001c2573d5c x5: 0x000000016b0cf0c0 x6: 0x0000000000000074 x7: 0x000000016b0cf01e
x8: 0x0000000000000000 x9: 0x000000000000006c x10: 0x0000000000000051 x11: 0x0000000000000011
x12: 0x0000000000000011 x13: 0x0000000000000051 x14: 0x00000000ffffffff x15: 0x00000000000006c0
x16: 0x0000000000000099 x17: 0x000000002800a010 x18: 0x0000000000000000 x19: 0x000000016b0cf068
x20: 0x0000000000000003 x21: 0x0000000950b0ac80 x22: 0x000000000000003e x23: 0x0000000000000000
x24: 0x00000002078d9000 x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0x0000000000000000
x28: 0x0000000000000000 fp: 0x000000016b0cf050 lr: 0x00000001c2560ef0
sp: 0x000000016b0cf020 pc: 0x00000001e81ae034 cpsr: 0x20000000
far: 0x0000000000000000 esr: 0x56000080 Address size fault

Binary Images:
0x104d30000 - 0x104d63fff IDSBlastDoorService arm64 <188c806334ba3359acbf1e2e93315ffd> /System/Library/PrivateFrameworks/IDSBlastDoorSupport.framework/XPCServices/IDSBlastDoorService.xpc/IDSBlastDoorService
0x1e81ac000 - 0x1e81e1ff7 libsystem_kernel.dylib arm64 /usr/lib/system/libsystem_kernel.dylib
0x1c255b000 - 0x1c2574fff libsystem_trace.dylib arm64 <99c14f802a7b3252be85408acf524b7f> /usr/lib/system/libsystem_trace.dylib
0x1ac98c000 - 0x1acd5afff CoreFoundation arm64 <8ed7639c50703a5d9ed8599199e62b93> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0x1ca1ac000 - 0x1ca2288db dyld arm64 <8ae431a3d41e3037ae7d4baff09896dc> /cores/dyld

EOF

Userspace reboot fails with version 1.1.2

Since the release of ellekit 1.1.1 & 1.1.2 the device hangs on a black screen when doing a userspace reboot, requiring a forced reboot and a rejailbreak.
This problem didn't exist in version 1.1
Device: iPhone X, iOS 16.5, previously jailbroken with palen1x and now jailbroken with Dopamine; the problem persisted in both jailbreaks.

Respring in safe mode seems a bit troublesome.

Maybe we should open an app like Coolstar does to facilitate normal users to log out after entering safe mode?
Because sometimes entering safe mode is just caused by a plugin crashing by accident.
Also, is it a bit strange to only prohibit third-party plug-ins from injecting into SpringBoard in safe mode? From the previous jailbreaking, shouldn't injection into any program be prohibited?

Adding to SwiftPM

Is there a way to add ellekit as a dependency to a swift package? Either by dylib or the actual repo?

Objective C or static Library

Hey, thanks for the reply on the other issue, and apologies for creating a new issue, but can you please add how-tos for ObjC if you have time? Or a Static Library target in the current project which will generate a static lib and header to use on a jailed device?

Regards,

My tweak, ported from rootful and substrate, causes safe modes

I updated my tweak to use @rpaths and it still (optionally) references MobileSubstrate.
It works well in palera1n rootless but not on Dopamine.
It hooks several C functions in mediaserverd.

Users are experiencing a safe mode when the tweak loads. This is the crash report:

CrashReporter Key:   0147f2ab04213c7d57e422d09fe72e559741bbcd
Hardware Model:      iPhone13,4
Process:             mediaserverd [5212]
Path:                /usr/sbin/mediaserverd
Identifier:          mediaserverd
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.apple.mediaserverd [592]
Date/Time:           2023-07-16 17:00:30.4134 +0300
Launch Time:         2023-07-16 17:00:29.9521 +0300
OS Version:          iPhone OS 15.1.1 (19B81)
Release Type:        User
Baseband Version:    2.11.04
Report Version:      104


Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001991c7384
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [5212]

Triggered by Thread:  0


Application Specific Information:




Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib         0x1991c7384 readClass(objc_class*, bool, bool) + 116
1   libobjc.A.dylib         0x1991c851c map_images_nolock + 3080
2   libobjc.A.dylib         0x1991c851c map_images_nolock + 3080
3   libobjc.A.dylib         0x1991c923c map_images + 88
4   dyld                    0x104d102b8 dyld4::RuntimeState::notifyLoad(dyld3::Array<dyld4::Loader const*> const&) + 584
5   dyld                    0x104d15b44 dyld4::APIs::dlopen_from(char const*, int, void*) + 496
6   libinjector.dylib       0x104ca3abc injection_init + 2040
7   dyld                    0x104d14794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
8   dyld                    0x104d48364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
9   dyld                    0x104d12490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
10  dyld                    0x104d11698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
11  dyld                    0x104d109f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
12  dyld                    0x104d1debc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
13  dyld                    0x104d1aa10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
14  dyld                    0x104d163c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
15  dyld                    0x104d1c570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
16  dyld                    0x104d15b54 dyld4::APIs::dlopen_from(char const*, int, void*) + 512
17  systemhook.dylib        0x104c47490 initializer + 500
18  dyld                    0x104d14794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
19  dyld                    0x104d48364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
20  dyld                    0x104d12490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
21  dyld                    0x104d11698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
22  dyld                    0x104d109f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
23  dyld                    0x104d1debc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
24  dyld                    0x104d1aa10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
25  dyld                    0x104d163c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
26  dyld                    0x104d1c570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
27  dyld                    0x104d3bd44 dyld4::APIs::runAllInitializersForMain() + 312
28  dyld                    0x104d273ac dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
29  dyld                    0x104d25a04 start + 488

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000107f39ee0   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0xfffffffffffffff6
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000021   x7: 0x00000000000008f0
    x8: 0x0000000107f21c48   x9: 0x000000016b202178  x10: 0x0000000000000006  x11: 0x0000000105c70000
   x12: 0x0000000105c6c000  x13: 0x0000000000000066  x14: 0xe2d4577ee0bb8544  x15: 0x000067616e614d6e
   x16: 0x00200001daa48160  x17: 0x00000001daa48160  x18: 0x0000000000000000  x19: 0x0000000107f39ee0
   x20: 0x0000000000000000  x21: 0x0000000107f0d562  x22: 0x0000000000000000  x23: 0x0000000000000000
   x24: 0x0000000000000000  x25: 0x0000000107f39ee8  x26: 0x0000000001120532  x27: 0x0000000107f39ee0
   x28: 0x0000000000000006   fp: 0x000000016b2021a0   lr: 0xec195581991c851c
    sp: 0x000000016b202150   pc: 0x00000001991c7384 cpsr: 0x20000000
   far: 0x0000000107efcee0  esr: 0xf200c472 (Breakpoint) pointer authentication trap DA

Binary Images:
       0x1991bc000 -        0x1991f5fff libobjc.A.dylib arm64e  <10fa90c6dfe538aeb3dc2251181cc272> /usr/lib/libobjc.A.dylib
       0x104d0c000 -        0x104d63fff dyld arm64e  <c21dba379df93fc7b286734030e18bb1> /usr/lib/dyld
       0x104c9c000 -        0x104ca3fff libinjector.dylib arm64e  <5e17d7464bcc3356ad78321d55215bfc> /private/preboot/5A564AB6B67F73249711094FAA1C979FDD441F128A0E2EF535D5713F9F7A92BD2AFDAB32F6862A3587ADD8ECA5F649D9/jb-nJMZIL/procursus/usr/lib/ellekit/libinjector.dylib
       0x104c40000 -        0x104c47fff systemhook.dylib arm64e  <9bcc3df8d13230d1b4cc1cc5c0831ae4> /usr/lib/systemhook.dylib

EOF



Incident Identifier: 50D9A0C6-25E0-477D-A908-F36998F79996
CrashReporter Key:   0147f2ab04213c7d57e422d09fe72e559741bbcd
Hardware Model:      iPhone13,4
Process:             mediaserverd [5211]
Path:                /usr/sbin/mediaserverd
Identifier:          mediaserverd
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Unspecified
Parent Process:      launchd [1]
Coalition:           com.apple.mediaserverd [592]

