evelyneee / ellekit
yet another tweak injector / tweak hooking library for darwin systems
License: BSD 3-Clause "New" or "Revised" License
Are the instructions listed in Installation.md still accurate for building and installing ellekit on macOS Ventura+ (M1)?
If not, is it possible to list what steps should be taken here?
I'm experiencing an issue when using ellekit on a jailed device (specifically an M2 Mac, injecting the ellekit dylib when sideloading an iOS app).
Here is the code I'm using, along with the crash.
It looks like the hook is executing but then crashes.
I think it might be that when the app is sideloaded it doesn't get the entitlement
com.apple.security.cs.disable-executable-page-protection
Thoughts?
CODE
import Foundation

typealias XXXXXX_t = @convention(c) (Int64, UnsafeMutablePointer<UnsafeMutablePointer<Int8>?>?) -> CBool
var XXXXXX_Original: XXXXXX_t? = nil

// The replacement has to be a C-convention function, so it is declared as a
// @convention(c) closure rather than a Swift method. It calls through to the
// original once EKHookFunction has handed that back.
let XXXXXX_Hook: XXXXXX_t = { fileName, tablePtr in
    if let orig = XXXXXX_Original {
        return orig(fileName, tablePtr)
    }
    return false
}

public func createHooks() {
    // Load the dylib
    guard let dylibHandle = dlopen("libellekit.dylib", RTLD_LAZY) else {
        return
    }
    guard let EKHookFunction = dlsym(dylibHandle, "EKHookFunction") else {
        return
    }
    typealias EKHookFunctionType = @convention(c) (UnsafeMutableRawPointer, UnsafeMutableRawPointer) -> UnsafeMutableRawPointer?
    let hookFunction = unsafeBitCast(EKHookFunction, to: EKHookFunctionType.self)
    // A @convention(c) function value is a plain code pointer, so it can be
    // bit-cast directly; withUnsafePointer(to:) would give the address of a
    // temporary holding that pointer, not the function itself.
    let XXXXXX_Hook_Address = unsafeBitCast(XXXXXX_Hook, to: UnsafeMutableRawPointer.self)
    guard let XXXXXX_Target = UnsafeMutableRawPointer(bitPattern: Int(memoryUtility.getAbsoluteOffset(of: offsets.XXXXXX))) else {
        return
    }
    let originalAddy = hookFunction(XXXXXX_Target, XXXXXX_Hook_Address)
    XXXXXX_Original = originalAddy.map { unsafeBitCast($0, to: XXXXXX_t.self) }
}
CRASH
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Subtype: UNKNOWN_0x32 at 0x0000000103558fbc
Exception Codes: 0x0000000000000032, 0x0000000103558fbc
VM Region Info: 0x103558fbc is in 0x103558000-0x10355c000; bytes after start: 4028 bytes before end: 12355
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
__TEXT 1020fc000-103558000 [ 20.4M] r-x/r-x SM=COW ...game.app/game
---> __TEXT 103558000-10355c000 [ 16K] r-x/rwx SM=COW ...game.app/game
__TEXT 10355c000-105f24000 [ 41.8M] r-x/r-x SM=COW ...game.app/game
Termination Reason: CODESIGNING 2 Invalid Page
Triggered by Thread: 8
Thread 8 Crashed:
0 game 0x103558fbc 0x1020fc000 + 21352380
1 game 0x103b2ad9c 0x1020fc000 + 27454876
2 game 0x103b2a874 0x1020fc000 + 27453556
3 game 0x103b20a0c 0x1020fc000 + 27413004
4 game 0x1034c2174 0x1020fc000 + 20734324
5 game 0x1036bd254 0x1020fc000 + 22811220
6 game 0x1036bee84 0x1020fc000 + 22818436
7 game 0x1025a5590 0x1020fc000 + 4887952
8 game 0x1032a0194 0x1020fc000 + 18497940
9 libsystem_pthread.dylib 0x18e04ffa8 _pthread_start + 148
10 libsystem_pthread.dylib 0x18e04ada0 thread_start + 8
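For the crash recorded above, here is an added example that is neither ellekit's code nor part of the original post: a portable C program showing the write an inline function hook has to make, overwriting a function's first instructions with new code (here `return 42`, encoded for x86-64 and arm64) after making the page writable with `mprotect`. On Linux it runs to completion. On macOS and iOS the same write lands on a page of a signed `__TEXT` segment: exception code 0x32 in the report is KERN_CODESIGN_ERROR, and the faulting address sits inside the 16 KB region whose maximum protection was raised to rwx, which is what the kernel reports when execution reaches a modified page it can no longer validate. Function and variable names below are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Global sink so the compiler cannot treat target_function as pure and
 * reuse a cached result across the patch. */
volatile int patch_demo_sink;

/* The function whose prologue gets overwritten. Its body is kept well over
 * the patch length so the write stays inside this function's own bytes. */
__attribute__((noinline)) int target_function(int x)
{
    int acc = x;
    for (int i = 0; i < 8; i++) {
        acc = acc * 3 + i;
        patch_demo_sink = acc;
    }
    return acc;
}

/* Overwrite the first instructions of fn with "return 42", the way an inline
 * hook overwrites a prologue with a branch to its replacement.
 * Returns 0 on success, -1 (errno set) if the page cannot be made writable,
 * -2 on a CPU this demo has no encoding for. */
int patch_prologue_return_42(void *fn)
{
#if defined(__x86_64__)
    static const uint8_t patch[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax, 42 ; ret */
#elif defined(__aarch64__)
    static const uint32_t patch[] = { 0x52800540, 0xD65F03C0 };            /* mov w0, #42 ; ret */
#else
    static const uint8_t patch[] = { 0 };
    (void)fn;
    return -2;
#endif
    uintptr_t page  = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)fn & ~(page - 1);
    uintptr_t end   = ((uintptr_t)fn + sizeof(patch) + page - 1) & ~(page - 1);

    /* Step 1: make the code page writable. On a signed __TEXT segment this
     * is the step a jailed process is not allowed to complete. */
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;

    /* Step 2: write the new instructions, flush the instruction cache, and
     * drop the write permission again. */
    memcpy(fn, patch, sizeof(patch));
    __builtin___clear_cache((char *)fn, (char *)fn + sizeof(patch));
    if (mprotect((void *)start, end - start, PROT_READ | PROT_EXEC) != 0)
        return -1;
    return 0;
}

/* Result of the untouched function, for comparison. */
int value_before_patch(void)
{
    return target_function(1);   /* 8197 with the loop above */
}

/* Patch, then call the function through its normal symbol. */
int value_after_patch(void)
{
    if (patch_prologue_return_42((void *)target_function) != 0)
        return -1;
    return target_function(1);   /* 42 once the prologue is replaced */
}

int main(void)
{
    printf("before: %d\n", value_before_patch());
    int after = value_after_patch();
    if (after < 0)
        printf("patch failed: %s\n", strerror(errno));
    else
        printf("after:  %d\n", after);
    return 0;
}
```

Build with `cc hook_page_demo.c` and run it. If `mprotect` is refused the program reports errno instead of patching; the entitlement named in the post controls whether a hardened-runtime process on macOS may get past that first step at all, and the report above is what the second step produces without it.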
Hi @evelyneee,
I've tried to run the loader, either built from Xcode or the one you attached in "issue-2", on a Mac M1 mini terminal, and it got killed immediately. I also set up the plist to run it with launchd like you show in the instructions. Both the output log and the error log were empty, so I assumed it also got killed during the startup process. I tried disabling SIP but still have the same result when running the loader. The only thing that got me a little bit further was creating a new Command Line Tool target and moving all the code of loader to the new target. That got me as far as setting the thread state, as follows:
[+] got task 7427
[i] using path /Library/TweakInject/pspawn.dylib
[+] loader: started thread
[+] loader: converted thread state
[-] loader: failed to set thread state
Is there anything specific I need to do for the loader to work on the Mac M1 (currently on Ventura)?
As subject says.. does this work on jailed devices?
I got this error on my M1 - 13.3
xcodebuild: error: The project 'ellekit.xcodeproj' does not contain a target named 'ellekit-mac'.
When I run the command xcodebuild -target ellekit-mac in the solutions folder, I get this error: xcodebuild: error: The project 'ellekit.xcodeproj' does not contain a target named 'ellekit-mac'
If I try changing to xcodebuild -target ellekit, then it successfully builds, so how can I make a new build for Mac?
SIP disabled
arm64e abi enabled
M2 13.5.1
Xcode 14.3.1
I wrote a tweak that I've run on checkra1n in iOS 13/14. After porting it to run in rootless theos, all the functionality works except for MSHookFunction.
According to the readme, the Substrate API header should be supported.
Example usage:
MSHookFunction((t_voidOne)getAddress(0x032912), n_New, (void **)&o_Old);
This tweak injection doesn't support AppSync correctly - it needs fixes - even the AppSync creator itself says that this incompatibility problem we have is due to the Ellekit itself, not to the AppSync Unified tweak.
Please, look at the following: akemin-dayo/AppSync#174
Not really a bug, but apps like PayPal are terribly made and swizzle NSData's initialize to call their debug logger class.
Who tf knows why their debug logger is enabled in a release build.
When ellekit's libinjector is loaded into the app, CoreFoundation is called, which in turn calls NSData's initialize. But since the app swizzled that method, their version is called instead. This in turn jumps into the app's code too early, before anything is set up, and goes into an infinite recursion loop.
This can be resolved by just blocking swizzling until tweaks are done loading.
At the time of a FaceTime video call, I upgraded the 'Call Assistant' plugin, and after restarting SpringBoard it entered safe mode. After deleting all plugins, I found that simply installing ElleKit would trigger safe mode. Even after clearing the jailbreak in jailbreak mode and then re-jailbreaking, the problem persisted.
Heyya
Got a few reports from my users that the tweak didn't inject anymore. After some debugging, we found that as soon as they update ElleKit in Sileo to anything after 0.6-1 (so 0.6.1 and up) it doesn't load any tweak anymore.
After downgrading it works again right away.
Most of the users are on iOS 15.x.
Do you have any log file that gets generated, or something else that can help you with finding the issue?
Hello, I'm using Ellekit on version 16.7.7, but the IDSBlastDoorService keeps crashing, causing issues with sending messages. The IDSBlastDoorService crashes with a Sandbox error when it spawns. I use a lot of tweaks that depend on Ellekit. Is it possible to remove IDSBlastDoorService from Ellekit's inject list?
Sandbox: IDSBlastDoorService(7141) deny(1) syscall-unix 153 SIGKILL
Exception Type: EXC_CRASH (SIGKILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: SANDBOX 1
Triggered by Thread: 0
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x1e81ae034 pread + 8
1 libsystem_trace.dylib 0x1c2560ef0 _os_trace_read_file_at + 163
2 libsystem_trace.dylib 0x1c2560854 _os_trace_read_plist_at + 55
3 libsystem_trace.dylib 0x1c255e054 _os_log_preferences_refresh_process + 151
4 libsystem_trace.dylib 0x1c255dcb8 _os_activity_create_addr + 1199
5 CoreFoundation 0x1aca8c068 _CFPrefsResetPreferences + 71
6 IDSBlastDoorService 0x104d34b8c main + 84
7 dyld 0x1ca1c0344 start + 1860
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000000000001 x1: 0x0000000000000000 x2: 0x000000000000003e x3: 0x0000000000000000
x4: 0x00000001c2573d5c x5: 0x000000016b0cf0c0 x6: 0x0000000000000074 x7: 0x000000016b0cf01e
x8: 0x0000000000000000 x9: 0x000000000000006c x10: 0x0000000000000051 x11: 0x0000000000000011
x12: 0x0000000000000011 x13: 0x0000000000000051 x14: 0x00000000ffffffff x15: 0x00000000000006c0
x16: 0x0000000000000099 x17: 0x000000002800a010 x18: 0x0000000000000000 x19: 0x000000016b0cf068
x20: 0x0000000000000003 x21: 0x0000000950b0ac80 x22: 0x000000000000003e x23: 0x0000000000000000
x24: 0x00000002078d9000 x25: 0x0000000000000000 x26: 0x0000000000000000 x27: 0x0000000000000000
x28: 0x0000000000000000 fp: 0x000000016b0cf050 lr: 0x00000001c2560ef0
sp: 0x000000016b0cf020 pc: 0x00000001e81ae034 cpsr: 0x20000000
far: 0x0000000000000000 esr: 0x56000080 Address size fault
Binary Images:
0x104d30000 - 0x104d63fff IDSBlastDoorService arm64 <188c806334ba3359acbf1e2e93315ffd> /System/Library/PrivateFrameworks/IDSBlastDoorSupport.framework/XPCServices/IDSBlastDoorService.xpc/IDSBlastDoorService
0x1e81ac000 - 0x1e81e1ff7 libsystem_kernel.dylib arm64 /usr/lib/system/libsystem_kernel.dylib
0x1c255b000 - 0x1c2574fff libsystem_trace.dylib arm64 <99c14f802a7b3252be85408acf524b7f> /usr/lib/system/libsystem_trace.dylib
0x1ac98c000 - 0x1acd5afff CoreFoundation arm64 <8ed7639c50703a5d9ed8599199e62b93> /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
0x1ca1ac000 - 0x1ca2288db dyld arm64 <8ae431a3d41e3037ae7d4baff09896dc> /cores/dyld
EOF
I created a simple tweak and loaded it into com.apple.WebKit.WebContent.
It works on ellekit (roothide).
It works on substitute (rootful palera1n).
It doesn't work on ellekit (rootful and rootless palera1n).
Since the release of ellekit 1.1.1 & 1.1.2, the device hangs on a black screen when doing a userspace reboot, requiring a forced reboot and a re-jailbreak.
This problem didn't exist in version 1.1.
Device: iPhone X, iOS 16.5, previously jailbroken with palen1x and now jailbroken with Dopamine; the problem persisted in both jailbreaks.
Maybe we should offer an app, like Coolstar does, to make it easy for normal users to exit safe mode after entering it?
Because sometimes entering safe mode is just caused by a plugin crashing by accident.
Also, isn't it a bit strange to only prohibit third-party plug-ins from injecting into SpringBoard in safe mode? Going by previous jailbreaks, shouldn't injection into any program be prohibited?
Is there a way to add ellekit as a dependency to a swift package? Either by dylib or the actual repo?
Hey, thanks for the reply on the other issue and apologies for creating a new issue, but can you please add how-tos for ObjC if you have time? Or a Static Library target in the current project which will generate a static lib and header to use on a jailed device?
Regards,
I updated my tweak to use @rpaths and it still references (optionally) MobileSubstrate.
It works well in palera1n rootless but not on Dopamine.
It hooks several C functions in mediaserverd.
Users are experiencing safe mode when the tweak loads. This is the crash report:
CrashReporter Key: 0147f2ab04213c7d57e422d09fe72e559741bbcd
Hardware Model: iPhone13,4
Process: mediaserverd [5212]
Path: /usr/sbin/mediaserverd
Identifier: mediaserverd
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: launchd [1]
Coalition: com.apple.mediaserverd [592]
Date/Time: 2023-07-16 17:00:30.4134 +0300
Launch Time: 2023-07-16 17:00:29.9521 +0300
OS Version: iPhone OS 15.1.1 (19B81)
Release Type: User
Baseband Version: 2.11.04
Report Version: 104
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001991c7384
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [5212]
Triggered by Thread: 0
Application Specific Information:
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libobjc.A.dylib 0x1991c7384 readClass(objc_class*, bool, bool) + 116
1 libobjc.A.dylib 0x1991c851c map_images_nolock + 3080
2 libobjc.A.dylib 0x1991c851c map_images_nolock + 3080
3 libobjc.A.dylib 0x1991c923c map_images + 88
4 dyld 0x104d102b8 dyld4::RuntimeState::notifyLoad(dyld3::Array<dyld4::Loader const*> const&) + 584
5 dyld 0x104d15b44 dyld4::APIs::dlopen_from(char const*, int, void*) + 496
6 libinjector.dylib 0x104ca3abc injection_init + 2040
7 dyld 0x104d14794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
8 dyld 0x104d48364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
9 dyld 0x104d12490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
10 dyld 0x104d11698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
11 dyld 0x104d109f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
12 dyld 0x104d1debc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
13 dyld 0x104d1aa10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
14 dyld 0x104d163c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
15 dyld 0x104d1c570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
16 dyld 0x104d15b54 dyld4::APIs::dlopen_from(char const*, int, void*) + 512
17 systemhook.dylib 0x104c47490 initializer + 500
18 dyld 0x104d14794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
19 dyld 0x104d48364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
20 dyld 0x104d12490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
21 dyld 0x104d11698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
22 dyld 0x104d109f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
23 dyld 0x104d1debc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
24 dyld 0x104d1aa10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
25 dyld 0x104d163c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
26 dyld 0x104d1c570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
27 dyld 0x104d3bd44 dyld4::APIs::runAllInitializersForMain() + 312
28 dyld 0x104d273ac dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
29 dyld 0x104d25a04 start + 488
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000107f39ee0 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0xfffffffffffffff6
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000021 x7: 0x00000000000008f0
x8: 0x0000000107f21c48 x9: 0x000000016b202178 x10: 0x0000000000000006 x11: 0x0000000105c70000
x12: 0x0000000105c6c000 x13: 0x0000000000000066 x14: 0xe2d4577ee0bb8544 x15: 0x000067616e614d6e
x16: 0x00200001daa48160 x17: 0x00000001daa48160 x18: 0x0000000000000000 x19: 0x0000000107f39ee0
x20: 0x0000000000000000 x21: 0x0000000107f0d562 x22: 0x0000000000000000 x23: 0x0000000000000000
x24: 0x0000000000000000 x25: 0x0000000107f39ee8 x26: 0x0000000001120532 x27: 0x0000000107f39ee0
x28: 0x0000000000000006 fp: 0x000000016b2021a0 lr: 0xec195581991c851c
sp: 0x000000016b202150 pc: 0x00000001991c7384 cpsr: 0x20000000
far: 0x0000000107efcee0 esr: 0xf200c472 (Breakpoint) pointer authentication trap DA
Binary Images:
0x1991bc000 - 0x1991f5fff libobjc.A.dylib arm64e <10fa90c6dfe538aeb3dc2251181cc272> /usr/lib/libobjc.A.dylib
0x104d0c000 - 0x104d63fff dyld arm64e <c21dba379df93fc7b286734030e18bb1> /usr/lib/dyld
0x104c9c000 - 0x104ca3fff libinjector.dylib arm64e <5e17d7464bcc3356ad78321d55215bfc> /private/preboot/5A564AB6B67F73249711094FAA1C979FDD441F128A0E2EF535D5713F9F7A92BD2AFDAB32F6862A3587ADD8ECA5F649D9/jb-nJMZIL/procursus/usr/lib/ellekit/libinjector.dylib
0x104c40000 - 0x104c47fff systemhook.dylib arm64e <9bcc3df8d13230d1b4cc1cc5c0831ae4> /usr/lib/systemhook.dylib
EOF
Incident Identifier: 50D9A0C6-25E0-477D-A908-F36998F79996
CrashReporter Key: 0147f2ab04213c7d57e422d09fe72e559741bbcd
Hardware Model: iPhone13,4
Process: mediaserverd [5211]
Path: /usr/sbin/mediaserverd
Identifier: mediaserverd
Version: ???
Code Type: ARM-64 (Native)
Role: Unspecified
Parent Process: launchd [1]
Coalition: com.apple.mediaserverd [592]
Date/Time: 2023-07-16 17:00:24.9506 +0300
Launch Time: 2023-07-16 17:00:24.4799 +0300
OS Version: iPhone OS 15.1.1 (19B81)
Release Type: User
Baseband Version: 2.11.04
Report Version: 104
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x00000001991c7384
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: SIGNAL 5 Trace/BPT trap: 5
Terminating Process: exc handler [5211]
Triggered by Thread: 0
Application Specific Information:
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libobjc.A.dylib 0x1991c7384 readClass(objc_class*, bool, bool) + 116
1 libobjc.A.dylib 0x1991c851c map_images_nolock + 3080
2 libobjc.A.dylib 0x1991c851c map_images_nolock + 3080
3 libobjc.A.dylib 0x1991c923c map_images + 88
4 dyld 0x10484c2b8 dyld4::RuntimeState::notifyLoad(dyld3::Array<dyld4::Loader const*> const&) + 584
5 dyld 0x104851b44 dyld4::APIs::dlopen_from(char const*, int, void*) + 496
6 libinjector.dylib 0x1047dfabc injection_init + 2040
7 dyld 0x104850794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
8 dyld 0x104884364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
9 dyld 0x10484e490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
10 dyld 0x10484d698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
11 dyld 0x10484c9f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
12 dyld 0x104859ebc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
13 dyld 0x104856a10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
14 dyld 0x1048523c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
15 dyld 0x104858570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
16 dyld 0x104851b54 dyld4::APIs::dlopen_from(char const*, int, void*) + 512
17 systemhook.dylib 0x104783490 initializer + 500
18 dyld 0x104850794 invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
19 dyld 0x104884364 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
20 dyld 0x10484e490 invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
21 dyld 0x10484d698 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
22 dyld 0x10484c9f8 dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
23 dyld 0x104859ebc dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
24 dyld 0x104856a10 dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
25 dyld 0x1048523c4 dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const*>&) const + 208
26 dyld 0x104858570 dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const + 124
27 dyld 0x104877d44 dyld4::APIs::runAllInitializersForMain() + 312
28 dyld 0x1048633ac dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
29 dyld 0x104861a04 start + 488
Thread 0 crashed with ARM Thread State (64-bit):
x0: 0x0000000107ae5ee0 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0xfffffffffffffff6
x4: 0x0000000000000000 x5: 0x0000000000000000 x6: 0x0000000000000021 x7: 0x00000000000008f0
x8: 0x0000000107acdc48 x9: 0x000000016b7c6178 x10: 0x0000000000000006 x11: 0x0000000104e9c000
x12: 0x0000000104e98000 x13: 0x0000000000000066 x14: 0xe2d4577ee0bb8544 x15: 0x000067616e614d6e
x16: 0x00200001daa48160 x17: 0x00000001daa48160 x18: 0x0000000000000000 x19: 0x0000000107ae5ee0
x20: 0x0000000000000000 x21: 0x0000000107ab9562 x22: 0x0000000000000000 x23: 0x0000000000000000
x24: 0x0000000000000000 x25: 0x0000000107ae5ee8 x26: 0x0000000001120532 x27: 0x0000000107ae5ee0
x28: 0x0000000000000006 fp: 0x000000016b7c61a0 lr: 0xd352e481991c851c
sp: 0x000000016b7c6150 pc: 0x00000001991c7384 cpsr: 0x20000000
far: 0x0000000107aa8ee0 esr: 0xf200c472 (Breakpoint) pointer authentication trap DA
Binary Images:
0x1991bc000 - 0x1991f5fff libobjc.A.dylib arm64e <10fa90c6dfe538aeb3dc2251181cc272> /usr/lib/libobjc.A.dylib
0x104848000 - 0x10489ffff dyld arm64e <c21dba379df93fc7b286734030e18bb1> /usr/lib/dyld
0x1047d8000 - 0x1047dffff libinjector.dylib arm64e <5e17d7464bcc3356ad78321d55215bfc> /private/preboot/5A564AB6B67F73249711094FAA1C979FDD441F128A0E2EF535D5713F9F7A92BD2AFDAB32F6862A3587ADD8ECA5F649D9/jb-nJMZIL/procursus/usr/lib/ellekit/libinjector.dylib
0x10477c000 - 0x104783fff systemhook.dylib arm64e <9bcc3df8d13230d1b4cc1cc5c0831ae4> /usr/lib/systemhook.dylib
I am unable to get MSHookMessageEx or Logos hooking to work in a tweak. In this code, only "myTweak CTOR" is output in the console.
Notes:
TARGET = macosx::10.14
and ARCHS = x86_64
#include <Foundation/Foundation.h>
#include <objc/runtime.h>
#include <substrate.h>

%group mytweak
%hook someClass
- (BOOL)someMethod {
    NSLog(@"myTweak 1:%d", %orig());
    return TRUE;
}
%end
// end group
%end

BOOL (*oldMethod)(id self, SEL _cmd);
BOOL newMethod(id self, SEL _cmd) {
    NSLog(@"myTweak 2:%d", oldMethod(self, _cmd));
    return TRUE;
}

%ctor {
    NSLog(@"myTweak CTOR");
    MSHookMessageEx(objc_getClass("someClass"), @selector(someMethod), (IMP)newMethod, (IMP *)&oldMethod);
    %init(mytweak);
}
The project builds fine using Apple silicon, but when I try to build it on an Intel mac, I get this error:
MB:Source user$ xcodebuild -scheme loader
2023-09-27 11:54:43.475 xcodebuild[1648:21427] DVTCoreDeviceEnabledState: DVTCoreDeviceEnabledState_Disabled set via user default (DVTEnableCoreDevice=disabled)
Command line invocation:
/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -scheme loader
User defaults from command line:
IDEPackageSupportUseBuiltinSCM = YES
--- xcodebuild: WARNING: Using the first of multiple matching destinations:
{ platform:DriverKit, name:Any DriverKit Host }
{ platform:iOS, id:dvtdevice-DVTiPhonePlaceholder-iphoneos:placeholder, name:Any iOS Device }
{ platform:iOS Simulator, id:dvtdevice-DVTiOSDeviceSimulatorPlaceholder-iphonesimulator:placeholder, name:Any iOS Simulator Device }
{ platform:macOS, name:Any Mac }
{ platform:macOS, variant:Mac Catalyst, name:Any Mac }
Prepare packages
Computing target dependency graph and provisioning inputs
Create build description
Build description signature: 470200406204e2dcdfc682a6e828d283
Build description path: /Users/user/Library/Developer/Xcode/DerivedData/ellekit-bclcflmeasyekohhdvjuqrjxwjhj/Build/Intermediates.noindex/XCBuildData/470200406204e2dcdfc682a6e828d283.xcbuilddata
note: Building targets in dependency order
error: Entitlements are required for product type 'Command-line Tool' in SDK 'DriverKit 22.4'. (in target 'loader' from project 'ellekit')
** BUILD FAILED **
I have enabled arm64e new ABI, and SIP is disabled.
I get the same error with xcodebuild -scheme launchd, but xcodebuild -scheme ellekit-mac works fine.
Here's a loader binary that works:
loader.zip
Since the SSV security mechanism of iOS 15, jailbreaking has encountered great challenges and difficulties, but with the efforts of big names such as xina and opa334, we have seen a new dawn. They use the rootless mechanism to successfully avoid the restrictions of SSV, letting jailbreaking enter a new era.
But I have been very worried about the /var/jb root path. Rootless jailbreaks store all data and files in it, and it is a completely fixed path. All jailbreak apps, daemons and tweaks refer to this path, and it is hard-coded into the final released binaries.
So what is /var/jb? It is the interface of the rootless jailbreak; once the jailbreak community in the rootless era forms this specification, it is very difficult for anyone to change or adjust it.
But a fixed path is very easy to detect: only one line of code calling the access/stat function is needed, and any iOS development rookie can detect it.
Although we can temporarily remove the /var/jb symlink (like xina15 did), I think this is a lazy way, and it will cause two things that will be major trouble in the future:
1: It's really annoying that people have to repeatedly remove and restore it when opening different apps, and people get tired of it very quickly.
2: Almost all jailbreak apps, daemons and tweaks use this path; when you temporarily remove it, maybe a jailbreak app, daemon or tweak is accessing this path, or is about to access it, and then it will not be able to find it. This would create a confusing situation.
I think we have a better way to deal with this problem. First we add a random suffix to the /var/jb path, like /var/jb-xxxxx, and then use an environment variable as the rootless jailbreak interface. For example, we create an environment variable named "JBRoot" and set it to /var/jb-xxxx; we can also easily access this environment variable:
So what is the difference between this method and directly using the fixed path /var/jb?
The difference is that the fixed path /var/jb is visible to all processes, but environment variables can be set individually for each process. In the future, we can create a blacklist and choose to hide the "JBRoot" environment variable for some apps. In this way, they will not be able to detect the existence of /var/jb-xxxx, and this will not interfere with other rootless jailbreak apps', daemons' or tweaks' access to /var/jb-xxxx.
Why is hiding /var/jb so important and urgent?
Some people may ask: even if we hide /var/jb, there are still many other ways to detect a jailbreak, so why do we have to deal with /var/jb first?
First of all, data in the file system is the easiest to detect. As I said before, any rookie in iOS development can detect the existence of /var/jb with a single line of code. This will make detection of /var/jb very widespread and ubiquitous; eventually a large number of apps will detect this path, making the jailbreak difficult to use if /var/jb is not handled.
Secondly, the /var/jb path is used as the interface standard for rootless jailbreaks, and every jailbreak app/daemon/tweak will use it, hard-coded into the released binary, which means that if we do not deal with it now, we will not be able to deal with this problem in the future.
As a loyal jailbreak fan, I witnessed the brilliance of jailbreaking from iOS 5 to iOS 9, and also witnessed the wisdom of the jailbreak community starting from iOS 10, and starting from iOS 15 jailbreaking has entered a new era. I sincerely hope that the masters of the jailbreak community can consider this issue.
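The scheme proposed above, as an added C example that is not from the post and not part of ellekit: `jb_root_from()` accepts only a root of the shape `/var/jb-<suffix>` so a tampered variable cannot redirect tweaks elsewhere, `jb_root()` reads it from the `JBRoot` variable the post names and deliberately has no `/var/jb` fallback (a fixed fallback would hand a blacklisted app exactly the path it can probe), `jb_path_under()` builds a file path beneath the root for a tweak or daemon, and `is_path_present()` is the one-line `access()`/`stat()` check the post says any app can perform. The variable name and the `/var/jb-` prefix are the post's; the sample root, the sample tweak path and all function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define JBROOT_ENV    "JBRoot"     /* variable name proposed in the post */
#define JBROOT_PREFIX "/var/jb-"   /* randomised root shape proposed in the post */

/* Validate a candidate root value. Accepts only "/var/jb-<suffix>" where the
 * suffix is non-empty, a single path component, and free of "..", so a
 * tampered variable cannot point tweaks at an arbitrary directory.
 * Returns the value itself or NULL. */
const char *jb_root_from(const char *value)
{
    size_t prefix_len = strlen(JBROOT_PREFIX);
    if (value == NULL || strncmp(value, JBROOT_PREFIX, prefix_len) != 0)
        return NULL;
    const char *suffix = value + prefix_len;
    if (*suffix == '\0' || strchr(suffix, '/') != NULL || strstr(suffix, "..") != NULL)
        return NULL;
    return value;
}

/* Resolve this process's root from the environment. There is deliberately
 * no "/var/jb" fallback: a fixed fallback would give every process,
 * including one the variable was withheld from, a path it can probe. */
const char *jb_root(void)
{
    return jb_root_from(getenv(JBROOT_ENV));
}

/* Build "<root>/<relative>" from an explicit root value into out.
 * Returns 0 on success, -1 if the root is rejected or the result does not fit. */
int jb_path_under(char *out, size_t out_size, const char *root_value, const char *relative)
{
    const char *root = jb_root_from(root_value);
    if (root == NULL)
        return -1;
    while (*relative == '/')
        relative++;
    int n = snprintf(out, out_size, "%s/%s", root, relative);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Same, using the process environment, which is what a tweak would call. */
int jb_path(char *out, size_t out_size, const char *relative)
{
    return jb_path_under(out, out_size, getenv(JBROOT_ENV), relative);
}

/* The check the post warns about: a single access()/stat() on a fixed path.
 * Returns 1 if the path exists, 0 otherwise. */
int is_path_present(const char *path)
{
    struct stat st;
    return (access(path, F_OK) == 0 || stat(path, &st) == 0) ? 1 : 0;
}

/* Path of a constructed sample tweak under a given root value, in a static
 * buffer; NULL when the root is rejected or missing. */
const char *demo_tweak_path(const char *root_value)
{
    static char buf[256];
    if (jb_path_under(buf, sizeof buf, root_value, "usr/lib/TweakInject/Example.dylib") != 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed sample root; the suffix would be random on a real device. */
    const char *sample_root = "/var/jb-7f3a9c";
    printf("tweak with JBRoot:  %s\n", demo_tweak_path(sample_root));
    printf("app without JBRoot: %s\n", demo_tweak_path(NULL) ? "resolved" : "nothing to probe");
    printf("fixed /var/jb present: %d\n", is_path_present("/var/jb"));
    printf("%s present: %d\n", sample_root, is_path_present(sample_root));
    return 0;
}
```

The validation in `jb_root_from()` is the part worth keeping even if the rest changes: once the root comes from the environment, the environment becomes an input the launching process controls, so a tweak that trusts it blindly can be pointed at a directory of the caller's choosing.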
nx@NX ~ % sudo /usr/local/bin/loader
Password:
[+] got task 7683
[i] using path /Library/TweakInject/pspawn.dylib
[+] loader: started thread: 6151
[+] loader: converted thread state
zsh: killed sudo /usr/local/bin/loader
Just recently came across this project, it's very impressive!
ellekit/ellekit/Mach-O/Image.swift, lines 10 to 15 at 8c90474
I wasted 2 days debugging my tweak before I found this. 😭
iPad mini 5 (A12)
iPadOS 15.3.1
1. Jailbreak with Dopamine
2. Install ElleKit 1.0
3. Safe mode
Idk how to send logs. I would appreciate it if you could tell me.
Dude, it'd be so sick if you could help me get this to work in Fugu14 to achieve a proper untether!
I have absolutely no clue what I'm doing; this is what I've been able to botch together so far: https://github.com/SmartBoy84/Weazol
Trust cache injection works sometimes for some utilities but doesn't for others, daemon launching is unreliable, and the device will crash randomly.
Hello, I'm trying to build ellekit with safe mode disabled.
Now I have the dylibs, but how do I place them on my iOS 16.7 iPhone 8, jailbroken rootless with palera1n?
Is it just a matter of replacing them in the FS?
I installed ellekit with Zebra.
Thank you!!
Good afternoon,
On Serotonin/Bootstrap, I’ve been using AlarmTime successfully for a week or so and noticed today that the Clock app wouldn’t open.
Even with no tweaks injected, just having Clock enabled in Bootstrap, will crash the app. I did not notice this issue until updating to ElleKit 1.1.2, so I’m hoping to bring this to your attention.
Also: I restarted my device, and re-activated Bootstrap and Serotonin just to be totally sure it’s just an issue with Clock, and it is.
Which CLI command should we use to manually inject a dylib into apps? (Like cynject on unc0ver?)