Date/Time:           2023-07-16 17:00:24.9506 +0300
Launch Time:         2023-07-16 17:00:24.4799 +0300
OS Version:          iPhone OS 15.1.1 (19B81)
Release Type:        User
Baseband Version:    2.11.04
Report Version:      104

Exception Type:  EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001991c7384
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [5211]

Triggered by Thread:  0

Application Specific Information:

Thread 0 name:   Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libobjc.A.dylib         0x1991c7384 readClass(objc_class*, bool, bool) + 116
1   libobjc.A.dylib         0x1991c851c map_images_nolock + 3080
2   libobjc.A.dylib         0x1991c851c map_images_nolock + 3080
3   libobjc.A.dylib         0x1991c923c map_images + 88
4   dyld                    0x10484c2b8 dyld4::RuntimeState::notifyLoad(dyld3::Array<dyld4::Loader const*> const&) + 584
5   dyld                    0x104851b44 dyld4::APIs::dlopen_from(char const*, int, void*) + 496
6   libinjector.dylib       0x1047dfabc injection_init + 2040
7   dyld                    0x104850794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
8   dyld                    0x104884364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
9   dyld                    0x10484e490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
10  dyld                    0x10484d698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
11  dyld                    0x10484c9f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
12  dyld                    0x104859ebc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
13  dyld                    0x104856a10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
14  dyld                    0x1048523c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
15  dyld                    0x104858570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
16  dyld                    0x104851b54 dyld4::APIs::dlopen_from(char const*, int, void*) + 512
17  systemhook.dylib        0x104783490 initializer + 500
18  dyld                    0x104850794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
19  dyld                    0x104884364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
20  dyld                    0x10484e490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
21  dyld                    0x10484d698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
22  dyld                    0x10484c9f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
23  dyld                    0x104859ebc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
24  dyld                    0x104856a10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
25  dyld                    0x1048523c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
26  dyld                    0x104858570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
27  dyld                    0x104877d44 dyld4::APIs::runAllInitializersForMain() + 312
28  dyld                    0x1048633ac dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
29  dyld                    0x104861a04 start + 488

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000107ae5ee0   x1: 0x0000000000000000   x2: 0x0000000000000000   x3: 0xfffffffffffffff6
    x4: 0x0000000000000000   x5: 0x0000000000000000   x6: 0x0000000000000021   x7: 0x00000000000008f0
    x8: 0x0000000107acdc48   x9: 0x000000016b7c6178  x10: 0x0000000000000006  x11: 0x0000000104e9c000
   x12: 0x0000000104e98000  x13: 0x0000000000000066  x14: 0xe2d4577ee0bb8544  x15: 0x000067616e614d6e
   x16: 0x00200001daa48160  x17: 0x00000001daa48160  x18: 0x0000000000000000  x19: 0x0000000107ae5ee0
   x20: 0x0000000000000000  x21: 0x0000000107ab9562  x22: 0x0000000000000000  x23: 0x0000000000000000
   x24: 0x0000000000000000  x25: 0x0000000107ae5ee8  x26: 0x0000000001120532  x27: 0x0000000107ae5ee0
   x28: 0x0000000000000006   fp: 0x000000016b7c61a0   lr: 0xd352e481991c851c
    sp: 0x000000016b7c6150   pc: 0x00000001991c7384 cpsr: 0x20000000
   far: 0x0000000107aa8ee0  esr: 0xf200c472 (Breakpoint) pointer authentication trap DA

Binary Images:
       0x1991bc000 -        0x1991f5fff libobjc.A.dylib arm64e  <10fa90c6dfe538aeb3dc2251181cc272> /usr/lib/libobjc.A.dylib
       0x104848000 -        0x10489ffff dyld arm64e  <c21dba379df93fc7b286734030e18bb1> /usr/lib/dyld
       0x1047d8000 -        0x1047dffff libinjector.dylib arm64e  <5e17d7464bcc3356ad78321d55215bfc> /private/preboot/5A564AB6B67F73249711094FAA1C979FDD441F128A0E2EF535D5713F9F7A92BD2AFDAB32F6862A3587ADD8ECA5F649D9/jb-nJMZIL/procursus/usr/lib/ellekit/libinjector.dylib
       0x10477c000 -        0x104783fff systemhook.dylib arm64e  <9bcc3df8d13230d1b4cc1cc5c0831ae4> /usr/lib/systemhook.dylib

MSHookMessageEx and Logos are not working

I am unable to have MSHookMessageEx and Logos hooking in a tweak. In this code, only "myTweak CTOR" is output in console.

Notes:

  • The tweak is built for X86_64 using TARGET = macosx::10.14 and ARCHS = x86_64.
  • Ellekit is built with most recent commit.
  • Using Ventura M2.
  • When I first ran the app, it crashed with an error that it is missing "/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate". So I created the folder and symlinked "ellekit.dylib" into it as "CydiaSubstrate".

#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#import <substrate.h>

%group mytweak

%hook someClass

// Logos hook: log the original return value, then force YES.
- (BOOL)someMethod {
    NSLog(@"myTweak 1:%d", %orig());
    return YES;
}

%end

// end group
%end

// MSHookMessageEx hook on the same selector, with the same behaviour.
BOOL (*oldMethod)(id self, SEL _cmd);
BOOL newMethod(id self, SEL _cmd) {
    NSLog(@"myTweak 2:%d", oldMethod(self, _cmd));
    return YES;
}

%ctor {
    NSLog(@"myTweak CTOR");
    MSHookMessageEx(objc_getClass("someClass"), @selector(someMethod), (IMP)newMethod, (IMP *)&oldMethod);
    %init(mytweak);
}

Entitlements issue for DriverKit

The project builds fine using Apple silicon, but when I try to build it on an Intel mac, I get this error:

MB:Source user$ xcodebuild -scheme loader
2023-09-27 11:54:43.475 xcodebuild[1648:21427] DVTCoreDeviceEnabledState: DVTCoreDeviceEnabledState_Disabled set via user default (DVTEnableCoreDevice=disabled)
Command line invocation:
    /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -scheme loader

User defaults from command line:
    IDEPackageSupportUseBuiltinSCM = YES

--- xcodebuild: WARNING: Using the first of multiple matching destinations:
{ platform:DriverKit, name:Any DriverKit Host }
{ platform:iOS, id:dvtdevice-DVTiPhonePlaceholder-iphoneos:placeholder, name:Any iOS Device }
{ platform:iOS Simulator, id:dvtdevice-DVTiOSDeviceSimulatorPlaceholder-iphonesimulator:placeholder, name:Any iOS Simulator Device }
{ platform:macOS, name:Any Mac }
{ platform:macOS, variant:Mac Catalyst, name:Any Mac }
Prepare packages

Computing target dependency graph and provisioning inputs

Create build description
Build description signature: 470200406204e2dcdfc682a6e828d283
Build description path: /Users/user/Library/Developer/Xcode/DerivedData/ellekit-bclcflmeasyekohhdvjuqrjxwjhj/Build/Intermediates.noindex/XCBuildData/470200406204e2dcdfc682a6e828d283.xcbuilddata

note: Building targets in dependency order
error: Entitlements are required for product type 'Command-line Tool' in SDK 'DriverKit 22.4'. (in target 'loader' from project 'ellekit')
** BUILD FAILED **

I have enabled arm64e new ABI, and SIP is disabled.

I get the same error with xcodebuild -scheme launchd, but xcodebuild -scheme ellekit-mac works fine.

The Future of the /var/jb Root Path

Since the SSV security mechanism of iOS 15, jailbreaking has encountered great challenges and difficulties, but with the efforts of big names such as xina and opa334, we have seen a new dawn. They use the rootless mechanism to successfully avoid the restrictions of SSV, letting jailbreaking enter a new era.

But I have been very worried about the /var/jb root path. Rootless jailbreaks store all data and files in it, and it is a completely fixed path. All jailbreak apps, daemons and tweaks refer to this path, and it is hard-coded into the final released binaries.

So what is /var/jb? It is the interface of the rootless jailbreak; once the jailbreak community in the rootless era settles on this specification, it is very difficult for anyone to change or adjust it.

But the fixed path is very easy to detect: only one line of code calling the access/stat function is needed, and any iOS development rookie can detect it.

Although we can temporarily remove the /var/jb symlink (like xina15 did), I think this is a lazy way, and it will cause two things that create major trouble in the future:
1: It's really annoying that people have to repeatedly remove and restore it when opening different apps, and people get tired of it very quickly.
2: Almost all jailbreak apps, daemons and tweaks use this path; when you temporarily remove it, maybe a jailbreak app, daemon or tweak is accessing this path, or is about to access it, and then it will not be able to find it. This would create a confusing situation.

I think we have a better way to deal with this problem: first we add a random suffix to the /var/jb path, like /var/jb-xxxxx, and then use environment variables as the rootless jailbreak interface. For example, we create an environment variable named "JBRoot" and set it to /var/jb-xxxx; we can then easily access this environment variable:

in shell code:

cd "$JBRoot"

in Objective-C code (getenv returns NULL when the variable is unset, so check before formatting):

const char *jbroot = getenv("JBRoot");
NSString *my_file_path = jbroot ? [NSString stringWithFormat:@"%s/my_file_path", jbroot] : nil;

in C/C++ code:

#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

const char *jbroot = getenv("JBRoot");
char my_file_path[PATH_MAX] = {0};
if (jbroot != NULL) {
    snprintf(my_file_path, sizeof(my_file_path), "%s/my_file_path", jbroot);
}

So what is the difference between this method and the fixed path of directly using /var/jb?
The difference is that the fixed path of /var/jb is visible to all processes, but environment variables can be set individually for each process. In the future, we can create a blacklist, and we can choose to hide the "JBRoot" environment variable for Some APPs. In this way, they will not be able to detect the existence of /var/jb-xxxx, and will not interfere with other rootless jailbreak apps/deamon/tweak's access to /var/jb-xxxx.

Why is hiding /var/jb so important and urgent?
Some people may ask: even if we hide /var/jb, there are still many other ways to detect jailbreak, so why do we have to deal with /var/jb first?
First of all, the data in the file system is the easiest to detect. As I said before, any rookie in iOS development can detect the existence of /var/jb with a single line of code. This will make detection of /var/jb very widespread and ubiquitous; eventually a large number of apps will detect this path, making jailbreaking difficult to use if you don't handle /var/jb.
Secondly, the /var/jb path is used as the interface standard for rootless jailbreaks, and every jailbreak app/daemon/tweak will use it, and it is hard-coded into the released binary, which means that if we do not deal with it now, we will not be able to deal with this problem in the future.

As a loyal jailbreak fan, I have witnessed the brilliance of jailbreak from iOS 5 to iOS 9, and also witnessed the wisdom of the jailbreak community starting from iOS 10. Starting from iOS 15, jailbreak has entered a new era, and I sincerely hope that the masters of the jailbreak community can consider this issue.

macOS 14.5 failed

nx@NX ~ % sudo /usr/local/bin/loader
Password:
[+] got task 7683
[i] using path /Library/TweakInject/pspawn.dylib
[+] loader: started thread: 6151
[+] loader: converted thread state
zsh: killed sudo /usr/local/bin/loader

This is a bug report.

iPad mini 5(A12)
iPad OS 15.3.1

1 Jailbreak with Dopamine
2 install Ellekit 1.0
3 safemode

Idk how to send logs. I would appreciate it if you could tell me.

Fugu14

Dude, it'd be so sick if you could help me get this to work in Fugu14 to achieve a proper untether!
I have absolutely no clue what I'm doing; this is what I've been able to botch together so far: https://github.com/SmartBoy84/Weazol

Trust cache injection works sometimes for some utilities but doesn't for others, daemon launching is unreliable and device will crash randomly

[Question] how to replace ellekit dylibs?

Hello, I am trying to build ellekit with safe mode disabled.

Now I have the dylibs, but how do I place them on my iOS 16.7 iPhone 8, rootless jailbreak with palera1n?

Is it just a matter of replacing them in the FS?

I installed ellekit with zebra

Thank you!!

v1.1.2 crashes Clock when injection enabled

Good afternoon,

On Serotonin/Bootstrap, I’ve been using AlarmTime successfully for a week or so and noticed today that the Clock app wouldn’t open.

Even with no tweaks injected, just having Clock enabled in Bootstrap will crash the app. I did not notice this issue until updating to ElleKit 1.1.2, so I'm hoping to bring this to your attention.

Also: I restarted my device, and re-activated Bootstrap and Serotonin just to be totally sure it’s just an issue with Clock, and it is.
