https://iphonedev.wiki/api.php?action=feedcontributions&user=Indiekiduk&feedformat=atom
iPhone Development Wiki - User contributions [en], feed generated 2024-03-29T10:00:04Z, MediaWiki 1.39.6
https://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5495 Dyld shared cache, 2020-06-13T18:54:07Z
<p>Indiekiduk: </p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}

Since iPhone OS 3.1, all system libraries (public and private) have been combined into one big cache file to improve performance. The original files are redundant and are therefore eliminated from the system.

If you're looking for binaries or libraries inside <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't find them, this is why.

As of iOS 13.5, application code is also in frameworks inside the shared cache. The binaries you see in <tt>/Applications</tt> or <tt>/private/var/staged_system_apps</tt> are now just shims, so if you attempt to class-dump them it fails with an error that no ObjC section was found.

OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on disk, in particular so that the cache can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in the dyld man pages.

== Cache location ==

The cache is located at <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:

{| class="wikitable"
|-
! X
! Device ARM Architecture
|-
| v6
| ARMv6
|-
| v7
| rowspan="3" | ARMv7
|-
| v7s
|-
| v7k
|-
| 64
| ARMv8
|-
| 64e
| ARMv8.3
|}

== Cache extraction ==

It used to be possible to compile and link on an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache if a library is not available in the SDK.

Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.

Options:

* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from an iOS <= 6 cache file.
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but has no workaround for branch islands.
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8.
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build of Rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade works on macOS and provides a complete GUI. Clone the repo and run 'git submodule update --remote' before building. It was reported not to work on iOS 10.2's dyld_shared_cache_armv7s; it gave a 561.1MB executable file.
* [https://www.hopperapp.com Hopper] can open the cache file and lets you choose the binary you are interested in from a list of all binaries contained in the cache; the decompilation doesn't work correctly yet though.

=== Example usage for dsc_extractor ===

This is still a work in progress as of iOS 13.4.1: the binary output is not usable in either Hopper or class-dump.

This tool is different in that it dumps every binary in the cache, whereas the other tools allow extraction of individual binaries. We need to create a C++ file and use Apple's test program code to build an executable:

<source lang=bash>
cd Downloads
mkdir dsc_extractor
cd dsc_extractor
mate dsc_extractor.cpp
</source>

Copy and paste in the following Apple test program taken from the dyld package (instructions on how to download it yourself follow the code).

<source lang=c++>
// test program
#include <stdio.h>
#include <stddef.h>
#include <dlfcn.h>

typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,
                              void (^progress)(unsigned current, unsigned total));

int main(int argc, const char* argv[])
{
    if ( argc != 3 ) {
        fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");
        return 1;
    }

    // Load the extractor bundle that ships inside Xcode's iOS platform support
    //void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);
    void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);
    if ( handle == NULL ) {
        fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");
        return 1;
    }

    // Resolve the extraction entry point exported by the bundle
    extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");
    if ( proc == NULL ) {
        fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");
        return 1;
    }

    // Extract every dylib from argv[1] into argv[2], printing progress as "current/total"
    int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%u/%u\n", c, total); } );
    fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);
    return 0;
}
</source>

This test program was taken from dyld 733.6. Get the latest version by browsing the versions [https://opensource.apple.com/source/dyld/ here] and download it by swapping in the version number, e.g.:
<source lang=bash>
wget http://opensource.apple.com/tarballs/dyld/dyld-733.6.tar.gz
tar xvf dyld-733.6.tar.gz
cd dyld-733.6/launch_cache
mate dsc_extractor.cpp
</source>

Scroll to the bottom to find the test program code in the big comment.

Back to what we were doing: to build the file we created and install it:

<source lang=bash>
clang++ -o dsc_extractor dsc_extractor.cpp
mkdir -p ~/bin
cp dsc_extractor ~/bin/
chmod u+x ~/bin/dsc_extractor
</source>

To use it (change the iOS version to the one in your folder; Xcode copies the cache file from a connected device; the directory name contains spaces and parentheses, so it must be quoted):
<source lang=bash>
cd ~/Library/Developer/Xcode/iOS\ DeviceSupport/"13.4.1 (17E262)"
dsc_extractor Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Binaries
</source>

After a brief pause you'll see a lot of output as it dumps each binary, e.g.
<source lang=bash>
0/1805
1/1805
2/1805
3/1805
4/1805
5/1805
</source>

Now you can find all of the dumped binaries in the Binaries folder. The problem is that the binaries aren't usable in class-dump, which fails with "Cannot find offset", e.g.:

<source lang=bash>
class-dump -H Binaries/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit
2020-05-02 11:58:35.887 class-dump[47492:2792183] Error: Cannot find offset for address 0x201c9409718 in dataOffsetForAddress:
</source>
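As an added example (not code from this wiki or from any of the tools above), the following Python parses the leading fields of a dyld_shared_cache header, lists the images the cache contains and translates an unslid address into a file offset through the mapping table, which is the translation that the class-dump error above fails on when no mapping covers the address. The struct layout follows Apple's dyld-cache-format.h for the cache generation discussed here (newer caches moved the image list to later header fields), and the sample cache it runs on is constructed inside the script.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Leading fields of dyld_cache_header plus the dyld_cache_mapping_info and
# dyld_cache_image_info structs, laid out as in Apple's dyld-cache-format.h for
# the cache generation discussed on this page (newer caches moved the image list).
HEADER_FMT = "<16sIIIIQ"   # magic, mappingOffset, mappingCount, imagesOffset, imagesCount, dyldBaseAddress
MAPPING_FMT = "<QQQII"     # address, size, fileOffset, maxProt, initProt
IMAGE_FMT = "<QQQII"       # address, modTime, inode, pathFileOffset, pad
MAPPING_SIZE = struct.calcsize(MAPPING_FMT)
IMAGE_SIZE = struct.calcsize(IMAGE_FMT)

@dataclass
class Mapping:
    address: int       # unslid virtual address the region is mapped at
    size: int
    file_offset: int

@dataclass
class Image:
    address: int       # unslid address of the image's mach_header inside the cache
    path: str

@dataclass
class SharedCache:
    arch: str
    mappings: List[Mapping]
    images: List[Image]

def parse_cache(data: bytes) -> SharedCache:
    """Parse the header, mapping table and image table of an in-memory cache file."""
    magic, map_off, map_cnt, img_off, img_cnt, _dyld_base = struct.unpack_from(HEADER_FMT, data, 0)
    if not magic.startswith(b"dyld_v"):
        raise ValueError("not a dyld shared cache: bad magic %r" % magic)
    # magic looks like b"dyld_v1   arm64\0"; its last token names the architecture
    arch = magic.rstrip(b"\0").split()[-1].decode()

    mappings = []
    for i in range(map_cnt):
        addr, size, file_off, _maxprot, _initprot = struct.unpack_from(MAPPING_FMT, data, map_off + i * MAPPING_SIZE)
        mappings.append(Mapping(addr, size, file_off))

    images = []
    for i in range(img_cnt):
        addr, _mtime, _inode, path_off, _pad = struct.unpack_from(IMAGE_FMT, data, img_off + i * IMAGE_SIZE)
        end = data.index(b"\0", path_off)        # install paths are NUL-terminated C strings
        images.append(Image(addr, data[path_off:end].decode()))
    return SharedCache(arch, mappings, images)

def address_to_offset(cache: SharedCache, vmaddr: int) -> Optional[int]:
    """Translate an unslid cache address to a file offset via the mapping table.
    None means no mapping covers it: the case class-dump reports as "Cannot find offset"."""
    for m in cache.mappings:
        if m.address <= vmaddr < m.address + m.size:
            return m.file_offset + (vmaddr - m.address)
    return None

def find_image(cache: SharedCache, path: str) -> Optional[Image]:
    """Look up one image by install path, e.g. the framework you want to extract."""
    return next((img for img in cache.images if img.path == path), None)

def build_sample_cache() -> bytes:
    """Constructed sample (not a real cache): one arm64 mapping and two images."""
    paths = [b"/System/Library/Frameworks/UIKit.framework/UIKit",
             b"/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit"]
    base = 0x180000000                           # typical unslid arm64 cache base
    map_off = struct.calcsize(HEADER_FMT)
    img_off = map_off + MAPPING_SIZE
    str_off = img_off + len(paths) * IMAGE_SIZE
    blob = bytearray(struct.pack(HEADER_FMT, b"dyld_v1   arm64".ljust(16, b"\0"),
                                 map_off, 1, img_off, len(paths), 0))
    blob += struct.pack(MAPPING_FMT, base, 0x1000, 0, 5, 5)   # r-x region that holds the header
    path_pos = str_off
    for i, p in enumerate(paths):
        blob += struct.pack(IMAGE_FMT, base + 0x100 * (i + 1), 0, 0, path_pos, 0)
        path_pos += len(p) + 1
    for p in paths:
        blob += p + b"\0"
    blob += b"\0" * (0x1000 - len(blob))         # pad out to the mapping size
    return bytes(blob)

if __name__ == "__main__":
    cache = parse_cache(build_sample_cache())
    print("arch:", cache.arch)
    for img in cache.images:
        print("0x%x -> file offset %s  %s" % (img.address, address_to_offset(cache, img.address), img.path))
    # An address no mapping covers, like the one in the class-dump error above, gives None
    print("0x201c9409718 ->", address_to_offset(cache, 0x201c9409718))
```

To run it against a real cache, read the file into `data` and call `parse_cache(data)`; the image addresses it returns are unslid, so a cache copied from a running device with the slide applied (see Cache retrieval below) will not translate correctly.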

=== Example usage for decache ===

This will extract the binary of the private framework SpringBoardServices:

<source lang=bash>
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices
</source>

If you get a message about an unsupported load command, ignore it. decache does not support some newer Mach-O load commands, so the extracted binary probably won't run in most cases, but for linking or reverse-engineering purposes it is still usable.

=== Example usage for jtool ===

To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):

<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source>

An example of one way to dump all the binaries at once (be careful with this, it creates huge files):

<source lang=bash>
cache=dyld_shared_cache_arm64
mkdir -p extracted
# list the images in the cache, then extract each one into a matching directory tree
jtool -lv "$cache" | cut -c 24- | tail -n +5 | while read -r line; do
    mkdir -p extracted/"$(dirname "$line")"
    jtool -extract "$line" "$cache"
    mv "$cache.$(basename "$line")" extracted/"$line"
done
</source>

==== Problems with jtool ====

Please be aware that decache currently (16.04.15) produces better and more usable results than jtool, as jtool fails to resolve and fix the "uniqued" Objective-C selectors correctly.

Apple "uniques" Objective-C selectors that are used in more than one place, such as "alloc" (alloc is used almost everywhere), into a single one. When extracting an image from the cache, the address of such a shared selector will most likely no longer be in the extracted image, so this needs to be fixed, which jtool apparently fails to do. (For more information see http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp, look at the class ObjCSelectorUniquer.)

==== Not working since iOS 11 ====

jtool2 is the newer version. This user reports that it does not work on the iOS 11 shared cache: it shows the warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO...": http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183 The same error still occurs on the cache from iOS 13.

<source lang=bash>
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file
0x176d9000-0x17731000 __TEXT (360448 bytes)
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)
0x30571f60-0x30575f60 __DATA (16384 bytes)
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)
0x34689f18-0x346912f8 Symbol Table (29664 bytes)
0x35a46500-0x35a46b90 Function Starts (1680 bytes)
0x35bb1930-0x35bb1960 Data In Code (48 bytes)
0x35d66710-0x37029aba String Table (19674026 bytes)
LC_DYLD_INFO...
</source>

== Cache retrieval ==

Since ASLR was implemented in iOS, trivial ways to pull the cache off the device have produced a "broken" cache, which can't be processed correctly by the aforementioned tools. This is because when the cache is read by a process in which ASLR is enabled, the ASLR offset is applied to the cache as well. To circumvent this issue and pull a "valid" shared cache off the device, there are several options:

* Copy the cache off the device using a program for which ASLR has been explicitly disabled, by building it with the <tt>-mdynamic-no-pic</tt> compile flag.
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine); on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.
* Pull the cache off a decrypted root filesystem DMG, which you can find inside the IPSW.
* Use the copy that is probably lying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.

Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.

== Class dumping ==

See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].

== External Links ==

* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>
Indiekiduk
https://iphonedev.wiki/index.php?title=WiFiKit.framework&diff=5460 WiFiKit.framework, 2020-05-09T22:27:29Z
<p>Indiekiduk: Info on AirPortSettings.bundle</p>
<hr />
<div>'''WiFiKit''' is a private framework that provides a high-level ObjC API on top of [[MobileWiFi.framework]]. Its functionality used to live in AirPortSettings.bundle, but it has now been factored out into this new framework; AirPortSettings now contains just one class, APNetworksController, which uses WFNetworkListController from this framework.

It requires the ''com.apple.wifi.manager-access'' entitlement.

<source lang=objc>
#import <WiFiKit/WiFiKit.h>

@interface AppDelegate () <WFScanManagerDelegate>

@property (strong, nonatomic) WFScanManager *scanManager;

@end

@implementation AppDelegate

// Lazily create the scan manager; the classes are looked up by name at runtime
- (WFScanManager *)scanManager {
    if (!_scanManager) {
        Class WFClientClass = NSClassFromString(@"WFClient"); // Because I can't yet link the framework.
        WFClient *client = [WFClientClass.alloc init];
        Class WFScanManagerClass = NSClassFromString(@"WFScanManager");
        // scanInterval is in seconds
        _scanManager = [WFScanManagerClass.alloc initWithClient:client scanInterval:6 delegate:self]; // minimum 6
    }
    return _scanManager;
}

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    [self.scanManager start];
    return YES;
}

// called first for 2.4GHz then second for 5GHz
- (void)scanManager:(WFScanManager *)scanManager updatedPartialResults:(NSSet<WFNetworkScanRecord *> *)partialResults {
    NSLog(@"%@", NSStringFromSelector(_cmd));
}

// called immediately after 5GHz partial
- (void)scanManagerScanningDidFinish:(WFScanManager *)scanManager withResults:(NSSet<WFNetworkScanRecord *> *)results error:(NSError *)error {
    NSLog(@"%@", NSStringFromSelector(_cmd));
}
</source>

== References ==
* Header: https://github.com/lechium/tvOS130Headers/blob/master/System/Library/PrivateFrameworks/WiFiKit.framework/WFScanManager.h</div>
Indiekiduk
https://iphonedev.wiki/index.php?title=MobileWiFi.framework&diff=5457 MobileWiFi.framework, 2020-05-07T22:16:19Z
<p>Indiekiduk: </p>
<hr />
<div>{{infobox Framework
| vis = Private
| since = 3.0
}}

'''MobileWiFi''' is the framework that manages WiFi functionality on iOS. It powers [[WiFiPicker.servicebundle]], the Wi-Fi settings page and more. Its main purpose is to be a front-end to [[wifid]], which acquires its data directly from the kernel drivers. It replaces the obsolete '''Apple80211''' framework, but Apple80211's methods are still available in IPConfiguration.bundle and bypass wifid.

MobileWiFi is a C API, but [[WiFiKit.framework]] offers its functionality as a higher-level ObjC API.

For examples on how to use this framework, see the [[#Example Code | Example Code]] section of this page.

* '''Note''': Your program needs the ''com.apple.wifi.manager-access'' entitlement to use '''any''' of the WiFiManager functions.

= Example Code =

This section includes example code that uses this framework. For more in-depth examples, see the following open-source projects:
* [https://github.com/Cykey/wifi WiFi]
* [https://github.com/Cykey/airscan Airscan]

== Retrieving a list of known networks ==
<source lang="c">
#import <Foundation/Foundation.h>
#include <MobileWiFi.h>

int main(int argc, char **argv)
{
    // Requires the com.apple.wifi.manager-access entitlement
    WiFiManagerRef manager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);

    // Networks the device has previously joined
    CFArrayRef networks = WiFiManagerClientCopyNetworks(manager);

    NSLog(@"networks: %@", networks);

    if (networks) CFRelease(networks);
    CFRelease(manager);
    return 0;
}
</source>

== Getting the WiFi signal strength ==
<source lang="c">
#import <Foundation/Foundation.h>   // also provides the MAX/MIN macros
#include <math.h>
#include <stdio.h>
#include <MobileWiFi.h>

int main(int argc, char **argv)
{
    WiFiManagerRef manager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);
    CFArrayRef devices = WiFiManagerClientCopyDevices(manager);
    if (!devices || CFArrayGetCount(devices) == 0) {
        fprintf(stderr, "No WiFi devices found.\n");
        return 1;
    }

    WiFiDeviceClientRef client = (WiFiDeviceClientRef)CFArrayGetValueAtIndex(devices, 0);
    // "RSSI" is a dictionary of raw readings; kWiFiScaledRSSIKey is a single scaled float
    CFDictionaryRef data = (CFDictionaryRef)WiFiDeviceClientCopyProperty(client, CFSTR("RSSI"));
    CFNumberRef scaled = (CFNumberRef)WiFiDeviceClientCopyProperty(client, kWiFiScaledRSSIKey);
    if (!data || !scaled) {
        fprintf(stderr, "RSSI properties unavailable.\n");
        return 1;
    }

    CFNumberRef RSSI = (CFNumberRef)CFDictionaryGetValue(data, CFSTR("RSSI_CTL_AGR"));

    int raw;
    CFNumberGetValue(RSSI, kCFNumberIntType, &raw);

    float strength;
    CFNumberGetValue(scaled, kCFNumberFloatType, &strength);

    strength *= -1;

    // Apple uses -3.0.
    int bars = (int)ceilf(strength * -3.0f);
    bars = MAX(1, MIN(bars, 3));

    printf("WiFi signal strength: %d dBm\n\t Bars: %d\n", raw, bars);

    // Release each Copy* result exactly once
    CFRelease(data);
    CFRelease(scaled);
    CFRelease(devices);
    CFRelease(manager);
    return 0;
}
</source>

== Scanning for nearby networks ==

<source lang="c">
#import <Foundation/Foundation.h>
#include <stdio.h>
#include <stdlib.h>
#include <MobileWiFi.h>

static WiFiManagerRef _manager;
static void scan_callback(WiFiDeviceClientRef device, CFArrayRef results, CFErrorRef error, void *token);

int main(int argc, char **argv)
{
    _manager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);

    CFArrayRef devices = WiFiManagerClientCopyDevices(_manager);
    if (!devices || CFArrayGetCount(devices) == 0) {
        fprintf(stderr, "Couldn't get WiFi devices. Bailing.\n");
        exit(EXIT_FAILURE);
    }

    WiFiDeviceClientRef client = (WiFiDeviceClientRef)CFArrayGetValueAtIndex(devices, 0);

    // The scan is asynchronous: the manager must be scheduled on a run loop for the callback to fire
    WiFiManagerClientScheduleWithRunLoop(_manager, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);
    // An empty parameter dictionary requests a default scan
    WiFiDeviceClientScanAsync(client, (CFDictionaryRef)[NSDictionary dictionary], scan_callback, 0);

    CFRelease(devices);

    CFRunLoopRun();

    return 0;
}

static void scan_callback(WiFiDeviceClientRef device, CFArrayRef results, CFErrorRef error, void *token)
{
    if (error) {
        NSLog(@"Scan failed: %@", error);
    } else {
        NSLog(@"Finished scanning! networks: %@", results);
    }

    WiFiManagerClientUnscheduleFromRunLoop(_manager);
    CFRelease(_manager);

    CFRunLoopStop(CFRunLoopGetCurrent());
}
</source>

== References ==
* Header: https://github.com/Cykey/ios-reversed-headers/blob/master/MobileWiFi/MobileWiFi.h

{{Navbox Frameworks}}</div>Indiekidukhttps://iphonedev.wiki/index.php?title=MobileWiFi.framework&diff=5456MobileWiFi.framework2020-05-07T22:14:45Z<p>Indiekiduk: Added WiFiKit</p>
<hr />
<div>{{infobox Framework<br />
| vis = Private<br />
| since = 3.0<br />
}}<br />
<br />
'''MobileWiFi''' is the framework that manages WiFi functionality on iOS. It powers [[WiFiPicker.servicebundle]], the Wi-Fi settings page and more. Its main purpose is to be a front-end to [[wifid]], which acquires its data directly from the kernel drivers. It replaces the obsolete '''Apple80211''' framework, but its methods are still available in IPConfiguration.bundle and bypasses wifid.<br />
<br />
MobileWiFi is a C API but [[WiFiKit]] offers its functionality in a higher level ObjC API.<br />
<br />
For examples on how to use this framework, see the [[#Example Code | Example Code]] section of this page.<br />
<br />
* '''Note''': Your program needs the ''com.apple.wifi.manager-access'' entitlement to use '''any''' of the WiFiManager functions.<br />
<br />
= Example Code =<br />
<br />
This section includes example code that uses this framework. For more in-depth examples, see the following open-source projects:<br />
* [https://github.com/Cykey/wifi WiFi]<br />
* [https://github.com/Cykey/airscan Airscan]<br />
<br />
== Retrieving a list of known networks ==<br />
<source lang="c"><br />
#include <MobileWiFi.h><br />
<br />
WiFiManagerRef manager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);<br />
<br />
CFArrayRef networks = WiFiManagerClientCopyNetworks(manager);<br />
<br />
NSLog(@"networks: %@", networks);<br />
<br />
CFRelease(manager);<br />
CFRelease(networks);<br />
</source><br />
<br />
== Getting the WiFi signal strength ==<br />
<source lang="c"><br />
#include <math.h><br />
#include <MobileWiFi.h><br />
<br />
WiFiManagerRef manager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);<br />
CFArrayRef devices = WiFiManagerClientCopyDevices(manager);<br />
<br />
WiFiDeviceClientRef client = (WiFiDeviceClientRef)CFArrayGetValueAtIndex(devices, 0);<br />
CFDictionaryRef data = (CFDictionaryRef)WiFiDeviceClientCopyProperty(client, CFSTR("RSSI"));<br />
CFNumberRef scaled = (CFNumberRef)WiFiDeviceClientCopyProperty(client, kWiFiScaledRSSIKey);<br />
<br />
CFNumberRef RSSI = (CFNumberRef)CFDictionaryGetValue(data, CFSTR("RSSI_CTL_AGR"));<br />
<br />
int raw;<br />
CFNumberGetValue(RSSI, kCFNumberIntType, &raw);<br />
<br />
float strength;<br />
CFNumberGetValue(scaled, kCFNumberFloatType, &strength);<br />
CFRelease(scaled);<br />
<br />
strength *= -1;<br />
<br />
// Apple uses -3.0.<br />
int bars = (int)ceilf(strength * -3.0f);<br />
bars = MAX(1, MIN(bars, 3));<br />
<br />
<br />
printf("WiFi signal strength: %d dBm\n\t Bars: %d\n", raw, bars);<br />
<br />
CFRelease(data);<br />
CFRelease(scaled);<br />
CFRelease(devices);<br />
CFRelease(manager);<br />
<br />
</source><br />
<br />
== Scanning for nearby networks ==<br />
<br />
<source lang="c"><br />
<br />
#include <MobileWiFi.h><br />
<br />
static WiFiManagerRef _manager;<br />
static void scan_callback(WiFiDeviceClientRef device, CFArrayRef results, CFErrorRef error, void *token);<br />
<br />
int main(int argc, char **argv)<br />
{<br />
_manager = WiFiManagerClientCreate(kCFAllocatorDefault, 0);<br />
<br />
CFArrayRef devices = WiFiManagerClientCopyDevices(_manager);<br />
if (!devices) {<br />
fprintf(stderr, "Couldn't get WiFi devices. Bailing.\n");<br />
exit(EXIT_FAILURE);<br />
}<br />
<br />
WiFiDeviceClientRef client = (WiFiDeviceClientRef)CFArrayGetValueAtIndex(devices, 0);<br />
<br />
WiFiManagerClientScheduleWithRunLoop(_manager, CFRunLoopGetCurrent(), kCFRunLoopDefaultMode);<br />
WiFiDeviceClientScanAsync(client, (CFDictionaryRef)[NSDictionary dictionary], scan_callback, 0);<br />
<br />
CFRelease(devices);<br />
<br />
CFRunLoopRun();<br />
<br />
return 0;<br />
}<br />
<br />
static void scan_callback(WiFiDeviceClientRef device, CFArrayRef results, CFErrorRef error, void *token)<br />
{<br />
NSLog(@"Finished scanning! networks: %@", results);<br />
<br />
WiFiManagerClientUnscheduleFromRunLoop(_manager);<br />
CFRelease(_manager);<br />
<br />
CFRunLoopStop(CFRunLoopGetCurrent());<br />
}<br />
</source><br />
<br />
== References ==<br />
* Header: https://github.com/Cykey/ios-reversed-headers/blob/master/MobileWiFi/MobileWiFi.h<br />
<br />
{{Navbox Frameworks}}</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5455Dyld shared cache2020-05-07T16:30:57Z<p>Indiekiduk: /* Cache extraction */ added Hopper</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|-<br />
| 64e<br />
| ARMv8.3<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from iOS <= 6 cache file.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but without branch islands workaround.<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8. <br />
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build version of rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade that works on macOS and provides a complete GUI. Clone repo and do 'git submodule update --remote' before buidling. It was reported to be not working on iOS 10.2's dyld_shared_cache_armv7s; gave a 561.1MB executable file. <br />
* [https://www.hopperapp.com Hopper] can open the cache file and lets you choose the binary you are interested in from a list of all binaries contained in the cache, the decompilation doesn't work correctly yet though.<br />
<br />
== Example usage for dsc_extractor ==<br />
<br />
Sorry this is still work in progress as of iOS 13.4.1 - the binary output is not usable for either Hopper or class-dump.<br />
<br />
This tool is different in that it dumps every binary in the cache compared to other tools that allow extraction of individual binaries. We need to create a c++ file and use Apple's test program code to build an executable:<br />
<br />
<source lang=bash><br />
cd Downloads <br />
mkdir dsc_extractor<br />
cd dsc_extractor<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Copy and paste in the following Apple test program taken from the dyld package (look after the code for instructions on how to download it yourself).<br />
<br />
<source lang=c++><br />
// test program<br />
#include <stdio.h><br />
#include <stddef.h><br />
#include <dlfcn.h><br />
<br />
// Signature of the entry point exported by dsc_extractor.bundle. The last<br />
// argument is a block, so this has to be compiled with clang.<br />
typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,<br />
                              void (^progress)(unsigned current, unsigned total));<br />
<br />
int main(int argc, const char* argv[])<br />
{<br />
    if ( argc != 3 ) {<br />
        fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");<br />
        return 1;<br />
    }<br />
<br />
    // Load the extractor bundle that ships inside Xcode's iPhoneOS platform.<br />
    //void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);<br />
    void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);<br />
    if ( handle == NULL ) {<br />
        fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");<br />
        return 1;<br />
    }<br />
<br />
    // Look up the extraction function by name.<br />
    extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");<br />
    if ( proc == NULL ) {<br />
        fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");<br />
        return 1;<br />
    }<br />
<br />
    // Extract every dylib in argv[1] into the directory tree rooted at argv[2],<br />
    // printing "current/total" as each one is written.<br />
    int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%u/%u\n", c, total); } );<br />
    fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);<br />
    return 0;<br />
}<br />
</source><br />
<br />
This test program was taken from dyld 733.6. To get the latest, browse the versions [https://opensource.apple.com/source/dyld/ here] and download one by swapping in its version number, e.g.:<br />
<source lang=bash><br />
wget http://opensource.apple.com/tarballs/dyld/dyld-733.6.tar.gz<br />
tar xvf dyld-733.6.tar.gz<br />
cd dyld-733.6/launch_cache<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Scroll to the bottom to find the test program code in the big comment.<br />
<br />
Back to building the file we created and installing it:<br />
<br />
<source lang=bash><br />
clang++ -o dsc_extractor dsc_extractor.cpp<br />
mkdir -p ~/bin<br />
cp dsc_extractor ~/bin/<br />
chmod u+x ~/bin/dsc_extractor<br />
</source><br />
<br />
To use it (change the iOS version to the one in your folder; Xcode copies the cache file from a connected device):<br />
<source lang=bash><br />
cd ~/"Library/Developer/Xcode/iOS DeviceSupport/13.4.1 (17E262)"<br />
dsc_extractor Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Binaries<br />
</source><br />
<br />
After a brief pause you'll see a lot of output as it dumps each binary, e.g.<br />
<source lang=bash><br />
0/1805<br />
1/1805<br />
2/1805<br />
3/1805<br />
4/1805<br />
5/1805<br />
</source><br />
<br />
All of the dumped binaries are now in the Binaries folder. The problem is that they aren't usable with class-dump, which fails with "Cannot find offset", e.g.:<br />
<br />
<source lang=bash><br />
class-dump -H Binaries/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit <br />
2020-05-02 11:58:35.887 class-dump[47492:2792183] Error: Cannot find offset for address 0x201c9409718 in dataOffsetForAddress:<br />
</source><br />
<br />
== Example usage for decache ==<br />
<br />
This extracts the binary of the private framework SpringBoardServices:<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer Mach-O load commands, so the extracted binary will probably not run in most cases, but it is still usable for linking or reverse-engineering purposes.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
cache=dyld_shared_cache_arm64<br />
mkdir -p extracted<br />
# skip jtool's header lines and the leading columns, leaving one image path per line<br />
jtool -lv "$cache" | cut -c 24- | tail -n +5 | while read -r line; do<br />
    mkdir -p extracted/"$(dirname "$line")"<br />
    jtool -extract "$line" "$cache"<br />
    mv "$cache.$(basename "$line")" extracted/"$line"<br />
done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Be aware that, as of 16.04.15, decache produces better and more usable results than jtool, because jtool fails to resolve and fix the "uniqued" Objective-C selectors correctly.<br />
<br />
Apple "uniques" Objective-C selectors that are used in more than one place, such as "alloc" (used almost everywhere), into a single copy. When an image is extracted from the cache, the address of such a shared selector will most likely no longer lie inside the extracted image, so it needs to be fixed up, which jtool apparently fails to do. (For more information, look at the class ObjCSelectorUniquer in http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp.)<br />
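The fix-up described above, as an added example that is not decache's, jtool's or Apple's code: the extracted image is scanned for __objc_selrefs pointers that land outside its own vm range, the selector string is copied from the cache into a new local area appended to the extracted image, and the pointer is rewritten. The cache is a constructed two-image model with one flat mapping; the `Image` class, `extract_image` and all offsets are assumptions made for the demo.<br />
<br />
```python
import struct

# 64-bit little-endian pointer, as in an arm64 cache.
PTR = struct.Struct("<Q")


class Image:
    """One dylib in the constructed cache model: a contiguous vm range backed by a file range."""

    def __init__(self, name, vm_base, file_off, size, selrefs_off, selrefs_count):
        self.name = name
        self.vm_base = vm_base
        self.file_off = file_off
        self.size = size
        self.selrefs_off = selrefs_off        # image-relative offset of __objc_selrefs
        self.selrefs_count = selrefs_count    # number of 8-byte selector pointers there

    def contains(self, vm_addr):
        return self.vm_base <= vm_addr < self.vm_base + self.size


def read_cstring(cache, file_off):
    """Read a NUL-terminated selector name from the cache bytes."""
    return cache[file_off:cache.index(b"\0", file_off)]


def vm_to_file(images, vm_addr):
    """Translate a cache vm address to a file offset (one flat mapping assumed)."""
    for img in images:
        if img.contains(vm_addr):
            return img.file_off + (vm_addr - img.vm_base)
    raise ValueError("vm address 0x%x is not inside any image" % vm_addr)


def extract_image(cache, images, target):
    """Copy `target` out of the cache and re-localise its uniqued selectors.

    Returns (extracted bytes, {selector name: new local vm address}).
    """
    out = bytearray(cache[target.file_off:target.file_off + target.size])
    relocated = {}
    for i in range(target.selrefs_count):
        off = target.selrefs_off + i * PTR.size
        (sel_addr,) = PTR.unpack_from(out, off)
        if target.contains(sel_addr):
            continue                                   # string is already local
        name = read_cstring(cache, vm_to_file(images, sel_addr))
        if name not in relocated:
            # Append a private copy of the string and remember where it landed.
            relocated[name] = target.vm_base + len(out)
            out += name + b"\0"
        PTR.pack_into(out, off, relocated[name])       # point the selref at the copy
    return bytes(out), relocated


def selrefs_all_local(image_bytes, image):
    """True when every selref points inside the (possibly grown) image."""
    for i in range(image.selrefs_count):
        (addr,) = PTR.unpack_from(image_bytes, image.selrefs_off + i * PTR.size)
        if not image.vm_base <= addr < image.vm_base + len(image_bytes):
            return False
    return True


def build_sample_cache():
    """Constructed two-image cache: B's 'alloc' and 'init' selrefs point into A (uniqued)."""
    a = Image("A.dylib", 0x1000, 0x00, 0x40, selrefs_off=0x20, selrefs_count=2)
    b = Image("B.dylib", 0x2000, 0x40, 0x40, selrefs_off=0x20, selrefs_count=3)
    cache = bytearray(0x80)
    cache[0x00:0x0B] = b"alloc\0init\0"      # A's __objc_methname (canonical copies)
    PTR.pack_into(cache, 0x20, 0x1000)        # A selref: alloc
    PTR.pack_into(cache, 0x28, 0x1006)        # A selref: init
    cache[0x40:0x4C] = b"viewDidLoad\0"       # B's __objc_methname
    PTR.pack_into(cache, 0x60, 0x1000)        # B selref: alloc -> lives in A
    PTR.pack_into(cache, 0x68, 0x2000)        # B selref: viewDidLoad (local)
    PTR.pack_into(cache, 0x70, 0x1006)        # B selref: init -> lives in A
    return bytes(cache), [a, b]


if __name__ == "__main__":
    cache, images = build_sample_cache()
    raw = cache[images[1].file_off:images[1].file_off + images[1].size]
    fixed, moved = extract_image(cache, images, images[1])
    print("raw slice selrefs local:", selrefs_all_local(raw, images[1]))      # False
    print("fixed image selrefs local:", selrefs_all_local(fixed, images[1]))  # True
    for name, addr in moved.items():
        print("%s -> 0x%x" % (name.decode(), addr))
```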
<br />
=== Not working since iOS 11 ===<br />
<br />
jtool2 is the newer version; this user reports it not working on the iOS 11 shared cache: it shows the warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO...": http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183 The same error still occurs on the cache from iOS 13.<br />
<br />
<source lang=bash><br />
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64 <br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file<br />
0x176d9000-0x17731000 __TEXT (360448 bytes)<br />
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)<br />
0x30571f60-0x30575f60 __DATA (16384 bytes)<br />
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)<br />
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)<br />
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)<br />
0x34689f18-0x346912f8 Symbol Table (29664 bytes)<br />
0x35a46500-0x35a46b90 Function Starts (1680 bytes)<br />
0x35bb1930-0x35bb1960 Data In Code (48 bytes)<br />
0x35d66710-0x37029aba String Table (19674026 bytes)<br />
LC_DYLD_INFO...<br />
</source><br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was introduced in iOS, the trivial ways of pulling the cache off the device yield a "broken" cache that the aforementioned tools can't process correctly: when the cache is read by a process in which ASLR is enabled, an offset is applied to the cache's contents too. To pull a "valid" shared cache off the device instead, there are several options:<br />
<br />
* Copy the cache off the device using a program in which ASLR has been explicitly disabled, built with the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers that use an AFC connection are fine); on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG, which you can find inside the IPSW.<br />
* Use the copy that is probably lying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
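Both the image listing that the jtool loop above walks and the question of whether a pulled copy is intact come down to reading the cache header. As an added example that is not the wiki's, jtool's or Apple's code, a Python parser for the leading header fields, the mapping table and the image list, with the struct layouts of dyld's dyld_cache_format.h for the dyld 733 era; the check reports mappings that fall outside the file (the condition jtool warns about) and image addresses outside every mapping. The sample cache is constructed inline.<br />
<br />
```python
import struct

# Leading fields of dyld_cache_header, dyld_cache_mapping_info and dyld_cache_image_info as
# laid out in dyld's dyld_cache_format.h for the dyld 733 era (little-endian).
HEADER = struct.Struct("<16sIIIIQ")   # magic, mappingOffset, mappingCount, imagesOffset, imagesCount, dyldBaseAddress
MAPPING = struct.Struct("<QQQII")     # address, size, fileOffset, maxProt, initProt
IMAGE = struct.Struct("<QQQII")       # address, modTime, inode, pathFileOffset, pad


def parse_cache(data):
    """Return (magic, [mapping tuples], [(image address, path)]) from raw cache bytes."""
    magic, map_off, map_cnt, img_off, img_cnt, _base = HEADER.unpack_from(data, 0)
    if not magic.startswith(b"dyld_v1"):
        raise ValueError("not a dyld shared cache, magic is %r" % magic)
    mappings = [MAPPING.unpack_from(data, map_off + i * MAPPING.size) for i in range(map_cnt)]
    images = []
    for i in range(img_cnt):
        addr, _mtime, _inode, path_off, _pad = IMAGE.unpack_from(data, img_off + i * IMAGE.size)
        path = data[path_off:data.index(b"\0", path_off)].decode()
        images.append((addr, path))
    return magic.rstrip(b"\0").decode(), mappings, images


def check_cache(data):
    """Consistency problems a copied cache can show; an empty list means it looks usable."""
    problems = []
    _magic, mappings, images = parse_cache(data)
    for addr, size, file_off, _maxp, _initp in mappings:
        if file_off + size > len(data):              # what jtool reports as "falls outside file"
            problems.append("mapping 0x%x: 0x%x bytes at file offset 0x%x exceed file length 0x%x"
                            % (addr, size, file_off, len(data)))
    for addr, path in images:
        if not any(m_addr <= addr < m_addr + m_size for m_addr, m_size, *_ in mappings):
            problems.append("%s: address 0x%x lies outside every mapping" % (path, addr))
    return problems


def build_sample_cache(truncate=False):
    """Constructed minimal arm64 cache: one r-x mapping covering the file and two images."""
    base = 0x180000000
    size = 0x4000
    map_off = HEADER.size
    img_off = map_off + MAPPING.size
    paths_off = img_off + 2 * IMAGE.size
    p1 = b"/usr/lib/libSystem.B.dylib\0"
    p2 = b"/System/Library/Frameworks/UIKit.framework/UIKit\0"
    data = bytearray(size)
    HEADER.pack_into(data, 0, b"dyld_v1   arm64".ljust(16, b"\0"), map_off, 1, img_off, 2, base)
    MAPPING.pack_into(data, map_off, base, size, 0, 5, 5)
    IMAGE.pack_into(data, img_off, base + 0x1000, 0, 0, paths_off, 0)
    IMAGE.pack_into(data, img_off + IMAGE.size, base + 0x2000, 0, 0, paths_off + len(p1), 0)
    data[paths_off:paths_off + len(p1) + len(p2)] = p1 + p2
    # A copy cut short halfway through, as a pull that stopped early would leave it.
    return bytes(data[:size // 2]) if truncate else bytes(data)


if __name__ == "__main__":
    magic, mappings, images = parse_cache(build_sample_cache())
    print(magic)
    for addr, path in images:                     # the same listing `jtool -lv` walks
        print("0x%x %s" % (addr, path))
    print(check_cache(build_sample_cache(truncate=True)))
```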
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.<br />
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5450Dyld shared cache2020-05-02T11:17:30Z<p>Indiekiduk: /* Example usage for dsc_extractor */</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|-<br />
| 64e<br />
| ARMv8.3<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from iOS <= 6 cache file.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but without branch islands workaround.<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8. <br />
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build version of rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade that works on macOS and provides a complete GUI. Clone repo and do 'git submodule update --remote' before buidling. It was reported to be not working on iOS 10.2's dyld_shared_cache_armv7s; gave a 561.1MB executable file. <br />
<br />
== Example usage for dsc_extractor ==<br />
<br />
Sorry this is still work in progress as of iOS 13.4.1 - the binary output is not usable for either Hopper or class-dump.<br />
<br />
This tool is different in that it dumps every binary in the cache compared to other tools that allow extraction of individual binaries. We need to create a c++ file and use Apple's test program code to build an executable:<br />
<br />
<source lang=bash><br />
cd Downloads <br />
mkdir dsc_extractor<br />
cd dsc_extractor<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Copy and paste in the following Apple test program taken from the dyld package (look after the code for instructions on how to download it yourself).<br />
<br />
<source lang=c++><br />
// test program<br />
#include <stdio.h><br />
#include <stddef.h><br />
#include <dlfcn.h><br />
<br />
<br />
typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,<br />
void (^progress)(unsigned current, unsigned total));<br />
<br />
int main(int argc, const char* argv[])<br />
{<br />
if ( argc != 3 ) {<br />
fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");<br />
return 1;<br />
}<br />
<br />
//void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);<br />
void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);<br />
if ( handle == NULL ) {<br />
fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");<br />
return 1;<br />
}<br />
<br />
extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");<br />
if ( proc == NULL ) {<br />
fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");<br />
return 1;<br />
}<br />
<br />
int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%d/%d\n", c, total); } );<br />
fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);<br />
return 0;<br />
}<br />
</source><br />
<br />
This test program was taken from dydl 733.6. Get latest by browsing the versions [https://opensource.apple.com/source/dyld/ here] and download by swapping in a version number like:<br />
<source lang=bash><br />
wget http://opensource.apple.com/tarballs/dyld/dyld-733.6.tar.gz<br />
tar xvf dyld-733.6.tar.gz<br />
cd dyld-733.6/launch_cache<br />
mate dyld-733.6/launch_cache/dsc_extractor.cpp<br />
</source><br />
<br />
Scroll to the bottom to find the test program code in the big comment.<br />
<br />
Back to what we were doing, to build the file we created and install:<br />
<br />
<source lang=bash><br />
clang++ -o dsc_extractor dsc_extractor.cpp<br />
cp dsc_extractor ~/bin/<br />
chmod u+x ~/bin/dsc_extractor<br />
</source><br />
<br />
To use (Change the iOS version to what is in your folder, Xcode will copy the cache file from a connected device):<br />
<source lang=bash><br />
cd ~/Library/Developer/Xcode/iOS DeviceSupport/13.4.1 (17E262)<br />
dsc_extractor Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Binaries<br />
</source><br />
<br />
After a brief pause you'll see a lot of output as it dumps each binary, e.g.<br />
<source lang=bash><br />
0/1805<br />
1/1805<br />
2/1805<br />
3/1805<br />
4/1805<br />
5/1805<br />
</source><br />
<br />
And now, you can find all of the dumped binaries in the Binaries folder, the problem is the binaries aren't usable in class-dump and errors with "Cannot find offset", e.g.:<br />
<br />
<source lang=bash><br />
class-dump -H Binaries/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit <br />
2020-05-02 11:58:35.887 class-dump[47492:2792183] Error: Cannot find offset for address 0x201c9409718 in dataOffsetForAddress:<br />
</source><br />
<br />
== Example usage for decache ==<br />
<br />
This will extract the binary of the private framework SpringBoardServices<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer mach-o load commands, so the binary won't be able to run probably in the most cases. But for linking or reverse-engineering purposes it is still usable.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
cache=dyld_shared_cache_arm64<br />
mkdir -p extracted && jtool -lv $cache | cut -c 24- | tail +5 | while read line; do mkdir -p extracted/"$(dirname "$line")"; jtool -extract $line $cache; mv $cache."$(basename "$line")" extracted/$line; done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Please be aware that decache produces currently (16.04.15) better and more usable results then jtool, as jtool fails to resolve and fix the "uniqued" objectiv c selectors correctly.<br />
<br />
Apple "uniques" objectiv c selectors, such as "alloc" (alloc is used almost everywhere), which are used in more then one place, into a single one. When extracting an image from the cache, the address of such a shared selector will most likely not be in the extracted image anymore, so this needs to fixed, which jtool apparently fails to do. (For more information: http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp, look at the class ObjCSelectorUniquer)<br />
<br />
=== Not working since iOS 11 ===<br />
<br />
jtool2 is the newer version this user reports it not working on the iOS 11 shared cache - shows a warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO..." http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183 Still same error exists on the cache from iOS 13.<br />
<br />
<source lang=bash><br />
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64 <br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file<br />
0x176d9000-0x17731000 __TEXT (360448 bytes)<br />
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)<br />
0x30571f60-0x30575f60 __DATA (16384 bytes)<br />
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)<br />
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)<br />
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)<br />
0x34689f18-0x346912f8 Symbol Table (29664 bytes)<br />
0x35a46500-0x35a46b90 Function Starts (1680 bytes)<br />
0x35bb1930-0x35bb1960 Data In Code (48 bytes)<br />
0x35d66710-0x37029aba String Table (19674026 bytes)<br />
LC_DYLD_INFO...<br />
</source><br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was implemented in iOS, trivial ways to pull the cache off the device have provided a "broken" cache, which can't be processed correctly by the aforementioned tools. This is because when read by processes in which ASLR is enabled, some offsetting is applied to the cache too. In order to circumvent this issue and pull a "valid" shared cache off the device, there are different options:<br />
<br />
* Copy the cache off the device using a program on which ASLR has been explicitly disabled, using the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine) - on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG which you can find inside the IPSW.<br />
* Use the copy that is probably laying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.<br />
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5449Dyld shared cache2020-05-02T11:15:40Z<p>Indiekiduk: /* Example usage for dsc_extractor */</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|-<br />
| 64e<br />
| ARMv8.3<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from iOS <= 6 cache file.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but without branch islands workaround.<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8. <br />
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build version of rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade that works on macOS and provides a complete GUI. Clone repo and do 'git submodule update --remote' before buidling. It was reported to be not working on iOS 10.2's dyld_shared_cache_armv7s; gave a 561.1MB executable file. <br />
<br />
== Example usage for dsc_extractor ==<br />
<br />
Sorry this is still work in progress as of iOS 13.4.1 - the binary output is not usable for either Hopper or class-dump.<br />
<br />
This tool is different in that it dumps every binary in the cache compared to other tools that allow extraction of individual binaries. We need to create a c++ file and use Apple's test program code to build an executable:<br />
<br />
<source lang=bash><br />
cd Downloads <br />
mkdir dsc_extractor<br />
cd dsc_extractor<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Copy and paste in the following Apple test program taken from the dyld package (look after the code for instructions on how to download it yourself).<br />
<br />
<source lang=c++><br />
// test program<br />
#include <stdio.h><br />
#include <stddef.h><br />
#include <dlfcn.h><br />
<br />
<br />
typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,<br />
void (^progress)(unsigned current, unsigned total));<br />
<br />
int main(int argc, const char* argv[])<br />
{<br />
if ( argc != 3 ) {<br />
fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");<br />
return 1;<br />
}<br />
<br />
//void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);<br />
void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);<br />
if ( handle == NULL ) {<br />
fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");<br />
return 1;<br />
}<br />
<br />
extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");<br />
if ( proc == NULL ) {<br />
fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");<br />
return 1;<br />
}<br />
<br />
int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%d/%d\n", c, total); } );<br />
fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);<br />
return 0;<br />
}<br />
</source><br />
<br />
This test program was taken from dydl 733.6. Get latest by browsing the versions [https://opensource.apple.com/source/dyld/ here] and download by swapping in a version number like:<br />
<source lang=bash><br />
wget http://opensource.apple.com/tarballs/dyld/dyld-733.6.tar.gz<br />
tar xvf dyld-733.6.tar.gz<br />
cd dyld-733.6/launch_cache<br />
mate dyld-733.6/launch_cache/dsc_extractor.cpp<br />
</source><br />
<br />
Scroll to the bottom to find the test program code in the big comment.<br />
<br />
Back to what we were doing, to build the file we created and install:<br />
<br />
<source lang=bash><br />
clang++ -o dsc_extractor dsc_extractor.cpp<br />
cp dsc_extractor ~/bin/<br />
chmod u+x ~/bin/dsc_extractor<br />
</source><br />
<br />
To use (Change the iOS version to what is in your folder, Xcode will copy the cache file from a connected device):<br />
<source lang=bash><br />
cd ~/Library/Developer/Xcode/iOS DeviceSupport/13.4.1 (17E262)<br />
dsc_extractor Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Binaries<br />
</source><br />
<br />
After a brief pause you'll see a lot of output as it dumps each binary, e.g.<br />
<source lang=bash><br />
0/1805<br />
1/1805<br />
2/1805<br />
3/1805<br />
4/1805<br />
5/1805<br />
</source><br />
<br />
And now, you can find all of the dumped binaries in the Binaries folder, the next step for me is to open one that isn't included in the Sim runtime in Hopper:<br />
<br />
<source lang=bash><br />
hopperv4 -e Binaries/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit<br />
</source><br />
<br />
== Example usage for decache ==<br />
<br />
This will extract the binary of the private framework SpringBoardServices<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer mach-o load commands, so the binary won't be able to run probably in the most cases. But for linking or reverse-engineering purposes it is still usable.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
cache=dyld_shared_cache_arm64<br />
mkdir -p extracted && jtool -lv $cache | cut -c 24- | tail +5 | while read line; do mkdir -p extracted/"$(dirname "$line")"; jtool -extract $line $cache; mv $cache."$(basename "$line")" extracted/$line; done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Please be aware that decache produces currently (16.04.15) better and more usable results then jtool, as jtool fails to resolve and fix the "uniqued" objectiv c selectors correctly.<br />
<br />
Apple "uniques" objectiv c selectors, such as "alloc" (alloc is used almost everywhere), which are used in more then one place, into a single one. When extracting an image from the cache, the address of such a shared selector will most likely not be in the extracted image anymore, so this needs to fixed, which jtool apparently fails to do. (For more information: http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp, look at the class ObjCSelectorUniquer)<br />
<br />
=== Not working since iOS 11 ===<br />
<br />
jtool2 is the newer version this user reports it not working on the iOS 11 shared cache - shows a warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO..." http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183 Still same error exists on the cache from iOS 13.<br />
<br />
<source lang=bash><br />
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64 <br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file<br />
0x176d9000-0x17731000 __TEXT (360448 bytes)<br />
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)<br />
0x30571f60-0x30575f60 __DATA (16384 bytes)<br />
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)<br />
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)<br />
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)<br />
0x34689f18-0x346912f8 Symbol Table (29664 bytes)<br />
0x35a46500-0x35a46b90 Function Starts (1680 bytes)<br />
0x35bb1930-0x35bb1960 Data In Code (48 bytes)<br />
0x35d66710-0x37029aba String Table (19674026 bytes)<br />
LC_DYLD_INFO...<br />
</source><br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was implemented in iOS, trivial ways to pull the cache off the device have provided a "broken" cache, which can't be processed correctly by the aforementioned tools. This is because when read by processes in which ASLR is enabled, some offsetting is applied to the cache too. In order to circumvent this issue and pull a "valid" shared cache off the device, there are different options:<br />
<br />
* Copy the cache off the device using a program on which ASLR has been explicitly disabled, using the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine) - on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG which you can find inside the IPSW.<br />
* Use the copy that is probably lying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.<br />
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5448Dyld shared cache2020-05-02T10:47:33Z<p>Indiekiduk: /* Example usage for dsc_extractor */</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|-<br />
| 64e<br />
| ARMv8.3<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from iOS <= 6 cache file.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but has no workaround for branch islands.<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8. <br />
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build version of rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade works on macOS and provides a complete GUI. Clone the repo and run 'git submodule update --remote' before building. It was reported not to work on iOS 10.2's dyld_shared_cache_armv7s, where it produced a 561.1MB executable file.<br />
<br />
== Example usage for dsc_extractor ==<br />
<br />
This method works as of iOS 13.4.1; the only downside is that it dumps every binary in the cache, whereas other tools allow extraction of individual binaries. We need to create a C++ file and use Apple's test program code to build an executable:<br />
<br />
<source lang=bash><br />
cd Downloads <br />
mkdir dsc_extractor<br />
cd dsc_extractor<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Copy and paste in the following Apple test program taken from the dyld package (look after the code for instructions on how to download it yourself).<br />
<br />
<source lang=c++><br />
// test program<br />
#include <stdio.h><br />
#include <stddef.h><br />
#include <dlfcn.h><br />
<br />
<br />
typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,<br />
                              void (^progress)(unsigned current, unsigned total));<br />
<br />
int main(int argc, const char* argv[])<br />
{<br />
    if ( argc != 3 ) {<br />
        fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");<br />
        return 1;<br />
    }<br />
<br />
    //void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);<br />
    void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);<br />
    if ( handle == NULL ) {<br />
        fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");<br />
        return 1;<br />
    }<br />
<br />
    extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");<br />
    if ( proc == NULL ) {<br />
        fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");<br />
        return 1;<br />
    }<br />
<br />
    int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%d/%d\n", c, total); } );<br />
    fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);<br />
    return 0;<br />
}<br />
</source><br />
<br />
This test program was taken from dyld 733.6. Get the latest by browsing the versions [https://opensource.apple.com/source/dyld/ here] and download it by swapping in the version number, like so:<br />
<source lang=bash><br />
wget http://opensource.apple.com/tarballs/dyld/dyld-733.6.tar.gz<br />
tar xvf dyld-733.6.tar.gz<br />
cd dyld-733.6/launch_cache<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Scroll to the bottom to find the test program code in the big comment.<br />
<br />
Back to what we were doing: build the file we created and install it:<br />
<br />
<source lang=bash><br />
clang++ -o dsc_extractor dsc_extractor.cpp<br />
cp dsc_extractor ~/bin/<br />
chmod u+x ~/bin/dsc_extractor<br />
</source><br />
<br />
To use it (change the iOS version to the one in your folder; Xcode copies the cache file there from a connected device):<br />
<source lang=bash><br />
cd ~/Library/Developer/Xcode/"iOS DeviceSupport/13.4.1 (17E262)"<br />
dsc_extractor Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Binaries<br />
</source><br />
<br />
After a brief pause you'll see a lot of output as it dumps each binary, e.g.<br />
<source lang=bash><br />
0/1805<br />
1/1805<br />
2/1805<br />
3/1805<br />
4/1805<br />
5/1805<br />
</source><br />
<br />
All of the dumped binaries are now in the Binaries folder; the next step for me is to open one that isn't included in the Sim runtime in Hopper:<br />
<br />
<source lang=bash><br />
hopperv4 -e Binaries/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit<br />
</source><br />
<br />
== Example usage for decache ==<br />
<br />
This will extract the binary of the private framework SpringBoardServices:<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer Mach-O load commands, so the binary probably won't be able to run in most cases, but for linking or reverse-engineering purposes it is still usable.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
cache=dyld_shared_cache_arm64<br />
mkdir -p extracted && jtool -lv "$cache" | cut -c 24- | tail -n +5 | while read -r line; do mkdir -p extracted/"$(dirname "$line")"; jtool -extract "$line" "$cache"; mv "$cache.$(basename "$line")" extracted/"$line"; done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Please be aware that decache currently (as of 16.04.15) produces better and more usable results than jtool, as jtool fails to resolve and fix the "uniqued" Objective-C selectors correctly.<br />
<br />
Apple "uniques" Objective-C selectors that are used in more than one place, such as "alloc" (which is used almost everywhere), into a single copy. When extracting an image from the cache, the address of such a shared selector will most likely no longer lie within the extracted image, so it needs to be fixed up, which jtool apparently fails to do. (For more information, see http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp and look at the class ObjCSelectorUniquer.)<br />
<br />
=== Not working since iOS 11 ===<br />
<br />
jtool2 is the newer version; this user reports it not working on the iOS 11 shared cache: it shows the warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO..." (http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183). The same error still occurs on the cache from iOS 13.<br />
<br />
<source lang=bash><br />
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64 <br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file<br />
0x176d9000-0x17731000 __TEXT (360448 bytes)<br />
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)<br />
0x30571f60-0x30575f60 __DATA (16384 bytes)<br />
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)<br />
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)<br />
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)<br />
0x34689f18-0x346912f8 Symbol Table (29664 bytes)<br />
0x35a46500-0x35a46b90 Function Starts (1680 bytes)<br />
0x35bb1930-0x35bb1960 Data In Code (48 bytes)<br />
0x35d66710-0x37029aba String Table (19674026 bytes)<br />
LC_DYLD_INFO...<br />
</source><br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was implemented in iOS, the trivial ways of pulling the cache off the device have yielded a "broken" cache, which the aforementioned tools can't process correctly. This is because, when the cache is read by a process with ASLR enabled, an offset (the ASLR slide) is applied to the cache too, so the copy does not match the on-disk file. To circumvent this and pull a "valid" shared cache off the device, there are several options:<br />
<br />
* Copy the cache off the device using a program on which ASLR has been explicitly disabled, using the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine) - on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG which you can find inside the IPSW.<br />
* Use the copy that is probably lying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.<br />
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5447Dyld shared cache2020-05-02T10:26:42Z<p>Indiekiduk: Added Example usage for dsc_extractor</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|-<br />
| 64e<br />
| ARMv8.3<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from iOS <= 6 cache file.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but has no workaround for branch islands.<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8. <br />
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build version of rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade works on macOS and provides a complete GUI. Clone the repo and run 'git submodule update --remote' before building. It was reported not to work on iOS 10.2's dyld_shared_cache_armv7s, where it produced a 561.1MB executable file.<br />
<br />
== Example usage for dsc_extractor ==<br />
<br />
This method works as of iOS 13.4.1; the only downside is that it dumps every binary in the cache, whereas other tools allow extraction of individual binaries. We need to create a C++ file and use Apple's test program code to build an executable:<br />
<br />
<source lang=bash><br />
cd Downloads <br />
mkdir dsc_extractor<br />
cd dsc_extractor<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Copy and paste in the following Apple test program taken from the dyld package (look after the code for instructions on how to download it yourself).<br />
<br />
<source lang=c++><br />
// test program<br />
#include <stdio.h><br />
#include <stddef.h><br />
#include <dlfcn.h><br />
<br />
<br />
typedef int (*extractor_proc)(const char* shared_cache_file_path, const char* extraction_root_path,<br />
                              void (^progress)(unsigned current, unsigned total));<br />
<br />
int main(int argc, const char* argv[])<br />
{<br />
    if ( argc != 3 ) {<br />
        fprintf(stderr, "usage: dsc_extractor <path-to-cache-file> <path-to-device-dir>\n");<br />
        return 1;<br />
    }<br />
<br />
    //void* handle = dlopen("/Volumes/my/src/dyld/build/Debug/dsc_extractor.bundle", RTLD_LAZY);<br />
    void* handle = dlopen("/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/usr/lib/dsc_extractor.bundle", RTLD_LAZY);<br />
    if ( handle == NULL ) {<br />
        fprintf(stderr, "dsc_extractor.bundle could not be loaded\n");<br />
        return 1;<br />
    }<br />
<br />
    extractor_proc proc = (extractor_proc)dlsym(handle, "dyld_shared_cache_extract_dylibs_progress");<br />
    if ( proc == NULL ) {<br />
        fprintf(stderr, "dsc_extractor.bundle did not have dyld_shared_cache_extract_dylibs_progress symbol\n");<br />
        return 1;<br />
    }<br />
<br />
    int result = (*proc)(argv[1], argv[2], ^(unsigned c, unsigned total) { printf("%d/%d\n", c, total); } );<br />
    fprintf(stderr, "dyld_shared_cache_extract_dylibs_progress() => %d\n", result);<br />
    return 0;<br />
}<br />
</source><br />
<br />
This test program was taken from dyld 733.6. Get the latest by browsing the versions [https://opensource.apple.com/source/dyld/ here] and download it by swapping in the version number, like so:<br />
<source lang=bash><br />
wget http://opensource.apple.com/tarballs/dyld/dyld-733.6.tar.gz<br />
tar xvf dyld-733.6.tar.gz<br />
cd dyld-733.6/launch_cache<br />
mate dsc_extractor.cpp<br />
</source><br />
<br />
Scroll to the bottom to find the test program code in the big comment.<br />
<br />
Back to what we were doing: build the file we created and install it:<br />
<br />
<source lang=bash><br />
clang++ -o dsc_extractor dsc_extractor.cpp<br />
cp dsc_extractor ~/bin/<br />
chmod u+x ~/bin/dsc_extractor<br />
</source><br />
<br />
To use it (change the iOS version to the one in your folder; Xcode copies the cache file there from a connected device):<br />
<source lang=bash><br />
cd ~/Library/Developer/Xcode/"iOS DeviceSupport/13.4.1 (17E262)"<br />
dsc_extractor Symbols/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 Binaries<br />
</source><br />
<br />
After a brief pause you'll see a lot of output as it dumps each binary, e.g.<br />
<source lang=bash><br />
0/1805<br />
1/1805<br />
2/1805<br />
3/1805<br />
4/1805<br />
5/1805<br />
</source><br />
<br />
All of the dumped binaries are now in the Binaries folder; the next step for me is to open them in Hopper:<br />
<br />
<source lang=bash><br />
hopperv4 -e Binaries/System/Library/PrivateFrameworks/UIKitCore.framework/UIKitCore<br />
</source><br />
<br />
== Example usage for decache ==<br />
<br />
This will extract the binary of the private framework SpringBoardServices:<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer Mach-O load commands, so the binary probably won't be able to run in most cases, but for linking or reverse-engineering purposes it is still usable.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
cache=dyld_shared_cache_arm64<br />
mkdir -p extracted && jtool -lv "$cache" | cut -c 24- | tail -n +5 | while read -r line; do mkdir -p extracted/"$(dirname "$line")"; jtool -extract "$line" "$cache"; mv "$cache.$(basename "$line")" extracted/"$line"; done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Please be aware that decache currently (as of 16.04.15) produces better and more usable results than jtool, as jtool fails to resolve and fix the "uniqued" Objective-C selectors correctly.<br />
<br />
Apple "uniques" Objective-C selectors that are used in more than one place, such as "alloc" (which is used almost everywhere), into a single copy. When extracting an image from the cache, the address of such a shared selector will most likely no longer lie within the extracted image, so it needs to be fixed up, which jtool apparently fails to do. (For more information, see http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp and look at the class ObjCSelectorUniquer.)<br />
<br />
=== Not working since iOS 11 ===<br />
<br />
jtool2 is the newer version; this user reports it not working on the iOS 11 shared cache: it shows the warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO..." (http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183). The same error still occurs on the cache from iOS 13.<br />
<br />
<source lang=bash><br />
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64 <br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file<br />
0x176d9000-0x17731000 __TEXT (360448 bytes)<br />
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)<br />
0x30571f60-0x30575f60 __DATA (16384 bytes)<br />
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)<br />
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)<br />
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)<br />
0x34689f18-0x346912f8 Symbol Table (29664 bytes)<br />
0x35a46500-0x35a46b90 Function Starts (1680 bytes)<br />
0x35bb1930-0x35bb1960 Data In Code (48 bytes)<br />
0x35d66710-0x37029aba String Table (19674026 bytes)<br />
LC_DYLD_INFO...<br />
</source><br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was implemented in iOS, the trivial ways of pulling the cache off the device have yielded a "broken" cache, which the aforementioned tools can't process correctly. This is because, when the cache is read by a process with ASLR enabled, an offset (the ASLR slide) is applied to the cache too, so the copy does not match the on-disk file. To circumvent this and pull a "valid" shared cache off the device, there are several options:<br />
<br />
* Copy the cache off the device using a program on which ASLR has been explicitly disabled, using the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine) - on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG which you can find inside the IPSW.<br />
* Use the copy that is probably lying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.<br />
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=5446Dyld shared cache2020-05-02T09:53:13Z<p>Indiekiduk: /* Cache retrieval */ Path fix</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|-<br />
| 64e<br />
| ARMv8.3<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev to nearly perfectly extract dylibs from iOS <= 6 cache file.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [https://gist.github.com/NSExceptional/85527151eeec4b0640187a0a165da1cd here]. It produces the best results among all tools, but has no workaround for branch islands.<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option starting from iOS 8. <br />
* [https://github.com/comex/imaon2 yasce] by comex is/was the best option for iOS 8 (and above), but you will need a nightly build version of rust; something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade works on macOS and provides a complete GUI. Clone the repo and run 'git submodule update --remote' before building. It was reported not to work on iOS 10.2's dyld_shared_cache_armv7s, where it produced a 561.1MB executable file.<br />
<br />
== Example usage for decache ==<br />
<br />
This will extract the binary of the private framework SpringBoardServices:<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer Mach-O load commands, so the binary probably won't be able to run in most cases, but for linking or reverse-engineering purposes it is still usable.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
cache=dyld_shared_cache_arm64<br />
mkdir -p extracted && jtool -lv "$cache" | cut -c 24- | tail -n +5 | while read -r line; do mkdir -p extracted/"$(dirname "$line")"; jtool -extract "$line" "$cache"; mv "$cache.$(basename "$line")" extracted/"$line"; done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Please be aware that decache currently (as of 16.04.15) produces better and more usable results than jtool, as jtool fails to resolve and fix the "uniqued" Objective-C selectors correctly.<br />
<br />
Apple "uniques" Objective-C selectors that are used in more than one place, such as "alloc" (which is used almost everywhere), into a single copy. When extracting an image from the cache, the address of such a shared selector will most likely no longer lie within the extracted image, so it needs to be fixed up, which jtool apparently fails to do. (For more information, see http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp and look at the class ObjCSelectorUniquer.)<br />
<br />
=== Not working since iOS 11 ===<br />
<br />
jtool2 is the newer version; this user reports it not working on the iOS 11 shared cache: it shows the warning "File is likely truncated (or header corrupt?)" and then doesn't get past "LC_DYLD_INFO..." (http://newosxbook.com/forum/viewtopic.php?f=3&t=19577&start=50#p24183). The same error still occurs on the cache from iOS 13.<br />
<br />
<source lang=bash><br />
$ ./jtool2 -e Stocks ./dyld_shared_cache_arm64 <br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) Binding opcodes falls outside file<br />
Warning: File is likely truncated (or header corrupt?) LC_FUNCTION_STARTS falls outside file<br />
0x176d9000-0x17731000 __TEXT (360448 bytes)<br />
0x2ccc2070-0x2ccd54a8 __DATA_CONST (78904 bytes)<br />
0x30571f60-0x30575f60 __DATA (16384 bytes)<br />
0x314c9a28-0x314ca000 __DATA_DIRTY (1496 bytes)<br />
0x316b3000-0x37064000 __LINKEDIT (94048256 bytes)<br />
0x31e3c4d0-0x31e3eaf8 Exports (9768 bytes)<br />
0x34689f18-0x346912f8 Symbol Table (29664 bytes)<br />
0x35a46500-0x35a46b90 Function Starts (1680 bytes)<br />
0x35bb1930-0x35bb1960 Data In Code (48 bytes)<br />
0x35d66710-0x37029aba String Table (19674026 bytes)<br />
LC_DYLD_INFO...<br />
</source><br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was implemented in iOS, the trivial ways of pulling the cache off the device have yielded a "broken" cache, which the aforementioned tools can't process correctly. This is because, when the cache is read by a process with ASLR enabled, an offset (the ASLR slide) is applied to the cache too, so the copy does not match the on-disk file. To circumvent this and pull a "valid" shared cache off the device, there are several options:<br />
<br />
* Copy the cache off the device using a program on which ASLR has been explicitly disabled, using the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine) - on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG which you can find inside the IPSW.<br />
* Use the copy that is probably laying around on your computer in <tt>~/Library/Developer/Xcode/iOS\ DeviceSupport/</tt> if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
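The F_NOCACHE route above, as an added example (not code from the wiki or from any of the tools it lists): a Python script that copies the cache file with the page cache bypassed and then sanity-checks the copy by parsing the leading fields of dyld_cache_header (magic, mappingOffset, mappingCount, imagesOffset, imagesCount, dyldBaseAddress) and the mapping table (address, size, fileOffset, maxProt, initProt), as laid out in dyld's dyld_cache_format.h. A mapping that runs past the end of the file means the copy is truncated, which is one of the things a "file is likely truncated" warning from a tool can mean; a slid copy is not detected by this check. It runs offline against a constructed sample cache (addresses and sizes are made up); on a device run it as <tt>python3 check_cache.py /System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64 out.bin</tt> to do the real copy. F_NOCACHE exists only on Darwin; elsewhere the copy degrades to an ordinary read loop.<br />

```python
"""Copy a dyld_shared_cache file off the filesystem with the page cache
bypassed (F_NOCACHE, Darwin only) and sanity-check the result by parsing
dyld_cache_header and its mapping table. Added example, not code from the
wiki or from any of the tools it lists."""
import fcntl
import os
import struct
import tempfile

# Leading fields of dyld_cache_header: magic[16], mappingOffset, mappingCount,
# imagesOffset, imagesCount, dyldBaseAddress.
HEADER_FMT = "<16sIIIIQ"
# dyld_cache_mapping_info: address, size, fileOffset, maxProt, initProt.
MAPPING_FMT = "<QQQII"


def copy_cache(src: str, dst: str, chunk: int = 1 << 20) -> int:
    """Copy src to dst, reading through the filesystem rather than the page
    cache. Returns bytes copied. F_NOCACHE only exists on Darwin; elsewhere
    this degrades to an ordinary read()/write() loop."""
    nocache = getattr(fcntl, "F_NOCACHE", None)
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        if nocache is not None:
            fcntl.fcntl(fin.fileno(), nocache, 1)
        while True:
            buf = fin.read(chunk)
            if not buf:
                break
            fout.write(buf)
            copied += len(buf)
    return copied


def parse_cache_header(data: bytes) -> dict:
    """Parse the header fields above plus every mapping. Raises ValueError
    if the file does not start with a dyld_v1 magic."""
    magic, map_off, map_cnt, _, img_cnt, base = struct.unpack_from(HEADER_FMT, data, 0)
    magic = magic.rstrip(b"\0").decode("ascii")
    if not magic.startswith("dyld_v1"):
        raise ValueError(f"bad cache magic {magic!r}")
    mappings = []
    for i in range(map_cnt):
        addr, size, foff, maxprot, initprot = struct.unpack_from(
            MAPPING_FMT, data, map_off + struct.calcsize(MAPPING_FMT) * i)
        mappings.append({"address": addr, "size": size, "fileOffset": foff,
                         "maxProt": maxprot, "initProt": initprot})
    return {"magic": magic, "imagesCount": img_cnt,
            "dyldBaseAddress": base, "mappings": mappings}


def check_cache(data: bytes) -> list:
    """Problems found: a first mapping not at file offset 0, or a mapping
    that runs past the end of the file (a truncated copy). A slid copy is
    not detected here."""
    hdr = parse_cache_header(data)
    problems = []
    if not hdr["mappings"] or hdr["mappings"][0]["fileOffset"] != 0:
        problems.append("first mapping does not start at file offset 0")
    for m in hdr["mappings"]:
        if m["fileOffset"] + m["size"] > len(data):
            problems.append(f"mapping at {m['address']:#x} runs past end of file")
    return problems


def build_sample_cache() -> bytes:
    """Constructed sample: header plus three mappings, 0xA000 bytes in all
    (addresses and sizes are made up, not taken from any real cache)."""
    maps = [(0x180000000, 0x4000, 0x0000, 5, 5),   # __TEXT     r-x
            (0x1A0000000, 0x4000, 0x4000, 3, 3),   # __DATA     rw-
            (0x1C0000000, 0x2000, 0x8000, 1, 1)]   # __LINKEDIT r--
    map_off = 0x100
    image = bytearray(0xA000)
    struct.pack_into(HEADER_FMT, image, 0, b"dyld_v1   arm64",
                     map_off, len(maps), 0x200, 0, 0x180000000)
    for i, m in enumerate(maps):
        struct.pack_into(MAPPING_FMT, image, map_off + 32 * i, *m)
    return bytes(image)


def roundtrip_sample() -> tuple:
    """Write the sample to a temp file, copy it with copy_cache() and return
    (bytes copied, copy identical to the source)."""
    sample = build_sample_cache()
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "src"), os.path.join(d, "dst")
        with open(src, "wb") as f:
            f.write(sample)
        copied = copy_cache(src, dst)
        with open(dst, "rb") as f:
            same = f.read() == sample
    return copied, same


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(f"copied {copy_cache(sys.argv[1], sys.argv[2])} bytes")
        data = open(sys.argv[2], "rb").read()
    else:
        data = build_sample_cache()
    hdr = parse_cache_header(data)
    print(hdr["magic"], [(hex(m["address"]), hex(m["size"])) for m in hdr["mappings"]])
    print("problems:", check_cache(data) or "none")
```

The check is deliberately cheap: it reads only the header and mapping table, so it can be run on the device right after the copy, before transferring a file of several hundred megabytes to a machine that then refuses to parse it.<br />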
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.<br />
* [https://github.com/deepinstinct/dsc_fix dsc_fix] — an IDA script that aids in reverse engineering dyld_shared_cache libraries</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Welcome&diff=5321Welcome2019-08-21T21:18:07Z<p>Indiekiduk: /* Overview of contents */</p>
<hr />
<div>__NOTOC__<br />
== Welcome to the iPhoneDevWiki ==<br />
[[File:Drill bits.jpg|right]]<br />
Our goal is to share the sum of all human<ref> We'll make an exception for lawyers; they may submit too. Cf. http://wiki.creativecommons.org/Frequently_Asked_Questions#How_does_a_Creative_Commons_license_operate.3F: "Creative Commons licenses are expressed in three different formats: the Commons Deed (human-readable code), the Legal Code (lawyer-readable code); and the metadata (machine readable code)."</ref> knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.<br />
<br />
What is this wiki for?<br />
<br />
* Information about using iOS [[frameworks]] (both public and [[PrivateFrameworks|private]]), [[SpringBoard.app|SpringBoard]], system [[daemons]] (for hooking and hacking), and classes in applications included with the system.<br />
* Information about third-party libraries and extensions for developers ([[ActionMenu]], [[AppList]], [[Flipswitch]], [[IconSupport]], [[libactivator]], [[libhide]], [[libobjcipc]], [[libstatusbar]], [[PreferenceLoader]], [[RocketBootstrap]], etc.).<br />
* Lists of [[Open Source Projects]], [[Reverse Engineering Tools]], [[advice for new developers]], [[List of development blogs|development blogs]], and other useful information for developers.<br />
* Documentation about making [http://iphonedevwiki.net/index.php/Category:Preferences preferences] for extensions: [[PreferenceLoader]], [[PreferenceBundles]], [[Preferences specifier plist]], [[Preferences.framework]].<br />
* Anything else about development for jailbroken iOS devices. (For other technical information about iOS, see [http://theiphonewiki.com The iPhone Wiki], which covers topics including jailbreak exploits, internal iOS systems, and iOS hardware details. [http://theiphonewiki.com/wiki/Up_to_Speed "Up to Speed"] is its getting-started page about learning about security research on iOS.)<br />
<br />
Current featured article: '''[[Updating extensions for iOS 11]]'''<br />
<br />
New articles: [[Kik]], [[Active Developers]], [[IPC|Inter Process Communication (IPC)]], [[Using ARC in tweaks]], [[Career advice]], [[IOMobileFramebuffer]], [[IOAudio2Device]], [[IOAudio2Transformer]], [[RocketBootstrap]], [[Breadcrumbs]].<br />
<br />
If you'd like to make a new article or improve an existing article, see [[Help:Editing]] for advice (and see [[#Editing this wiki]] for ideas). '''Articles that need work''': [[Packaging]] (tools, control file tips, troubleshooting dpkg-deb errors), [[Next Steps After Getting Started]] (a set of ideas for tutorials you could write), ''edit this page and add your idea here''.<br />
<br />
== Getting started ==<br />
<br />
New to developing for jailbroken devices? Welcome, it's fun and challenging! Hopefully you already have some experience with Objective-C. You will want to get familiar with [[MobileSubstrate|Cydia Substrate (formerly called MobileSubstrate)]] and [[Theos]], and you can study some [[Open Source Projects]] to see how existing tweaks work. See '''[[Getting Started]]''' and also take a look at [[Best Practices]] and [[MobileSubstrate Pitfalls]]. If you're looking for a more thorough and sequential tutorial, take a look at the book ''[http://iosre.com/t/ios-app-reverse-engineering-the-worlds-1st-book-of-very-detailed-ios-app-reverse-engineering-skills/1117 iOS App Reverse Engineering]'' and its forum [http://bbs.iosre.com iOSRE].<br />
<br />
'''[[Getting Help | How to ask for help]]:''' You can ask questions in the IRC channel [https://kiwiirc.com/client/irc.saurik.com/#iphonedev #iphonedev on irc.saurik.com] (where a bunch of developers hang out). IRC is an old-school chat system; if you don't already know how to use it, [[How to use IRC]] has details for you. There are also tags for [http://stackoverflow.com/questions/tagged/jailbreak "jailbreak"], [http://stackoverflow.com/questions/tagged/cydia "Cydia"], and [http://stackoverflow.com/questions/tagged/theos "Theos"] on Stack Overflow, a site for programming questions in general; feel free to ask there as well. (If you want to help answer questions, following [https://twitter.com/jailbreakdevqs @JailbreakDevQs] might be useful.) On reddit, there's [http://www.reddit.com/r/jailbreakdevelopers/ /r/jailbreakdevelopers]. For non-development-related troubleshooting questions, try [http://www.jailbreakqa.com/ JailbreakQA] or [http://www.reddit.com/r/jailbreak/ /r/jailbreak].<br />
<br />
== Overview of contents ==<br />
<br />
By topic:<br />
<br />
* '''Frameworks''':<br />
** {{fwlink|UIKit}} &bull; {{fwlink|GraphicsServices}} &bull; {{fwlink|AppSupport}} &bull; {{fwlink|BiometricKit}} &bull; {{fwlink|ChatKit}} &bull; {{fwlink|MobileWiFi}} &bull; '''''[[Template:Navbox Frameworks|more »]]'''''<br />
* '''Applications''':<br />
** {{applink|SpringBoard}} &bull; {{applink|Preferences}} &bull; {{applink|MobileSafari}} &bull; '''''[[Template:Navbox Applications|more »]]'''''<br />
* '''Extensions''':<br />
** [[ActionMenu]] &bull; [[AppList]] &bull; [[Cydget]] &bull; [[Flipswitch]] &bull; [[IconSupport]] &bull; [[LayerSnapshotter]] &bull; [[libactivator]] &bull; [[libhide]] &bull; [[libobjcipc]] &bull; [[libstatusbar]] &bull; [[PreferenceLoader]] &bull; [[RocketBootstrap]] &bull; [[WinterBoard]] &bull; [[libPassword]] &bull; '''''[[:Category:Cydia_packages|more »]]'''''<br />
* '''System directories''':<br />
** [[Frameworks]] &bull; [[Internet Plug-Ins]] &bull; [[PreferenceBundles]] &bull; [[PrivateFrameworks]] &bull; '''''[[Template:Navbox_Library|more »]]'''''<br />
* '''Other parts of iOS''':<br />
** [[Bluetooth]] &bull; [[CgBI file format]] &bull; [[Coprocessors]] &bull; [[Daemons]] &bull; [[dyld_shared_cache]] &bull; [[Entitlements]] &bull; [[iOS Keyboard]] &bull; [[launchd]] &bull; [[NFC]] &bull; [[Notifications]] &bull; [[Seatbelt]]<br />
* '''Development tools''':<br />
** [[Cycript]] &bull; [[MobileSubstrate|Cydia Substrate (MobileSubstrate)]] &bull; [[debugserver|debugserver (remote debugging)]] &bull; [[Jailbreak Development Tools]] &bull; [[ldid]] &bull; [[On-device toolchains]] &bull; [[Reverse Engineering Tools]] &bull; [[Theos]], [[Logos]], [[NIC]], [[Logify]] &bull; [[Retrieving SDKs]] &bull; [[Xcode|Xcode &ndash; Bypass Provisioning Profile]] &bull; [[SSH Over USB]]<br />
* '''Other articles about development''':<br />
** [[Getting Started]] &bull; [[Best Practices]] &bull; [[MobileSubstrate Pitfalls]] &bull; [[Open Source Projects]] &bull; [[Advice for new developers]] &bull; [[Cydia Store Integration]] &bull; [[Tweak DRM]] &bull; [[Code Signing]] &bull; [[Repository Management]] &bull; [[Packaging]] &bull; [[Crack prevention]] &bull; [[List of development blogs]] &bull; [[Using ARC in tweaks]] &bull; [[Career advice]]<br />
<br />
By iOS version:<br />
<br />
* '''New in iOS 12:''' [[Updating for iOS 12]]<br />
* '''New in iOS 11:''' [[Updating extensions for iOS 11]]<br />
* '''New in iOS 10:''' [[Updating extensions for iOS 10]], [[ControlCenterUI.framework]], [[UserNotificationsUIKit.framework]].<br />
* '''New in iOS 9:''' [[Updating extensions for iOS 9]], [[Updating extensions for iOS 9.3.3]], [[Breadcrumbs]].<br />
* '''New in iOS 8:''' [[Updating extensions for iOS 8]], [[AssertionServices.framework]], [[SBSRestartRenderServerAction]], [[FBSSystemService]], [[UIAlertController]].<br />
* '''New in iOS 7:''' [[Updating extensions for iOS 7]], [[Debugging on iOS 7]], [[Downgrading iPhone 4 from iOS 7]], [[BiometricKit.framework]], [[TouchID]], [[UIBackdropView]], [[AVFlashlight]], [[SBAppSliderController]].<br />
* '''New in iOS 6:''' [[BackBoardServices.framework]], [[backboardd]], [[ChatKit.framework]], [[BKSProcessAssertion]].<br />
* '''New in iOS 5:''' [[SBIconView]], [[CKMadridService]], [[SBAppContextHostManager]].<br />
* '''New in iOS 4:''' [[SBAppSwitcherModel]].<br />
<br />
Translated articles: <br />
<br />
* '''Français''': [[Main page/fr]] &bull; [[MobileSubstrate/fr]] &bull; [[SSH Over USB/fr]] &bull; [[UIFont/fr]] &bull; [[UIColor/fr]] &bull; [[ActorKit.framework/fr]] &bull; [[IOSOpenDev/fr]]<br />
* '''ไทย''': [[MobileSubstrate/th]] &bull; [[SSH Over USB/th]] &bull; [[SpringBoard.app/th]] &bull; [[UIColor/th]]<br />
* '''Deutsch''': [[Theos/de]]<br />
<br />
<!-- {{Navbox Frameworks}}<br />
{{Navbox Applications}} --><br />
<br />
== Editing this wiki ==<br />
<br />
* If you have anything at all to contribute, feel free to do so!<br />
* An account is required to edit pages, but everyone is welcome to make an account. If you have trouble with the account creation process, or any questions about editing the wiki, please ask in #iphonedev on irc.saurik.com for help (see [[How to use IRC]]).<br />
<br />
Some ideas for information to contribute:<br />
<br />
* Add more projects to the list of [[Open Source Projects]], or fill out details on that page.<br />
* Expand [[Getting Started]] for new developers - what do they need to know before beginning? How do they set up a development environment on OS X, Windows, and Linux? What are common beginner's mistakes that they should watch out for? How to reverse-engineer parts of iOS for writing tweaks? How to debug with GDB and learn about memory management?<br />
* Update articles that haven't been significantly edited in a few years, such as [[Seatbelt]] and [[Crack prevention]]. See [[Special:AncientPages]] for a list of articles that haven't been updated recently.<br />
* Help [[Cycript]] explain why Cycript is fun - syntax highlighting, injection, auto-completion, generally exploring around.<br />
* Make a page that documents a class or framework you're familiar with.<br />
* If you've developed a library that other developers can use or write addons/plugins/extensions for, make a page that documents your project.<br />
* Update [[Xcode]] with better information about how to build apps for jailbroken devices.<br />
* Make the homepage more useful! For example, add links to good pages that are hidden/buried deep within the wiki.<br />
* The following articles are linked from nowhere in the wiki: [[Special:LonelyPages]] - you can fix that by linking them somewhere.<br />
* Check out the most popular pages and see if they need updating: [[Special:PopularPages]].<br />
* Write an article that is in demand: [[Special:WantedPages]].<br />
* Translate an existing article into a non-English language. Check out the list at [[Special:PopularPages]] for ideas about high-priority articles to translate, and then make a new page with this name format: <code>Article name/[language code]</code>. [http://svn.wikimedia.org/svnroot/mediawiki/trunk/phase3/languages/Names.php Here's the list of language codes.] For example: [[PreferenceLoader/de]] or [[Libactivator/sv]].<br />
<br />
----<br />
<br />
<references /></div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_11&diff=5211Updating extensions for iOS 112018-07-22T20:04:53Z<p>Indiekiduk: /* Updating extensions for iOS 11.3.1 */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 10|iOS 10]], [[Updating extensions for iOS 9|iOS 9]], [[Updating extensions for iOS 8|iOS 8]] and [[Updating extensions for iOS 7|iOS 7]] – paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+11&type=signup Make an account and edit this page!]'''<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_11&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== Screenshots ==<br />
Since iOS 9.3.3 SBScreenshotManager has been used. This no longer seems to be the case: the class still exists, but it doesn't appear to be used anymore. Instead, there is a new framework named "ScreenshotServices" to which most of the screenshot functionality has been moved.<br />
<br />
However, if your needs are simple, the SpringBoard ''class'' has gained two new methods that trigger screenshots as well. <code>takeScreenshot</code> is invoked by the hardware keys, at which point you can do what you need. This method won't run when the user takes a screenshot another way, such as with AssistiveTouch. <code>takeScreenshot</code> only calls <code>takeScreenshotAndEdit:(BOOL)arg1</code> though, which ''is'' called by AssistiveTouch, so you can hook that one instead.<br />
<br />
If you have more complex needs, you will likely have to dig into the new services. Here is the partly decompiled version (from Hopper) of <code>takeScreenshotAndEdit:</code> for guidance.<br />
<br />
 void -[SpringBoard takeScreenshotAndEdit:](void * self, void * _cmd, bool edit) {<br />
     ...<br />
     SSScreenCapturerPresentationOptions *options = [SSScreenCapturerPresentationOptions new];<br />
     if ([SSScreenCapturer shouldUseScreenCapturerForScreenshots]) {<br />
         [options setPresentationMode:edit];<br />
         [self->_screenCapturer takeScreenshotWithPresentationOptions:options];<br />
     }<br />
     else {<br />
         [self->_screenshotManager saveScreenshots];<br />
     }<br />
     ...<br />
     return;<br />
 }<br />
<br />
Other avenues for screenshots I found while researching were:<br />
<br />
* <code>SBCombinationHardwareButtonActions</code>'s method <code>-(void)performTakeScreenshotAction</code>, which also did not work with AssistiveTouch.<br />
* <code>SSScreenCaptureAbilityCheck</code>'s method <code>-(bool)isAbleToTakeScreenshots</code>, which seems to always be called. I didn't track down exactly where it is called from yet; I didn't need it.<br />
* <code>SSMainScreenSnapshotter</code> and <code>SSOtherScreenSnapshotter</code> are closely related to taking screenshots, but I did not use these either. Worth looking into if you have multi-screen needs, maybe.<br />
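<br />
The hook described above, as an added example (Logos syntax, built with Theos) that is not code from this page; the preference path, preference key and Darwin notification name are hypothetical:<br />
<br />
```objectivec
// Added example (Logos syntax, built with Theos); not code from the wiki page.
// Hooks the iOS 11 SpringBoard method that both the hardware buttons and
// AssistiveTouch end up calling, so the hook sees every screenshot request.
// The preference path, key and notification name are hypothetical.
#import <UIKit/UIKit.h>
#include <notify.h>

// Minimal interface declaration so the selectors type-check; the real class
// lives inside SpringBoard and is not in any SDK header.
@interface SpringBoard : UIApplication
- (void)takeScreenshot;
- (void)takeScreenshotAndEdit:(BOOL)edit;
@end

// Hypothetical preferences file for this example.
static NSString *const kPrefsPath =
    @"/var/mobile/Library/Preferences/com.example.screenshotlog.plist";

// Reads a single BOOL preference on each call so changes apply without a respring.
static BOOL prefEnabled(NSString *key) {
    NSDictionary *prefs = [NSDictionary dictionaryWithContentsOfFile:kPrefsPath];
    return prefs[key] ? [prefs[key] boolValue] : YES;   // default: enabled
}

%hook SpringBoard

// -takeScreenshot is deliberately not hooked: it only fires for the hardware
// keys and simply forwards here, so this single hook covers both paths.
- (void)takeScreenshotAndEdit:(BOOL)edit {
    %orig;   // let SpringBoard capture and present the screenshot first
    if (!prefEnabled(@"enabled")) {
        return;
    }
    NSLog(@"[ScreenshotLog] screenshot requested at %@ (edit=%d)", [NSDate date], edit);
    // Hypothetical Darwin notification so other processes can react to it.
    notify_post("com.example.screenshotlog.taken");
}

%end

%ctor {
    // Belt and braces: the tweak's filter plist should already limit loading
    // to SpringBoard, but never install the hook anywhere else.
    if ([[NSBundle mainBundle].bundleIdentifier isEqualToString:@"com.apple.springboard"]) {
        %init;
    }
}
```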
<br />
== SBUserAgent changes ==<br />
<br />
SBUserAgent still exists, however it is no longer accessible through the previous shared instance. It has instead been moved into SpringBoard as an ivar and can be accessed through a method. So the change can look something like this on iOS 11:<br />
<br />
Class SpringBoardClass = objc_getClass("SpringBoard");<br />
SpringBoard *springBoardInstance = [SpringBoardClass sharedApplication];<br />
SBUserAgent *userAgent = [springBoardInstance pluginUserAgent];<br />
UIDeviceOrientation orientation = [userAgent activeInterfaceOrientation];<br />
<br />
While iOS 10 and below could look like:<br />
<br />
UIDeviceOrientation orientation = [[objc_getClass("SBUserAgent") sharedUserAgent] activeInterfaceOrientation];<br />
<br />
== Disabling CC, NC and Home gestures ==<br />
<br />
In iOS 11 the CC moved to the top right, rather than the bottom. It also added the Home gesture for iPhone X devices. Since the code is pretty large (documentation) I'll make a new page for it with all versions in one.<br />
<br />
See [[Disabling NC, CC and Home gestures]] for information on all versions.<br />
<br />
== Handling iPhone X ==<br />
<br />
If you don't have an iPhone X handy, you may use [https://github.com/ioscreatix/LittleX LittleX] to emulate iPhone X-specific functionalities on your non-X devices.<br />
<br />
== Invoking app switcher ==<br />
<br />
Before iOS 11 you could use:<br />
<br />
SBMainSwitcherViewController *svm = [objc_getClass("SBMainSwitcherViewController") sharedInstance];<br />
[svm toggleSwitcherNoninteractively];<br />
<br />
In iOS 11 this changed to <code>toggleSwitcherNoninteractivelyWithSource:</code>, like this:<br />
<br />
SBMainSwitcherViewController *svm = [objc_getClass("SBMainSwitcherViewController") sharedInstance];<br />
[svm toggleSwitcherNoninteractivelyWithSource:nil];<br />
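<br />
As an added example that is not from this page, here is a version-agnostic way of making both the SBUserAgent call and the app switcher call above: it probes the runtime for the new selectors instead of comparing iOS versions. The <code>@interface</code> blocks are minimal stubs written for this example, and <code>activeOrientation()</code> / <code>toggleAppSwitcher()</code> are its own helper names.<br />
<br />
```objectivec
// Added example, not from the wiki page: the same two calls made version-agnostic
// by asking the runtime which selector exists instead of comparing OS versions.
// The @interface blocks are minimal stubs written for this example; the real
// classes live inside SpringBoard and are not in any public header.
#import <UIKit/UIKit.h>
#import <objc/runtime.h>

@interface SBUserAgent : NSObject
+ (instancetype)sharedUserAgent;                       // iOS 10 and earlier
- (UIDeviceOrientation)activeInterfaceOrientation;
@end

@interface SpringBoard : UIApplication
- (SBUserAgent *)pluginUserAgent;                      // iOS 11
@end

@interface SBMainSwitcherViewController : UIViewController
+ (instancetype)sharedInstance;
- (void)toggleSwitcherNoninteractively;                        // iOS 10 and earlier
- (void)toggleSwitcherNoninteractivelyWithSource:(id)source;   // iOS 11
@end

// Returns the SBUserAgent instance, or nil when neither accessor is present
// (for example when this code is loaded into a process other than SpringBoard).
static SBUserAgent *currentUserAgent(void) {
    SpringBoard *springBoard = (SpringBoard *)[UIApplication sharedApplication];
    if ([springBoard respondsToSelector:@selector(pluginUserAgent)]) {
        return [springBoard pluginUserAgent];          // iOS 11: ivar exposed via a method
    }
    Class userAgentClass = objc_getClass("SBUserAgent");
    if ([userAgentClass respondsToSelector:@selector(sharedUserAgent)]) {
        return [userAgentClass sharedUserAgent];       // iOS 10 and earlier: singleton
    }
    return nil;
}

// Orientation as reported by SBUserAgent, or Unknown if it is unavailable.
static UIDeviceOrientation activeOrientation(void) {
    SBUserAgent *agent = currentUserAgent();
    return agent ? [agent activeInterfaceOrientation] : UIDeviceOrientationUnknown;
}

// Toggles the app switcher; returns NO if no known selector is available, so a
// caller can log that instead of crashing on an unrecognized selector.
static BOOL toggleAppSwitcher(void) {
    Class switcherClass = objc_getClass("SBMainSwitcherViewController");
    SBMainSwitcherViewController *switcher = [switcherClass sharedInstance];
    if ([switcher respondsToSelector:@selector(toggleSwitcherNoninteractivelyWithSource:)]) {
        [switcher toggleSwitcherNoninteractivelyWithSource:nil];   // iOS 11
        return YES;
    }
    if ([switcher respondsToSelector:@selector(toggleSwitcherNoninteractively)]) {
        [switcher toggleSwitcherNoninteractively];                 // iOS 10 and earlier
        return YES;
    }
    return NO;
}
```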
<br />
== Updating extensions for iOS 11.3.1 ==<br />
<br />
When installing a tweak on this OS, instead of MobileSubstrate the installer queues up Substitute, Substrate Compatibility Layer and Tweak Injector. Substitute is an alternative runtime modification framework to Cydia Substrate. Normally, tweaks written against Cydia Substrate work just fine with Substitute, because it ships Cydia Substrate-compatible function calls that link to Substitute itself; developers do not need to use Substitute directly. Tweak Injector, similar to how Cydia Substrate works, is injected into every process spawned via <code>posix_spawn</code> and decides which tweaks should be loaded into which processes.<br />
<br />
There is an issue with package dependencies, e.g. "Note: After you install Semperon, you’ll also need to manually install two dependencies from Cydia: 1) libSparkAppList and 2) PrefixUI. Citing the developer, these aren’t installed automatically because of an APT bug present in this version of Cydia on iOS 11." <ref>Bouchard, Anthony [http://www.idownloadblog.com/2018/07/19/semperon/ "Semperon adds an ‘always-on-display’ to your jailbroken iPhone"] ''[[iDownloadBlog]]''</ref><br />
<br />
[[Category:Updating extensions]]</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_11&diff=5203Updating extensions for iOS 112018-07-09T09:42:12Z<p>Indiekiduk: </p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 10|iOS 10]], [[Updating extensions for iOS 9|iOS 9]], [[Updating extensions for iOS 8|iOS 8]] and [[Updating extensions for iOS 7|iOS 7]] – paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+11&type=signup Make an account and edit this page!]'''<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_11&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== Screenshots ==<br />
Since iOS 9.3.3 SBScreenshotManager has been used. This no longer seems to be the case: the class still exists, but it doesn't appear to be used anymore. Instead, there is a new framework named "ScreenshotServices" to which most of the screenshot functionality has been moved.<br />
<br />
However, if your needs are simple, the SpringBoard ''class'' has gained two new methods that trigger screenshots as well. <code>takeScreenshot</code> is invoked by the hardware keys, at which point you can do what you need. This method won't run when the user takes a screenshot another way, such as with AssistiveTouch. <code>takeScreenshot</code> only calls <code>takeScreenshotAndEdit:(BOOL)arg1</code> though, which ''is'' called by AssistiveTouch, so you can hook that one instead.<br />
<br />
If you have more complex needs, you will likely have to dig into the new services. Here is the partly decompiled version (from Hopper) of <code>takeScreenshotAndEdit:</code> for guidance.<br />
<br />
 void -[SpringBoard takeScreenshotAndEdit:](void * self, void * _cmd, bool edit) {<br />
     ...<br />
     SSScreenCapturerPresentationOptions *options = [SSScreenCapturerPresentationOptions new];<br />
     if ([SSScreenCapturer shouldUseScreenCapturerForScreenshots]) {<br />
         [options setPresentationMode:edit];<br />
         [self->_screenCapturer takeScreenshotWithPresentationOptions:options];<br />
     }<br />
     else {<br />
         [self->_screenshotManager saveScreenshots];<br />
     }<br />
     ...<br />
     return;<br />
 }<br />
<br />
Other avenues for screenshots I found while researching were:<br />
<br />
* <code>SBCombinationHardwareButtonActions</code>'s method <code>-(void)performTakeScreenshotAction</code>, which also did not work with AssistiveTouch.<br />
* <code>SSScreenCaptureAbilityCheck</code>'s method <code>-(bool)isAbleToTakeScreenshots</code>, which seems to always be called. I didn't track down exactly where it is called from yet; I didn't need it.<br />
* <code>SSMainScreenSnapshotter</code> and <code>SSOtherScreenSnapshotter</code> are closely related to taking screenshots, but I did not use these either. Worth looking into if you have multi-screen needs, maybe.<br />
<br />
== SBUserAgent changes ==<br />
<br />
SBUserAgent still exists, however it is no longer accessible through the previous shared instance. It has instead been moved into SpringBoard as an ivar and can be accessed through a method. So the change can look something like this on iOS 11:<br />
<br />
Class SpringBoardClass = objc_getClass("SpringBoard");<br />
SpringBoard *springBoardInstance = [SpringBoardClass sharedApplication];<br />
SBUserAgent *userAgent = [springBoardInstance pluginUserAgent];<br />
UIDeviceOrientation orientation = [userAgent activeInterfaceOrientation];<br />
<br />
While iOS 10 and below could look like:<br />
<br />
UIDeviceOrientation orientation = [[objc_getClass("SBUserAgent") sharedUserAgent] activeInterfaceOrientation];<br />
<br />
== Disabling CC, NC and Home gestures ==<br />
<br />
In iOS 11 the CC moved to the top right, rather than the bottom. It also added the Home gesture for iPhone X devices. Since the code is pretty large (documentation) I'll make a new page for it with all versions in one.<br />
<br />
See [[Disabling NC, CC and Home gestures]] for information on all versions.<br />
<br />
== Handling iPhone X ==<br />
<br />
If you don't have an iPhone X handy, the tweak (paid but open source) 'LittleX' worked ''okay'' as a substitute.<br />
<br />
https://github.com/ioscreatix/LittleX/blob/master/Tweak.xm<br />
<br />
== Invoking app switcher ==<br />
<br />
Before iOS 11 you could use:<br />
<br />
SBMainSwitcherViewController *svm = [objc_getClass("SBMainSwitcherViewController") sharedInstance];<br />
[svm toggleSwitcherNoninteractively];<br />
<br />
In iOS 11 this changed to <code>toggleSwitcherNoninteractivelyWithSource:</code>, like this:<br />
<br />
SBMainSwitcherViewController *svm = [objc_getClass("SBMainSwitcherViewController") sharedInstance];<br />
[svm toggleSwitcherNoninteractivelyWithSource:nil];<br />
<br />
== Updating extensions for iOS 11.3.1 ==<br />
<br />
When installing a tweak on this OS, instead of MobileSubstrate it queues up Substitute, Substrate Compatibility Layer, Tweak Injector. More info on how this works is needed.<br />
<br />
[[Category:Updating extensions]]</div>Indiekidukhttps://iphonedev.wiki/index.php?title=MMCS.framework&diff=5074MMCS.framework2017-08-16T18:32:04Z<p>Indiekiduk: </p>
<hr />
<div>MMCS is a private Objective-C framework that provides networking support for connecting to cloud services. MMCS may stand for MobileMe Cloud Services or Connection Services. It is used by CloudKitDaemon.framework for a NSURLSession pool which allows a session to be used per-domain among other options. This allows a unique NSURLSession and operation queue to be used for each domain being connected to which allows apps to do multiple requests for different things simultaneously. This is achieved via the C2SessionPool classes, C2 might stand for Cloud v2.</div>Indiekidukhttps://iphonedev.wiki/index.php?title=MMCS.framework&diff=5073MMCS.framework2017-08-16T18:31:19Z<p>Indiekiduk: </p>
<hr />
<div>MMCS is a private Objective-C framework that provides networking support for connecting to cloud services. MMCS may stand for Mobile Me Cloud Services or Mobile Me Connection Services. It is used by CloudKitDaemon.framework for a NSURLSession pool which allows a session to be used per-domain among other options. This allows a unique NSURLSession and operation queue to be used for each domain being connected to which allows apps to do multiple requests for different things simultaneously. This is achieved via the C2SessionPool classes, C2 might stand for Cloud v2.</div>Indiekidukhttps://iphonedev.wiki/index.php?title=MMCS.framework&diff=5072MMCS.framework2017-08-16T16:48:04Z<p>Indiekiduk: Created page with "MMCS is a private Objective-C framework that provides networking support for connecting to cloud services. MMCS may stand for Mobile Me Cloud Services. It is used by CloudKitD..."</p>
<hr />
<div>MMCS is a private Objective-C framework that provides networking support for connecting to cloud services. MMCS may stand for Mobile Me Cloud Services. It is used by CloudKitDaemon.framework for a NSURLSession pool which allows a session to be used per-domain among other options. This allows a unique NSURLSession and operation queue to be used for each domain being connected to which allows apps to do multiple requests for different things simultaneously. This is achieved via the C2SessionPool classes, C2 might stand for Cloud v2.</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Dyld_shared_cache&diff=4947Dyld shared cache2017-03-06T12:55:47Z<p>Indiekiduk: /* Cache extraction */</p>
<hr />
<div>{{DISPLAYTITLE:dyld_shared_cache}}<br />
<br />
Since iPhone OS 3.1, all system (private and public) libraries have been combined into a big cache file to improve performance. The original files are redundant and thus eliminated from the system.<br />
<br />
If you're looking for binaries or libraries inside of <tt>[http://theiphonewiki.com/wiki//System/Library/Frameworks /System/Library/Frameworks]</tt> or <tt>/System/Library/PrivateFrameworks</tt> (or other directories) and can't, this is why.<br />
<br />
OS X also uses a shared cache. Unlike iOS, OS X ships with the source binaries still on-disk, particularly so it can be updated with [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/update_dyld_shared_cache.1.html update_dyld_shared_cache]. The cache is only vaguely documented in dyld man pages.<br />
<br />
= Cache location =<br />
<br />
The cache is located in <tt>/System/Library/Caches/com.apple.dyld/dyld_shared_cache_armX</tt>, where X can be:<br />
<br />
{| class="wikitable"<br />
|-<br />
! X<br />
! Device ARM Architecture<br />
|-<br />
| v6<br />
| ARMv6<br />
|-<br />
| v7<br />
| rowspan="3" | ARMv7<br />
|-<br />
| v7s<br />
|-<br />
| v7k<br />
|-<br />
| 64<br />
| ARMv8<br />
|}<br />
<br />
= Cache extraction =<br />
<br />
It used to be possible to compile and link from an iOS device without an SDK, but the introduction of dyld_shared_cache has made using an SDK a necessity. Alternatively, one may need to extract the appropriate dylibs from the dyld_shared_cache, if it's not available in the SDK.<br />
<br />
Starting with iOS 8, the framework binaries shipped with the iOS SDK only contain the symbols, not the compiled code anymore. Binaries extracted from the dyld_shared_cache contain all compiled code and are therefore useful for reverse-engineering purposes.<br />
<br />
Options:<br />
<br />
* You could use [https://github.com/kennytm/Miscellaneous/downloads dyld_decache] by KennyTM~ to extract these dylibs.<br />
* Alternatively, you could use [https://gist.github.com/455086/ DySlim] by comex to mount the whole cache file on Mac OS X.<br />
* [https://github.com/phoenix3200/decache decache] by phoenixdev also works quite well. Out of the tools presented here, it currently produces the most usable results.<br />
* [http://opensource.apple.com/source/dyld/ dsc_extractor (source code)]. More info [http://lightbulbone.tumblr.com/post/56546834100/ios-shared-cache-extraction here].<br />
* [http://www.newosxbook.com/index.php?page=downloads jtool] is another option if other tools fail (which seems to be common starting with iOS 8). <br />
* [https://github.com/comex/imaon2 yasce] by comex seems to currently provide the best output for iOS8+ but have fun getting the right version of rust running. You probably want something like "rustc 1.9.0-nightly (339a409bf 2016-03-01)".<br />
* [https://github.com/macmade/dyld_cache_extract dyld_cache_extract] by macmade. Works on macOS and provides a complete GUI. Clone the repo and do 'git submodule update --remote' before building. Was not successful in extracting NotesShared from the 10.2 dyld_shared_cache_armv7s; it gave a 561.1MB file.<br />
<br />
== Example usage for decache ==<br />
<br />
This will extract the binary of the private framework SpringBoardServices<br />
<br />
<source lang=bash><br />
decache -c path/to/dyld_shared_cache -x /System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices -o SpringBoardServices<br />
</source><br />
<br />
If you get a message about an unsupported load command, ignore it. decache does not support some newer Mach-O load commands, so in most cases the extracted binary probably won't be able to run, but it is still usable for linking or reverse-engineering purposes.<br />
<br />
== Example usage for jtool ==<br />
<br />
To extract a specific binary from the cache ("UIKit" can be replaced with a different framework or library):<br />
<br />
<source lang=bash>jtool -extract UIKit path/to/dyld_shared_cache</source><br />
<br />
An example of one way to dump all the binaries at once (be careful with this, it creates huge files):<br />
<br />
<source lang=bash><br />
jtool -lv cache_armv7 | cut -c 24- | tail -n +5 | while read -r line ; do jtool -extract "$line" cache_armv7 ; done<br />
</source><br />
<br />
=== Problems with jtool ===<br />
<br />
Please be aware that decache currently (as of 16.04.15) produces better and more usable results than jtool, as jtool fails to resolve and fix up the "uniqued" Objective-C selectors correctly.<br />
<br />
Apple "uniques" Objective-C selectors that are used in more than one place, such as "alloc" (which is used almost everywhere), into a single copy. When extracting an image from the cache, the address of such a shared selector will most likely no longer lie inside the extracted image, so it needs to be fixed up, which jtool apparently fails to do. (For more information see http://opensource.apple.com/source/dyld/dyld-132.13/launch-cache/update_dyld_shared_cache.cpp, in particular the class ObjCSelectorUniquer.)<br />
<br />
= Cache retrieval =<br />
<br />
Since ASLR was implemented in iOS, trivial ways to pull the cache off the device have provided a "broken" cache, which can't be processed correctly by the aforementioned tools. This is because when read by processes in which ASLR is enabled, some offsetting is applied to the cache too. In order to circumvent this issue and pull a "valid" shared cache off the device, there are different options:<br />
<br />
* Copy the cache off the device using a program on which ASLR has been explicitly disabled, using the <tt>-mdynamic-no-pic</tt> compile flag.<br />
* Read the cache explicitly from the filesystem by setting the <tt>F_NOCACHE</tt> flag on the cache's file descriptor.<br />
* Copy the cache through AFC (filesystem browsers which use an AFC connection are fine) - on iOS 7 and 8, you'll want to install the package ''Apple File Conduit "2"'', hosted/maintained by saurik.<br />
* Pull the cache off a decrypted root filesystem DMG which you can find inside the IPSW.<br />
* Use the copy that is probably lying around on your computer in "~/Library/Developer/Xcode/iOS DeviceSupport/" if you have Xcode.<br />
<br />
Alternatively, [https://github.com/npupyshev/dt.fetchsymbols dt.fetchsymbols] can be used to extract the cache from an iOS device. This tool doesn't require file system access (jailbreak) or app installation.<br />
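<br />
The F_NOCACHE option above, as an added example that is not part of the page: a small Objective-C command line tool that copies the cache with the flag set on the source descriptor and then checks that the copy begins with the "dyld_v1" magic a cache header starts with. All function names are this example's own; build it with an on-device toolchain and run it on the device.<br />
<br />
```objectivec
// Added example, not from the wiki page: copies the cache with F_NOCACHE set on
// the source descriptor (the second retrieval option listed above) and then checks
// that the copy carries the "dyld_v1" magic every shared cache header begins with.
#import <Foundation/Foundation.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

// Wraps errno into an NSError with a short description of the failed step.
static NSError *posixError(const char *what) {
    return [NSError errorWithDomain:NSPOSIXErrorDomain code:errno
                           userInfo:@{NSLocalizedDescriptionKey: @(what)}];
}

// Copies src to dst, reading with F_NOCACHE so the bytes are read from the file
// itself rather than from already cached pages. Returns NO and sets *error on failure.
static BOOL copyCacheUncached(NSString *src, NSString *dst, NSError **error) {
    int in = open(src.fileSystemRepresentation, O_RDONLY);
    if (in < 0) { if (error) *error = posixError("open source"); return NO; }
    if (fcntl(in, F_NOCACHE, 1) == -1) {
        if (error) *error = posixError("fcntl F_NOCACHE");
        close(in);
        return NO;
    }
    int out = open(dst.fileSystemRepresentation, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (out < 0) { if (error) *error = posixError("open destination"); close(in); return NO; }

    BOOL ok = YES;
    size_t bufSize = 1 << 20;                  // 1 MiB chunks; the cache is hundreds of MB
    char *buf = malloc(bufSize);
    ssize_t n = 0;
    while (ok && (n = read(in, buf, bufSize)) > 0) {
        ssize_t off = 0;
        while (off < n) {                      // write() may be partial
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { if (error) *error = posixError("write"); ok = NO; break; }
            off += w;
        }
    }
    if (n < 0) { if (error) *error = posixError("read"); ok = NO; }
    free(buf);
    close(in);
    close(out);
    return ok;
}

// YES if the file starts with the dyld cache magic: "dyld_v1" followed by
// padding and the architecture name, e.g. "dyld_v1   armv7".
static BOOL looksLikeDyldCache(NSString *path) {
    NSFileHandle *fh = [NSFileHandle fileHandleForReadingAtPath:path];
    NSData *head = [fh readDataOfLength:16];   // the magic field is 16 bytes
    [fh closeFile];
    static const char magic[] = "dyld_v1";
    return head.length >= strlen(magic) && memcmp(head.bytes, magic, strlen(magic)) == 0;
}

int main(int argc, char *argv[]) {
    @autoreleasepool {
        if (argc != 3) {
            fprintf(stderr, "usage: %s <dyld_shared_cache_armX> <destination>\n", argv[0]);
            return 2;
        }
        NSString *src = @(argv[1]);
        NSString *dst = @(argv[2]);
        NSError *error = nil;
        if (!copyCacheUncached(src, dst, &error)) {
            fprintf(stderr, "copy failed: %s\n", error.localizedDescription.UTF8String);
            return 1;
        }
        if (!looksLikeDyldCache(dst)) {
            fprintf(stderr, "warning: %s does not start with the dyld_v1 magic\n", argv[2]);
            return 1;
        }
        printf("copied %s to %s\n", argv[1], argv[2]);
    }
    return 0;
}
```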
<br />
= Class dumping =<br />
<br />
See [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|this section of Reverse Engineering Tools]].<br />
<br />
= External Links =<br />
<br />
* [http://blog.howett.net/?p=75 Cache or Check?] — an analysis of the dyld_shared_cache system by D. Howett.</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_10&diff=4897Updating extensions for iOS 102017-02-01T13:18:15Z<p>Indiekiduk: /* Logging */ removed mistaken issue</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 9|iOS 9]], [[Updating extensions for iOS 8|iOS 8]] and [[Updating extensions for iOS 7|iOS 7]] – paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+10&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research – feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_10&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== SBApplication ==<br />
In iOS 9, an application's dynamic and static shortcut items were accessed via dynamicShortcutItems and staticShortcutItems. These have now been changed to dynamicApplicationShortcutItems and staticApplicationShortcutItems.<br />
<br />
== AppList ==<br />
For now you will need RocketBootstrap from https://rpetri.ch/repo .<br />
<br />
<br />
== SBIconController ==<br />
You used to be able to manually create a shortcut item and activate it using _activateShortcutItem:fromApplication:. This has been removed. <br />
<br />
== Logging ==<br />
<br />
The system logging APIs have changed again – [https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man3/asl.3.html ASL] and [https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man3/syslog.3.html syslog] are now deprecated in favor of the [https://developer.apple.com/reference/os/logging?language=objc unified logging system]. NSLog() and CFLog() now send their output through this system.<br />
<br />
The Console app in macOS Sierra supports reading logs from connected iOS devices – just select the device from the sidebar. The new concept seems to encourage being verbose, so system processes have become pretty noisy. Right click a message to reveal options for filtering to or filtering out messages from a process, library, subsystem, category, etc. You probably want to filter out irrelevant noisy processes otherwise you’ll be overwhelmed and need to scroll a lot. Set up a filter you’re happy with and click Save in the top-right. There is also the [https://ghostbin.com/paste/hfu7t log] command line tool.<br />
<br />
If you want to use os_log, as a courtesy for others, use [https://developer.apple.com/reference/os/1643744-os_log_create?language=objc os_log_create] with your package identifier as the subsystem. Keep in mind the APIs are new to iOS 10. If you support older iOS, retrieve the function symbols at runtime with dlsym() and fall back to an old logging mechanism if they are null.<br />
<br />
== SBDashBoardPageViewController ==<br />
<br />
The iOS 10 lockscreen presents subclasses of SBDashBoardPageViewController as pages for the user to swipe through; new pages can be added with ease. See [http://iphonedevwiki.net/index.php/SBDashBoardPageViewController this wiki page] for further information.<br />
<br />
== OpenSSH ==<br />
<br />
OpenSSH is broken on iOS 10, which is why yalu comes with dropbear (an alternative SSH server). To SSH into your device after jailbreaking, you have to do it [[SSH Over USB|via USB]].<br />
<br />
If you accidentally install the openssh package (BigBoss Tools includes it for example), simply remove the openssh package, reboot and rejailbreak.<br />
<br />
If you get this error with scp:<br />
<br />
sh: scp: command not found<br />
lost connection<br />
<br />
Download [http://newosxbook.com/tools/iOSBinaries.html iosbinpack], then copy it over like so:<br />
<br />
ssh phone 'cat > /usr/bin/scp' < ~/Downloads/iosbinpack64/usr/bin/scp<br />
<br />
Then on the phone, <code>chmod +x /usr/bin/scp</code>.<br />
<br />
== Tweak simply not loading ==<br />
<br />
If your tweak (or preference bundle) does not load, you might have these lines in your Makefile that you need to remove:<br />
<br />
TweakName_LDFLAGS += -Wl,-segalign,4000<br />
TweakName_CODESIGN_FLAGS=-Sentitlements.xml<br />
<br />
For reasons X and Y (I don't know - someone please fill this in).<br />
<br />
See [http://iphonedevwiki.net/index.php/Updating_extensions_for_iOS_9#Compilation_changes here] for why.<br />
<br />
[[Category:Updating extensions]]</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_10&diff=4896Updating extensions for iOS 102017-02-01T12:59:17Z<p>Indiekiduk: /* Logging */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 9|iOS 9]], [[Updating extensions for iOS 8|iOS 8]] and [[Updating extensions for iOS 7|iOS 7]] – paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+10&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research – feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_10&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== SBApplication ==<br />
In iOS 9, an application's dynamic and static shortcut items were accessed via dynamicShortcutItems and staticShortcutItems. In iOS 10 these have been renamed to dynamicApplicationShortcutItems and staticApplicationShortcutItems.<br />
<br />
== AppList ==<br />
For now you will need RocketBootstrap from https://rpetri.ch/repo.<br />
<br />
<br />
== SBIconController ==<br />
You used to be able to manually create a shortcut item and activate it using _activateShortcutItem:fromApplication:. This has been removed. <br />
<br />
== Logging ==<br />
On iOS 10.2, tweaks built with a lower SDK (e.g. the 9.3 SDK in Xcode 7) do not output NSLogs to the Sierra Console app or the Xcode Devices log ([https://www.reddit.com/r/jailbreakdevelopers/comments/5qt7r2/102_nslog_and_hblogdebug_not_showing_in_system_log/ Reddit: 10.2 NSLog and HBLogDebug not showing in System Log]). The solution is to build against the 10.2 SDK (e.g. with Xcode 8), or, in a Theos Makefile, set <code>TARGET = iphone:10.2:10.2</code> (adjusting the deployment target as appropriate).<br />
<br />
The system logging APIs have changed again – [https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man3/asl.3.html ASL] and [https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man3/syslog.3.html syslog] are now deprecated in favor of the [https://developer.apple.com/reference/os/logging?language=objc unified logging system]. NSLog() and CFLog() now send their output through this system.<br />
<br />
The Console app in macOS Sierra supports reading logs from connected iOS devices – just select the device from the sidebar. The new design seems to encourage verbosity, so system processes have become pretty noisy. Right-click a message to reveal options for filtering to, or filtering out, messages from a process, library, subsystem, category, etc. You probably want to filter out irrelevant noisy processes, otherwise you’ll be overwhelmed and need to scroll a lot. Set up a filter you’re happy with and click Save in the top-right. There is also the [https://ghostbin.com/paste/hfu7t log] command line tool.<br />
<br />
If you want to use os_log, as a courtesy for others, use [https://developer.apple.com/reference/os/1643744-os_log_create?language=objc os_log_create] with your package identifier as the subsystem. Keep in mind the APIs are new to iOS 10. If you support older iOS, retrieve the function symbols at runtime with dlsym() and fall back to an old logging mechanism if they are null.<br />
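An added example of the dlsym fallback described above (it is not code from this wiki page or from Theos): os_log_create is looked up by name with the package identifier as the subsystem, and logging drops back to NSLog when the symbol is absent. The subsystem string com.example.mytweak and the category name are placeholders.<br />

```objectivec
// Added example, not taken from the wiki page or from Theos: route tweak logging through
// os_log when the device has it (iOS 10+) and fall back to NSLog otherwise, so a single
// binary built against the iOS 10 SDK keeps loading on iOS 9.
// "com.example.mytweak" is a placeholder for your own package identifier.
#import <Foundation/Foundation.h>
#import <dlfcn.h>
#import <os/log.h>

static os_log_t tweakLog;                // nil until unified logging is confirmed present

static void TweakLogInit(void) {
    // Resolve os_log_create by name instead of calling it directly: on iOS 9 the symbol
    // does not exist in libsystem_trace, and a strong reference to it would stop dyld
    // from loading the tweak at all.
    os_log_t (*createFn)(const char *, const char *) = dlsym(RTLD_DEFAULT, "os_log_create");
    if (createFn != NULL) {
        tweakLog = createFn("com.example.mytweak", "hooks");
    }
}

static void TweakLog(os_log_type_t type, NSString *message) {
    if (tweakLog != nil) {
        // os_log_with_type expands to _os_log_impl, which the iOS 10 SDK marks as
        // available from 10.0; with a lower deployment target it is weak-linked and
        // must only be reached after the dlsym check above succeeded.
        os_log_with_type(tweakLog, type, "%{public}@", message);
    } else {
        // Pre-iOS 10: NSLog goes through ASL/syslog and shows up in the usual places.
        NSLog(@"[com.example.mytweak] %@", message);
    }
}

// Runs when the dylib is injected; %ctor in a Logos file does the same job.
__attribute__((constructor)) static void TweakLoggingSetup(void) {
    TweakLogInit();
    TweakLog(OS_LOG_TYPE_DEFAULT, @"tweak loaded");
}
```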
<br />
== SBDashBoardPageViewController ==<br />
<br />
The iOS 10 lockscreen presents subclasses of SBDashBoardPageViewController as pages for the user to swipe through; new pages can be added with ease. See [http://iphonedevwiki.net/index.php/SBDashBoardPageViewController this wiki page] for further information.<br />
<br />
== OpenSSH ==<br />
<br />
OpenSSH is broken on iOS 10, which is why yalu comes with dropbear (an alternative SSH server). To SSH into your device after jailbreaking, you have to do it [[SSH Over USB|via USB]].<br />
<br />
If you accidentally install the openssh package (BigBoss Tools includes it for example), simply remove the openssh package, reboot and rejailbreak.<br />
<br />
If you get this error with scp:<br />
<br />
<source lang="text"><br />
sh: scp: command not found<br />
lost connection<br />
</source><br />
<br />
Download [http://newosxbook.com/tools/iOSBinaries.html iosbinpack], then copy it over like so:<br />
<br />
<source lang="bash"><br />
ssh phone 'cat > /usr/bin/scp' < ~/Downloads/iosbinpack64/usr/bin/scp<br />
</source><br />
<br />
Then on the phone, <code>chmod +x /usr/bin/scp</code>.<br />
<br />
== Tweak simply not loading ==<br />
<br />
If your tweak (or preference bundle) does not load, you might have these lines in your Makefile that you need to remove:<br />
<br />
<source lang="make"><br />
TweakName_LDFLAGS += -Wl,-segalign,4000<br />
TweakName_CODESIGN_FLAGS=-Sentitlements.xml<br />
</source><br />
<br />
For reasons X and Y (I don't know - someone please fill this in).<br />
<br />
See [http://iphonedevwiki.net/index.php/Updating_extensions_for_iOS_9#Compilation_changes here] for why.<br />
<br />
[[Category:Updating extensions]]</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4551Updating extensions for iOS 92016-06-09T12:19:27Z<p>Indiekiduk: </p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
= Compiling ldid on El Capitan =<br />
<br />
ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc was recently added to] the main Homebrew repo.<br />
<br />
<source lang="bash"><br />
brew update<br />
brew install ldid<br />
</source><br />
<br />
This is more convenient for ensuring ldid is kept up to date in future.<br />
<br />
= What has changed in iOS 9? (Classes, frameworks, etc.) =<br />
<br />
== Compilation changes ==<br />
<br />
32-bit binaries fail to load on 64-bit devices running iOS 9, because the page size used for 32-bit processes has been changed from 4096 bytes to 16384 bytes.<br />
<br />
Tweaks targeted at 32-bit binaries on iOS 9 must now be linked with<br />
<br />
<source lang="text"><br />
-Wl,-segalign,4000<br />
</source><br />
<br />
This linker flag can also be used when compiling for older iOS versions: there the segment alignment had to be a multiple of 1000 (a hexadecimal value, like the 4000 above), and the new alignment satisfies that too.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
<br />
== Entitlements ==<br />
<br />
'''''Every''''' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Make sure that your toolchain of choice is producing signed dylibs; if it is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
ldid -S Tweak.dylib<br />
<br />
Failure to do this invalidates the process's code signature and makes it lose all of its entitlements. The standard symptom is shown below, but frankly it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so don't rely on this symptom: fix your build environment.<br />
<br />
When the process is invalid and thus entitlements are lost, this is output to console on launch:<br />
<source lang="text"><br />
pmpd[13381] <Error>: MS:Error: process is not CS_VALID<br />
</source><br />
<br />
And then this is shown when the required entitlement no longer exists, despite being included in the binary!<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client'<br />
</source><br />
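Both requirements above, 16 KiB segment alignment for 32-bit slices and a code signature on ''every'' slice, can be verified before shipping by walking the Mach-O load commands. The following is an added example written for this page, not code from ldid, Theos or dyld. It assumes little-endian ARM images, checks only the vmaddr and fileoff of each LC_SEGMENT (a heuristic, not dyld's full mapping logic), and builds its own constructed sample images for the demonstration:<br />

```python
"""Walk Mach-O load commands to flag the two iOS 9 load-time problems described
above: 32-bit segments not 16 KiB aligned, and slices without a code signature.
Example code written for this page; not part of ldid, Theos or dyld."""
import struct

FAT_MAGIC = 0xCAFEBABE      # fat (universal) header, big-endian
MH_MAGIC = 0xFEEDFACE       # 32-bit Mach-O header, little-endian on ARM
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O header
LC_SEGMENT = 0x1
LC_CODE_SIGNATURE = 0x1D
PAGE_SIZE_IOS9 = 16384      # 0x4000: the alignment -Wl,-segalign,4000 produces
CPU_TYPE_ARM = 12


def check_thin(blob, base=0):
    """Inspect one thin image at blob[base:]; returns alignment and signing findings."""
    magic = struct.unpack_from("<I", blob, base)[0]
    if magic == MH_MAGIC:
        is64, header_size = False, 28
    elif magic == MH_MAGIC_64:
        is64, header_size = True, 32
    else:
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    ncmds, sizeofcmds = struct.unpack_from("<II", blob, base + 16)
    off, end = base + header_size, base + header_size + sizeofcmds
    signed, misaligned = False, []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("corrupt load command at offset %d" % off)
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        elif cmd == LC_SEGMENT and not is64:
            # segment_command: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, ...
            segname = blob[off + 8:off + 24].rstrip(b"\0").decode("ascii")
            vmaddr, _vmsize, fileoff = struct.unpack_from("<III", blob, off + 24)
            # Heuristic: dyld mmaps each segment, so both the address and the file
            # offset must be multiples of the (now 16 KiB) page size.
            if vmaddr % PAGE_SIZE_IOS9 or fileoff % PAGE_SIZE_IOS9:
                misaligned.append(segname)
        off += cmdsize
    return {"is64": is64, "signed": signed, "misaligned_segments": misaligned}


def check_file(blob):
    """Return one result per slice, handling both thin and fat files."""
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        results = []
        for i in range(nfat):
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", blob, 8 + 20 * i)
            results.append(check_thin(blob, offset))
        return results
    return [check_thin(blob)]


def problems(blob):
    """Human-readable findings; an empty list means every slice passes both checks."""
    findings = []
    for i, r in enumerate(check_file(blob)):
        if not r["signed"]:
            findings.append("slice %d: no LC_CODE_SIGNATURE (run ldid -S)" % i)
        for seg in r["misaligned_segments"]:
            findings.append("slice %d: %s not 16 KiB aligned (relink with -Wl,-segalign,4000)" % (i, seg))
    return findings


def build_sample(data_vmaddr, sign):
    """Constructed minimal 32-bit ARM dylib with __TEXT and __DATA segments (test data only)."""
    cmds = b""
    for name, addr in (("__TEXT", 0), ("__DATA", data_vmaddr)):
        cmds += struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, name.encode(),
                            addr, PAGE_SIZE_IOS9, addr, PAGE_SIZE_IOS9, 7, 5, 0, 0)
    if sign:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)
    header = struct.pack("<IIIIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 6, 2 + int(sign), len(cmds), 0)
    return header + cmds


def build_fat(slices):
    """Constructed fat wrapper placing each slice on a 16 KiB boundary (test data only)."""
    offsets, offset = [], PAGE_SIZE_IOS9
    for blob in slices:
        offsets.append(offset)
        offset += -(-len(blob) // PAGE_SIZE_IOS9) * PAGE_SIZE_IOS9
    out = bytearray(struct.pack(">II", FAT_MAGIC, len(slices)))
    for blob, off in zip(slices, offsets):
        out += struct.pack(">IIIII", CPU_TYPE_ARM, 9, off, len(blob), 14)
    out += b"\0" * (offsets[0] - len(out))
    for blob in slices:
        out += blob + b"\0" * (-len(blob) % PAGE_SIZE_IOS9)
    return bytes(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:  # demo on constructed images: one good slice, one bad slice
        data = build_fat([build_sample(0x4000, True), build_sample(0x1000, False)])
    for line in problems(data) or ["ok: all slices signed and 16 KiB aligned"]:
        print(line)
```

Run it on a real build output (<code>python check_macho.py Tweak.dylib</code>, the file name is an assumption) after <code>make</code> and before packaging; a slice reported as unsigned is exactly what produces the "process is not CS_VALID" line above, and a misaligned 32-bit segment is what produces the mmap() error 22 shown further down for python.<br />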
<br />
=== Granting them at runtime ===<br />
<br />
To grant entitlements to a specific process in iOS 9, iOS 8's approach of hooking the _BSAuditTokenTaskHasEntitlement function in assertiond no longer seems to do the trick; the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
== Sandbox Restrictions ==<br />
<br />
Tweaks running inside a sandboxed application can no longer create or edit files outside the app's container.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application.<br />
See [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code.<br />
<br />
This way you can ask a SpringBoard class to save or create your files.<br />
<br />
You would need to add the AppSupport framework in your makefile:<br />
XXX_FRAMEWORKS = AppSupport<br />
<br />
* After the v1.1 Pangu untether update it is no longer possible to save/create/modify preferences from sandboxed applications in "atomically" mode.<br />
You will get something like this:<br />
<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
<br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions can no longer be used in a sandbox.<br />
Trying to call them from a sandboxed app will log an error like:<br />
<br />
<source lang="text"><br />
Sandbox: [PROCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
== UIScreen changes (unfinished section) ==<br />
<br />
UIScreen bounds now appear to be broken specifically on iPads: the bounds do not seem to take orientation into account. Please add a solution here.<br />
<br />
== File protection after reboot ==<br />
<br />
Some tweaks are still affected by file access being restricted after a reboot until the device is unlocked: e.g. a SpringBoard tweak cannot read a file it previously created, causing undefined behaviour and most likely a SpringBoard crash. See, for example:<br />
https://www.reddit.com/r/jailbreak/comments/458dl0/question_why_does_some_tweaks_stop_working_after/?<br />
This post discusses workarounds:<br />
http://stackoverflow.com/questions/15079765/dealing-with-background-location-updates-and-core-data-file-protection<br />
I was using Core Data and used the option key NSPersistentStoreFileProtectionKey with value NSFileProtectionNone to fix my crash. Other APIs that create files have similar ways to disable the protection.<br />
<br />
Note that NSFileProtectionNone keeps the file readable while the device is locked, so only use it for data that does not need to be protected at rest.<br />
<br />
= Which tools and other preexisting things are still working on iOS 9? Which ones don't work? =<br />
<br />
No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript works as of 28/10/2015, version 0.9.503.<br />
<br />
* The official Python from Cydia may fail; however, thanks to the work of Linus Yang and reddit user ryley_angus we have a binary that works on iOS 9!<br />
Install all packages from [https://www.ryleyangus.com/Python-2.7.8-arm64.zip]; most things I tested worked. The Python packages built by ryley_angus are also available from his repo [https://ryleyangus.com/repo].<br />
<br />
* The Python from Cydia fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* As of (unknown date), lighttpd version 1.4.18-7 works on iOS 9.<br />
<br />
* Ruby fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: lazy symbol binding failed: re-exported symbol 'unknown' not found for image libgcc_s.1.dylib expected re-exported in libSystem.B.dylib, node=0x3980b148<br />
</source><br />
<br />
This occurs due to the change in the 32-bit pagesize on 64-bit CPUs in iOS 9. The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".<br />
<br />
== Killed: 9 ==<br />
<br />
Pangu9 causes many command-line tools to fail with the error "Killed: 9".<br />
<br />
This can be solved by signing the binary: <code>ldid -S `which <command>`</code><br />
<br />
== Daemons ==<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the plist entry ExecuteAllowed with a boolean YES.<br />
<br />
Daemons that use more than 5MB are killed via Jetsam with no crash report saved:<br />
<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
</source><br />
<br />
This can be fixed by using [https://github.com/mariociabarra/jetslammed jetslammed] and raising the memory limit, e.g.<br />
<source lang="objc"><br />
if ([UIDevice currentDevice].systemVersion.integerValue > 8) {<br />
    // The numeric parameter is currently range-checked by the library and must be > 0 and < 1024.<br />
    // The string parameter can be anything in a daemon; its main use is in tweaks, to ensure<br />
    // the highest value among all the different calls to this function is the one that is set.<br />
    jetslammed_updateWaterMark(240, "pmpd");<br />
} else {<br />
    NSLog(@"jetslammed_updateWaterMark not required");<br />
}<br />
</source><br />
<br />
== Connecting to UNIX sockets ==<br />
<br />
Tweaks built as a library injected into an app, communicating with a daemon over a UNIX socket, might fail to connect to the socket with error code EPERM and the following syslog message:<br />
<br />
<source lang="text"><br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
</source><br />
<br />
Note that this worked with the original Pangu untether and has been failing to work (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue. This doesn't work with the original Pangu untether as well. Maybe the Cydia update process has to do something with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox.<br />
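The sandbox denials quoted in the Sandbox Restrictions section and the network-outbound denial above all share one syslog shape, so they can be pulled out of a device log and triaged mechanically. The following is an added example written for this page (not code from any project mentioned here). The log lines it runs over are constructed in the shapes shown on this page, the process name MyApp and its pid are invented, and the hints it emits are the workarounds this page describes:<br />

```python
"""Extract 'Sandbox: ... deny(...)' lines from an iOS syslog and map each one to
the workaround described on this page. Example code written for this page."""
import re
from collections import Counter

# Constructed sample log, not captured from a device; shapes follow the page.
SAMPLE_LOG = """\
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd
Oct 28 12:24:30 My-iPhone-6s kernel[0] <Notice>: Sandbox: MyApp(1234) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/com.example.myapp.plist
Oct 28 12:24:31 My-iPhone-6s kernel[0] <Notice>: Sandbox: MyApp(1234) deny(1) network-outbound /private/var/tmp/mysocket
Oct 28 12:24:32 My-iPhone-6s kernel[0] <Notice>: Sandbox: MyApp(1234) deny(1) process-info-listpids
"""

# process(pid) is optional so placeholder lines like "Sandbox: [PROCESSNAME] deny(1) ..." still parse.
DENY_RE = re.compile(
    r"Sandbox:\s+(?P<proc>[^\s(]+)(?:\((?P<pid>\d+)\))?\s+deny\((?P<flag>\d+)\)\s+"
    r"(?P<ops>\S+)(?:\s+(?P<target>\S.*?))?\s*$"
)

PREFS_DIR = "/private/var/mobile/Library/Preferences/"


def parse_denials(text):
    """Return one dict per sandbox denial line; unrelated log lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        denials.append({
            "process": m.group("proc"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            # several operations can be joined with "/" in one denial
            "ops": m.group("ops").split("/"),
            "target": m.group("target"),   # None for operations without a path
        })
    return denials


def hint(denial):
    """Map a denial to the workaround this page gives, or None if it is not a known case."""
    ops, target = denial["ops"], denial["target"] or ""
    if any(op.startswith("file-write") for op in ops) and target.startswith(PREFS_DIR):
        return ("preferences written atomically from the sandbox: use atomically:NO, "
                "or ask SpringBoard to write them via CPDistributedMessagingCenter")
    if "network-outbound" in ops and target.startswith("/"):
        return "UNIX socket outside the container: place the socket path inside the app's sandbox"
    if any(op.startswith("process-info") for op in ops):
        return "proc_*/sysctl blocked in the sandbox: run the query in a daemon or SpringBoard and ask over IPC"
    return None


def summarize(denials):
    """Count denials per (process, operation) and collect the distinct hints in first-seen order."""
    counts = Counter()
    hints = []
    for d in denials:
        for op in d["ops"]:
            counts[(d["process"], op)] += 1
        h = hint(d)
        if h and h not in hints:
            hints.append(h)
    return counts, hints


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    counts, hints = summarize(found)
    for (proc, op), n in sorted(counts.items()):
        print("%-8s %-24s %d" % (proc, op, n))
    for h in hints:
        print("hint:", h)
```

Feed it a real log with <code>tail</code> or <code>syslog</code> output piped into <code>parse_denials</code>; anything reported for your app's process name that is not one of the three known cases is a new restriction worth noting on this page.<br />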
<br />
== Extension does not have filter ==<br />
<br />
Starting with CydiaSubstrate version 0.9.6100, tweaks '''''must''''' specify a [[Cydia_Substrate#MobileLoader|MobileLoader filter]], or Substrate will prevent the tweak from being injected at all, with the following error:<br />
<br />
<source lang="text"><br />
MS:Error: extension does not have filter<br />
</source><br />
<br />
== canOpenURL restrictions ==<br />
<br />
If you have a tweak that relies on canOpenURL: it might not work, because the URL schemes an app is allowed to query must now be listed in the host app's Info.plist under LSApplicationQueriesSchemes. Unfortunately editing this list does not work, because it appears to be checked at installation time; in addition, canOpenURL: can only be called for 50 URLs, and once that limit is reached it fails regardless of any edits to the list. It's currently unknown where the database is stored on the device.<br />
<br />
The iOS 9 launch scheme approval list (where it asks for permission to open an app) is stored in:<br />
/private/var/preferences/com.apple.launchservices.schemeapproval.plist<br />
<br />
For error-free access to this data, query the canOpenURL: status in a daemon with the appropriate entitlements, or inside SpringBoard using its entitlements, and make the specific query accessible over IPC using RocketBootstrap, darwin_set_state or similar if necessary.<br />
<br />
'''Update:''' It's now possible to bypass this restriction by hooking isApplicationAvailableToOpenURL in LSApplicationWorkspace. For example code, see this issue in a redundant project that was created before this hook was known: https://github.com/r-plus/libcanopenurl/issues/3</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4550Updating extensions for iOS 92016-06-09T11:28:20Z<p>Indiekiduk: </p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
== File restrictions after reboot ==<br />
<br />
File access is restricted after a reboot until the device is unlocked, e.g. a SpringBoard tweak cannot read its preferences, causing undefined behaviour and most likely a SpringBoard crash.<br />
<br />
https://www.reddit.com/r/jailbreak/comments/458dl0/question_why_does_some_tweaks_stop_working_after/?<br />
</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4526Updating extensions for iOS 92016-05-11T20:51:02Z<p>Indiekiduk: /* Daemons */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
= Compiling ldid on El Capitan =<br />
<br />
ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc was recently added to] the main Homebrew repo.<br />
<br />
brew update<br />
brew install ldid<br />
<br />
This is more convenient for ensuring ldid is kept up to date in future.<br />
<br />
= What has changed in iOS 9? (Classes, frameworks, etc.) =<br />
<br />
== Compilation changes ==<br />
<br />
32 bit binaries loaded on 64 bit devices fail to do so since the 32 bit pagesize has been changed from 4096 bytes to 16384 bytes.<br />
<br />
Tweaks targeted at 32 bit binaries on iOS 9 must now be compiled with<br />
<br />
-Wl,-segalign,4000<br />
<br />
This LDFLAG can be used to compile for older iOS versions as it had to be a multiple of 1000 and this new alignment is compatible.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this are tweaks that modify Cydia, which is a 32 bit app.<br />
<br />
== Entitlements ==<br />
<br />
'''''Every''''' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice is producing signed dylibs, if it is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
ldid -S Tweak.dylib<br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
When the process is invalid and thus entitlements are lost, this is output to console on launch:<br />
<source lang="text"><br />
pmpd[13381] <Error>: MS:Error: process is not CS_VALID<br />
</source><br />
<br />
And then this is shown when the required entitlement no longer exists, despite being included in the binary!<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
<br />
=== Granting them at runtime ===<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick, the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
== Sandbox Restrictions ==<br />
<br />
Tweaks that create or edit files from a sandbox application outside the app's container is no longer allowed<br />
* Use an XPC method to communicate with SpringBoard from the sandbox application<br />
See [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code.<br />
<br />
This way you could communicate with a SpringBoard class to get it to save or create your files <br />
<br />
You would need to add AppSupport framework in your makefile<br />
XXX_FRAMEWORKS = AppSupport<br />
<br />
* After the v1.1 Pangu Untether update it is no longer possible to save/create/modify the preferences from Sandboxed applications in "atomically" mode.<br />
You will get something like this:<br />
<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
<br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* some sysctl calls and proc_* functions cannot be used in a sandbox now<br />
trying to use these functions in a sandboxed app will throw an error like:<br />
<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
== UIScreen changes (unfinished section) ==<br />
<br />
Specifically iPads now seems to have been broken when using UIScreen bounds and does not seem to take orientation into account. Please add solution to here.<br />
<br />
= Which tools and other preexisting things are still working on iOS 9? Which ones don't work? =<br />
<br />
No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript works as of 28/10/2015 (version 0.9.503).<br />
<br />
* The official Python from Cydia may fail; however, thanks to the work of Linus Yang and reddit user ryley_angus there is a binary that works on iOS 9. Install all packages from [https://www.ryleyangus.com/Python-2.7.8-arm64.zip]; most things I tested worked. The Python packages built by ryley_angus are also available from his repo [https://ryleyangus.com/repo].<br />
<br />
* The Python from Cydia fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* As of (unknown date) in version 1.4.18-7, lighttpd works on iOS 9.<br />
<br />
* Ruby fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: lazy symbol binding failed: re-exported symbol 'unknown' not found for image libgcc_s.1.dylib expected re-exported in libSystem.B.dylib, node=0x3980b148<br />
</source><br />
<br />
This occurs due to the change in the 32-bit page size on 64-bit CPUs in iOS 9. The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".<br />
<br />
== Killed: 9 ==<br />
<br />
On Pangu9 many command-line tools fail to run, exiting with the error "Killed: 9" (the kernel kills binaries that lack a valid code signature).<br />
<br />
This can be solved by signing the binary with ldid:<br />
<br />
<source lang="text"><br />
ldid -S `which <command>`<br />
</source><br />
<br />
== Daemons ==<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the key ExecuteAllowed with a boolean value of YES to the daemon's launchd plist.<br />
<br />
Daemons that use more than 5 MB of memory are killed by Jetsam, and no crash report is saved:<br />
<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
</source><br />
<br />
This can be fixed by using [https://github.com/mariociabarra/jetslammed jetslammed] and raising the memory limit, e.g.<br />
<br />
<source lang="objc"><br />
// Raise the Jetsam high-water mark to 240 on iOS 9 and later.<br />
// The first parameter is currently range checked by the library and must be > 0 and < 1024.<br />
// The string parameter can be anything in a daemon; its main use is in tweaks, to ensure<br />
// the limit is set to the highest of all the different calls to this function.<br />
if ([UIDevice currentDevice].systemVersion.integerValue > 8) {<br />
    jetslammed_updateWaterMark(240, "pmpd");<br />
} else {<br />
    NSLog(@"jetslammed_updateWaterMark not required");<br />
}<br />
</source><br />
<br />
== Connecting to UNIX sockets ==<br />
<br />
Tweaks that inject a library into an app and communicate with a daemon over a UNIX domain socket might fail to connect to the socket with error code EPERM and the following syslog message:<br />
<br />
<source lang="text"><br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
</source><br />
<br />
Note that this worked with the original Pangu untether and has been failing (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue: it does not work with the original Pangu untether either. Maybe the Cydia update process has something to do with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox container.<br />
<br />
== Extension does not have filter ==<br />
<br />
Starting with CydiaSubstrate version 0.9.6100, tweaks '''''must''''' specify a [[Cydia_Substrate#MobileLoader|MobileLoader filter]], or Substrate will refuse to inject the tweak at all and log the following error:<br />
<br />
<source lang="text"><br />
MS:Error: extension does not have filter<br />
</source><br />
<br />
== canOpenURL restrictions ==<br />
<br />
If you have a tweak that relies on canOpenURL: it might not work, because the URL schemes an app is allowed to query must now be declared in the host app's Info.plist under LSApplicationQueriesSchemes. Unfortunately editing this list after the fact does not work, because it appears to be read at installation time; in addition, canOpenURL: can only be called with 50 URLs, and once that limit is reached it fails regardless of any edits to the list. It is currently unknown where the database is stored on the device.<br />
<br />
The iOS 9 launch scheme approvals (the prompts asking for permission to open an app) are stored in:<br />
<br />
<source lang="text"><br />
/private/var/preferences/com.apple.launchservices.schemeapproval.plist<br />
</source><br />
<br />
For error-free access to this data, query the canOpenURL: status from a daemon with the appropriate entitlements, or inside SpringBoard using its entitlements, and expose that specific query to your tweak over IPC (using RocketBootstrap, darwin_set_state or similar) if necessary.<br />
<br />
'''Update:''' It's now possible to bypass this restriction by hooking isApplicationAvailableToOpenURL in LSApplicationWorkspace. For example code, see this issue in a redundant project that was created before this hook was known: https://github.com/r-plus/libcanopenurl/issues/3</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4522Updating extensions for iOS 92016-04-29T23:23:07Z<p>Indiekiduk: /* Entitlements */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
= Compiling ldid on El Capitan =<br />
<br />
ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc was recently added to] the main Homebrew repo.<br />
<br />
<source lang="text"><br />
brew update<br />
brew install ldid<br />
</source><br />
<br />
This is more convenient for ensuring ldid is kept up to date in future.<br />
<br />
= What has changed in iOS 9? (Classes, frameworks, etc.) =<br />
<br />
== Compilation changes ==<br />
<br />
32-bit binaries fail to load on 64-bit devices running iOS 9, because the page size for 32-bit processes on those devices has been changed from 4096 bytes to 16384 bytes; segments aligned only to the old 4096-byte page can no longer be mapped.<br />
<br />
Tweaks targeted at 32-bit binaries on iOS 9 must now be linked with<br />
<br />
<source lang="text"><br />
-Wl,-segalign,4000<br />
</source><br />
<br />
The alignment given to -segalign is a hexadecimal value (0x4000 = 16384 bytes). It always had to be a multiple of 0x1000 (the old 4096-byte page), so this LDFLAG can also be used when building for older iOS versions: the new alignment is compatible with them.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
<source lang="text"><br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
</source><br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
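<br />
As an added example (this is not code from the wiki, from Theos or from saurik), here is a small Python script that checks whether the segments of a thin Mach-O image are aligned to the 16 KiB pages iOS 9 uses for 32-bit processes on 64-bit devices, i.e. whether a dylib was linked with -Wl,-segalign,4000. It parses only the Mach-O header and the LC_SEGMENT/LC_SEGMENT_64 load commands; the function names and the two sample layouts are the example's own, with the __DATA address 0x242000 borrowed from the dyld mmap() error quoted further down this page. Fat binaries must be split into a single slice first (for example with lipo -thin armv7), since the script handles one architecture at a time.<br />
<br />
```python
"""Check a thin Mach-O image for the 16 KiB segment alignment iOS 9 requires.

Added example (not code from this wiki page or from Theos): it parses only the
Mach-O header and the LC_SEGMENT / LC_SEGMENT_64 load commands, then reports
segments whose virtual address or file offset is not a multiple of the page
size.  The sample layouts at the bottom are constructed; the __DATA address
0x242000 is taken from the dyld mmap() error quoted on this page.
"""
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
PAGE_4K = 0x1000           # alignment older 32-bit builds used
PAGE_16K = 0x4000          # alignment produced by -Wl,-segalign,4000 (hex)

# Fields after (cmd, cmdsize) in segment_command / segment_command_64:
# segname[16], vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
SEG_FMT_32 = "<16sIIIIiiII"
SEG_FMT_64 = "<16sQQQQiiII"


def parse_segments(data):
    """Return [(name, vmaddr, vmsize, fileoff, filesize)] for a thin Mach-O image."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:
        header_size, seg_cmd, seg_fmt = 28, LC_SEGMENT, SEG_FMT_32
    elif magic == MH_MAGIC_64:
        header_size, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, SEG_FMT_64
    else:
        raise ValueError("not a thin little-endian Mach-O (magic 0x%08x)" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    segments = []
    offset = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("load command at 0x%x overruns sizeofcmds" % offset)
        if cmd == seg_cmd:
            f = struct.unpack_from(seg_fmt, data, offset + 8)
            segments.append((f[0].rstrip(b"\0").decode("ascii"), f[1], f[2], f[3], f[4]))
        offset += cmdsize
    return segments


def misaligned_segments(data, page=PAGE_16K):
    """Names of segments that cannot be mapped with `page`-sized pages: the
    virtual address, or the file offset of a segment that has file content,
    is not a multiple of the page size (the cause of dyld's mmap() error 22)."""
    return [name for name, vmaddr, _vmsize, fileoff, filesize in parse_segments(data)
            if vmaddr % page or (filesize and fileoff % page)]


def build_sample_macho(layout, bits=32):
    """Construct a minimal Mach-O (header plus LC_SEGMENT commands only) for
    testing; it is not a loadable binary.  `layout` holds
    (name, vmaddr, vmsize, fileoff, filesize) tuples."""
    if bits == 32:   # cputype 12 = CPU_TYPE_ARM, filetype 6 = MH_DYLIB
        cmd, fmt, hdr = LC_SEGMENT, SEG_FMT_32, [MH_MAGIC, 12, 0, 6, 0, 0, 0]
    else:            # cputype 0x0100000C = CPU_TYPE_ARM64; extra reserved field
        cmd, fmt, hdr = LC_SEGMENT_64, SEG_FMT_64, [MH_MAGIC_64, 0x0100000C, 0, 6, 0, 0, 0, 0]
    cmds = b""
    for name, vmaddr, vmsize, fileoff, filesize in layout:
        body = struct.pack(fmt, name.encode("ascii"), vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)
        cmds += struct.pack("<II", cmd, 8 + len(body)) + body
    hdr[4], hdr[5] = len(layout), len(cmds)      # ncmds, sizeofcmds
    return struct.pack("<Iii" + "I" * (len(hdr) - 3), *hdr) + cmds


# Constructed layouts.  LEGACY_4K mimics a 32-bit dylib linked with the old
# 4 KiB alignment (its __DATA lands at 0x242000, as in the dyld error on this
# page); REBUILT_16K is the same image after relinking with -segalign 4000.
LEGACY_4K = [("__TEXT", 0x000000, 0x242000, 0x000000, 0x242000),
             ("__DATA", 0x242000, 0x02A000, 0x242000, 0x02A000),
             ("__LINKEDIT", 0x26C000, 0x010000, 0x26C000, 0x010000)]
REBUILT_16K = [("__TEXT", 0x000000, 0x244000, 0x000000, 0x244000),
               ("__DATA", 0x244000, 0x02C000, 0x244000, 0x02C000),
               ("__LINKEDIT", 0x270000, 0x010000, 0x270000, 0x010000)]

if __name__ == "__main__":
    for label, layout in (("4 KiB-aligned", LEGACY_4K), ("16 KiB-aligned", REBUILT_16K)):
        image = build_sample_macho(layout)
        print("%s: misaligned for 16 KiB pages: %s" % (label, misaligned_segments(image) or "none"))
```
<br />
To check a real file, pass its bytes: misaligned_segments(open("Tweak.dylib", "rb").read()). An empty list means every segment starts on a 16 KiB boundary; a non-empty one names the segments dyld will refuse to map, which is exactly the situation the "mmap() error 22" message further down this page describes.<br />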
<br />
== Entitlements ==<br />
<br />
'''''Every''''' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice is producing signed dylibs; if it is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
<source lang="text"><br />
ldid -S Tweak.dylib<br />
</source><br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
When the process is invalid and thus entitlements are lost, this is output to console on launch:<br />
<source lang="text"><br />
pmpd[13381] <Error>: MS:Error: process is not CS_VALID<br />
</source><br />
<br />
And then this is shown when the required entitlement no longer exists, despite being included in the binary!<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
<br />
=== Granting them at runtime ===<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick; the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
== Sandbox Restrictions ==<br />
<br />
Tweaks running inside a sandboxed application can no longer create or edit files outside the app's container.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application; see [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code. This way a class running inside SpringBoard can save or create the files on the app's behalf.<br />
<br />
You will need to add the AppSupport framework in your makefile:<br />
<br />
<source lang="text"><br />
XXX_FRAMEWORKS = AppSupport<br />
</source><br />
<br />
* After the v1.1 Pangu untether update it is no longer possible to save, create or modify preferences files from sandboxed applications in "atomically" mode (an atomic write creates a temporary file and then replaces the original, and both operations are now denied). You will get something like this in syslog:<br />
<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
<br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions (for example, listing processes) can no longer be used from a sandboxed app. Calling them will fail and log an error like:<br />
<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
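<br />
The deny messages quoted in this section share one syslog format. As an added example (not code from the wiki), the following Python script parses such lines, groups the denials per process and attaches the workaround documented above for each operation family; it also flags the unlink-plus-create pair on a single path, which is the signature of a failing atomically:YES write. The sample log lines are constructed to match the messages quoted above, and the regex and helper names are the example's own.<br />
<br />
```python
"""Triage Sandbox deny(1) messages from an iOS syslog dump.

Added example (not code from this wiki page): the regex, helper names and the
sample log lines below are this example's own; the lines are constructed to
match the shapes of the messages quoted in this section.
"""
import re
from collections import Counter, defaultdict

# "Sandbox: name(123) deny(1) op target", or the bracketed "[NAME]" form without
# a pid; the target (a path) is optional and the op may be a "/"-joined list.
DENY_RE = re.compile(
    r"Sandbox:\s+\[?(?P<proc>[^\s()\[\]]+)\]?(?:\((?P<pid>[^)]*)\))?"
    r"\s+deny\(\d+\)\s+(?P<op>\S+)(?:\s+(?P<target>\S+))?"
)

# Workarounds documented in this section, keyed by operation family.
REMEDIES = {
    "file-write": "writing outside the app container: hand the write to SpringBoard over XPC, "
                  "or use atomically:NO when the target is the app's own preferences plist",
    "process-info": "sysctl/proc_* process enumeration is denied in the sandbox",
    "network-outbound": "UNIX socket outside the sandbox: place it inside the app's container",
}

SAMPLE_SYSLOG = [  # constructed sample lines
    "Oct 28 12:24:30 My-iPhone-6s kernel[0] <Notice>: Sandbox: MyApp(1234) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/com.example.myapp.plist",
    "Oct 28 12:24:30 My-iPhone-6s kernel[0] <Notice>: Sandbox: MyApp(1234) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/com.example.myapp.plist",
    "Oct 28 12:24:31 My-iPhone-6s kernel[0] <Notice>: Sandbox: [MyApp] deny(1) process-info-listpids",
    "Oct 28 12:24:32 My-iPhone-6s kernel[0] <Notice>: Sandbox: MyApp(1234) deny(1) network-outbound /private/var/tmp/mysocket",
    "Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created",
]


def parse_deny(line):
    """Return {"proc", "pid", "ops", "target"} for a Sandbox deny line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {"proc": m.group("proc"), "pid": m.group("pid"),
            "ops": m.group("op").split("/"), "target": m.group("target")}


def remedy_for(op):
    """Map an operation such as 'file-write-create' to the documented workaround."""
    for family, text in REMEDIES.items():
        if op.startswith(family):
            return text
    return "no workaround documented on this page"


def triage(lines):
    """Per process: sorted (op, target, count, remedy) rows for every denial seen."""
    seen = defaultdict(Counter)
    for line in lines:
        d = parse_deny(line)
        if d:
            for op in d["ops"]:
                seen[d["proc"]][(op, d["target"] or "")] += 1
    return {proc: [(op, target, n, remedy_for(op)) for (op, target), n in sorted(c.items())]
            for proc, c in seen.items()}


def atomic_write_symptom(report):
    """(proc, path) pairs denied both file-write-unlink and file-write-create on
    the same path: the atomically:YES failure described in this section."""
    hits = []
    for proc, rows in report.items():
        ops_by_target = defaultdict(set)
        for op, target, _n, _remedy in rows:
            ops_by_target[target].add(op)
        hits += [(proc, t) for t, ops in ops_by_target.items()
                 if {"file-write-unlink", "file-write-create"} <= ops]
    return hits


if __name__ == "__main__":
    report = triage(SAMPLE_SYSLOG)
    for proc, rows in report.items():
        for op, target, n, remedy in rows:
            print("%s: %s %s x%d -> %s" % (proc, op, target, n, remedy))
    print("atomic-write symptom:", atomic_write_symptom(report))
```
<br />
Feed it the output of syslog (or a saved log) line by line; a denial that maps to "no workaround documented on this page" is a new restriction worth adding to this section.<br />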
<br />
== UIScreen changes (unfinished section) ==<br />
<br />
Specifically, on iPads the UIScreen bounds now appear to be broken: the bounds returned do not seem to take the interface orientation into account. Please add a solution here if you find one.<br />
<br />
= Which tools and other preexisting things are still working on iOS 9? Which ones don't work? =<br />
<br />
No fixes were known for the following at the time of writing. Note that these still work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript works as of 28/10/2015 (version 0.9.503).<br />
<br />
* The official Python from Cydia may fail; however, thanks to the work of Linus Yang and reddit user ryley_angus there is a binary that works on iOS 9. Install all packages from [https://www.ryleyangus.com/Python-2.7.8-arm64.zip]; most things I tested worked. The Python packages built by ryley_angus are also available from his repo [https://ryleyangus.com/repo].<br />
<br />
* The Python from Cydia fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* As of (unknown date) in version 1.4.18-7, lighttpd works on iOS 9.<br />
<br />
* Ruby fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: lazy symbol binding failed: re-exported symbol 'unknown' not found for image libgcc_s.1.dylib expected re-exported in libSystem.B.dylib, node=0x3980b148<br />
</source><br />
<br />
This occurs due to the change in the 32-bit page size on 64-bit CPUs in iOS 9 (see Compilation changes above). The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".<br />
<br />
== Killed: 9 ==<br />
<br />
On Pangu9 many command-line tools fail to run, exiting with the error "Killed: 9" (the kernel kills binaries that lack a valid code signature).<br />
<br />
This can be solved by signing the binary with ldid:<br />
<br />
<source lang="text"><br />
ldid -S `which <command>`<br />
</source><br />
<br />
== Daemons ==<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the key ExecuteAllowed with a boolean value of YES to the daemon's launchd plist.<br />
<br />
Daemons that use more than 5 MB of memory are killed by Jetsam:<br />
<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Warning>: report not saved because the limit of 25 for 298 logs has been reached.<br />
</source><br />
<br />
The Jetsam log is written to ~mobile/Library/Logs/CrashReporter, but it doesn't contain anything useful. It is possible that JetsamProperties need to be added to the plist to raise the daemon's memory limit. Apple's launch daemon plists take their properties from a device-specific globals file at /System/Library/LaunchDaemons/com.apple.jetsamproperties.N71.plist (N71 being the iPhone 6s board identifier). It is not clear whether you can still put the JetsamProperties keys in your daemon's own plist or whether you need to add them to the globals file; some Apple daemons still carry them in their own plist, e.g. com.apple.ac.plist.<br />
<br />
I've tried adding overrides for custom daemons, but it has no effect; they are still killed when 5 MB is reached.<br />
Tweaks that erroneously load UIKit into daemons will cause them to be killed, since they will unexpectedly go over 5 MB.<br />
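<br />
As an added example (not code from the wiki), the following Python script uses plistlib to lint a daemon's launchd plist for the problems described in this section (a missing ExecuteAllowed key, a label without the com.apple prefix that launchd starts late, and no JetsamProperties) and to write ExecuteAllowed into it. The sample plist, its label and program path are constructed for the demo, and the helper names are the example's own. It does not settle whether JetsamProperties in the daemon's own plist is honoured on iOS 9, which the text above leaves open; it only reports that the key is absent.<br />
<br />
```python
"""Lint a launchd daemon plist for the iOS 9 pitfalls described in this section.

Added example (not code from this wiki page): the sample plist is constructed
for the demo and the helper names are this example's own.
"""
import plistlib

SAMPLE_DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.example.mydaemon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/mydaemon</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""


def lint_daemon_plist(data):
    """Return (severity, message) findings for a launchd daemon plist."""
    plist = plistlib.loads(data)
    findings = []
    label = plist.get("Label", "")
    if not label:
        findings.append(("error", "Label is missing"))
    if plist.get("ExecuteAllowed") is not True:
        findings.append(("warning", "ExecuteAllowed is not true; iOS 9 logs "
                         "'This daemon is not allowed to execute. Running anyway.'"))
    if label and not label.startswith("com.apple."):
        findings.append(("info", "Label %r is not com.apple.-prefixed, so on iOS 9 launchd starts it "
                         "well after SpringBoard; an XPC connection to SpringBoard made at startup "
                         "will fail" % label))
    if "JetsamProperties" not in plist:
        findings.append(("info", "no JetsamProperties key; the daemon is subject to the default "
                         "memory limit (5 MB on the device logged above)"))
    return findings


def fix_execute_allowed(data):
    """Return the plist re-serialised with ExecuteAllowed set to true."""
    plist = plistlib.loads(data)
    plist["ExecuteAllowed"] = True
    return plistlib.dumps(plist)


def has_execute_allowed(data):
    """True when the plist carries ExecuteAllowed = true."""
    return plistlib.loads(data).get("ExecuteAllowed") is True


if __name__ == "__main__":
    for severity, message in lint_daemon_plist(SAMPLE_DAEMON_PLIST):
        print("%s: %s" % (severity, message))
    fixed = fix_execute_allowed(SAMPLE_DAEMON_PLIST)
    print("after fix, ExecuteAllowed present:", has_execute_allowed(fixed))
```
<br />
Run it against the plist in /Library/LaunchDaemons before installing a daemon; the warning about ExecuteAllowed is the one that corresponds to the "not allowed to execute" message above.<br />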
<br />
== Connecting to UNIX sockets ==<br />
<br />
Tweaks that inject a library into an app and communicate with a daemon over a UNIX domain socket might fail to connect to the socket with error code EPERM and the following syslog message:<br />
<br />
<source lang="text"><br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
</source><br />
<br />
Note that this worked with the original Pangu untether and has been failing (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue: it does not work with the original Pangu untether either. Maybe the Cydia update process has something to do with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox container.<br />
<br />
== Extension does not have filter ==<br />
<br />
Starting with CydiaSubstrate version 0.9.6100, tweaks '''''must''''' specify a [[Cydia_Substrate#MobileLoader|MobileLoader filter]], or Substrate will refuse to inject the tweak at all and log the following error:<br />
<br />
<source lang="text"><br />
MS:Error: extension does not have filter<br />
</source><br />
<br />
== canOpenURL restrictions ==<br />
<br />
If you have a tweak that relies on canOpenURL: it might not work, because the URL schemes an app is allowed to query must now be declared in the host app's Info.plist under LSApplicationQueriesSchemes. Unfortunately editing this list after the fact does not work, because it appears to be read at installation time; in addition, canOpenURL: can only be called with 50 URLs, and once that limit is reached it fails regardless of any edits to the list. It is currently unknown where the database is stored on the device.<br />
<br />
The iOS 9 launch scheme approvals (the prompts asking for permission to open an app) are stored in:<br />
<br />
<source lang="text"><br />
/private/var/preferences/com.apple.launchservices.schemeapproval.plist<br />
</source><br />
<br />
For error-free access to this data, query the canOpenURL: status from a daemon with the appropriate entitlements, or inside SpringBoard using its entitlements, and expose that specific query to your tweak over IPC (using RocketBootstrap, darwin_set_state or similar) if necessary.<br />
<br />
'''Update:''' It's now possible to bypass this restriction by hooking isApplicationAvailableToOpenURL in LSApplicationWorkspace. For example code, see this issue in a redundant project that was created before this hook was known: https://github.com/r-plus/libcanopenurl/issues/3</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4521Updating extensions for iOS 92016-04-29T23:19:48Z<p>Indiekiduk: /* canOpenURL restrictions */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
= Compiling ldid on El Capitan =<br />
<br />
ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc was recently added to] the main Homebrew repo.<br />
<br />
<source lang="text"><br />
brew update<br />
brew install ldid<br />
</source><br />
<br />
This is more convenient for ensuring ldid is kept up to date in future.<br />
<br />
= What has changed in iOS 9? (Classes, frameworks, etc.) =<br />
<br />
== Compilation changes ==<br />
<br />
32-bit binaries fail to load on 64-bit devices running iOS 9, because the page size for 32-bit processes on those devices has been changed from 4096 bytes to 16384 bytes; segments aligned only to the old 4096-byte page can no longer be mapped.<br />
<br />
Tweaks targeted at 32-bit binaries on iOS 9 must now be linked with<br />
<br />
<source lang="text"><br />
-Wl,-segalign,4000<br />
</source><br />
<br />
The alignment given to -segalign is a hexadecimal value (0x4000 = 16384 bytes). It always had to be a multiple of 0x1000 (the old 4096-byte page), so this LDFLAG can also be used when building for older iOS versions: the new alignment is compatible with them.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
<source lang="text"><br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
</source><br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
<br />
== Entitlements ==<br />
<br />
'''''Every''''' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice is producing signed dylibs; if it is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
<source lang="text"><br />
ldid -S Tweak.dylib<br />
</source><br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
<br />
=== Granting them at runtime ===<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick; the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
== Sandbox Restrictions ==<br />
<br />
Tweaks running inside a sandboxed application can no longer create or edit files outside the app's container.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application; see [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code. This way a class running inside SpringBoard can save or create the files on the app's behalf.<br />
<br />
You will need to add the AppSupport framework in your makefile:<br />
<br />
<source lang="text"><br />
XXX_FRAMEWORKS = AppSupport<br />
</source><br />
<br />
* After the v1.1 Pangu untether update it is no longer possible to save, create or modify preferences files from sandboxed applications in "atomically" mode (an atomic write creates a temporary file and then replaces the original, and both operations are now denied). You will get something like this in syslog:<br />
<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
<br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions (for example, listing processes) can no longer be used from a sandboxed app. Calling them will fail and log an error like:<br />
<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
== UIScreen changes (unfinished section) ==<br />
<br />
Specifically, on iPads the UIScreen bounds now appear to be broken: the bounds returned do not seem to take the interface orientation into account. Please add a solution here if you find one.<br />
<br />
= Which tools and other preexisting things are still working on iOS 9? Which ones don't work? =<br />
<br />
No fixes were known for the following at the time of writing. Note that these still work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript works as of 28/10/2015 (version 0.9.503).<br />
<br />
* The official Python from Cydia may fail; however, thanks to the work of Linus Yang and reddit user ryley_angus there is a binary that works on iOS 9. Install all packages from [https://www.ryleyangus.com/Python-2.7.8-arm64.zip]; most things I tested worked. The Python packages built by ryley_angus are also available from his repo [https://ryleyangus.com/repo].<br />
<br />
* The Python from Cydia fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* As of (unknown date) in version 1.4.18-7, lighttpd works on iOS 9.<br />
<br />
* Ruby fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: lazy symbol binding failed: re-exported symbol 'unknown' not found for image libgcc_s.1.dylib expected re-exported in libSystem.B.dylib, node=0x3980b148<br />
</source><br />
<br />
This occurs due to the change in the 32-bit page size on 64-bit CPUs in iOS 9 (see Compilation changes above). The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".<br />
<br />
== Killed: 9 ==<br />
<br />
On Pangu9 many command-line tools fail to run, exiting with the error "Killed: 9" (the kernel kills binaries that lack a valid code signature).<br />
<br />
This can be solved by signing the binary with ldid:<br />
<br />
<source lang="text"><br />
ldid -S `which <command>`<br />
</source><br />
<br />
== Daemons ==<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the key ExecuteAllowed with a boolean value of YES to the daemon's launchd plist.<br />
<br />
Daemons that use more than 5 MB of memory are killed by Jetsam:<br />
<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Warning>: report not saved because the limit of 25 for 298 logs has been reached.<br />
</source><br />
<br />
The Jetsam log is written to ~mobile/Library/Logs/CrashReporter, but it doesn't contain anything useful. It is possible that JetsamProperties need to be added to the plist to raise the daemon's memory limit. Apple's launch daemon plists take their properties from a device-specific globals file at /System/Library/LaunchDaemons/com.apple.jetsamproperties.N71.plist (N71 being the iPhone 6s board identifier). It is not clear whether you can still put the JetsamProperties keys in your daemon's own plist or whether you need to add them to the globals file; some Apple daemons still carry them in their own plist, e.g. com.apple.ac.plist.<br />
<br />
I've tried adding overrides for custom daemons, but it has no effect; they are still killed when 5 MB is reached.<br />
Tweaks that erroneously load UIKit into daemons will cause them to be killed, since they will unexpectedly go over 5 MB.<br />
<br />
== Connecting to UNIX sockets ==<br />
<br />
Tweaks that inject a library into an app and communicate with a daemon over a UNIX domain socket might fail to connect to the socket with error code EPERM and the following syslog message:<br />
<br />
<source lang="text"><br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
</source><br />
<br />
Note that this worked with the original Pangu untether and has been failing (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue: it does not work with the original Pangu untether either. Maybe the Cydia update process has something to do with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox container.<br />
<br />
== Extension does not have filter ==<br />
<br />
Starting with CydiaSubstrate version 0.9.6100, tweaks '''''must''''' specify a [[Cydia_Substrate#MobileLoader|MobileLoader filter]], or Substrate will refuse to inject the tweak at all and log the following error:<br />
<br />
<source lang="text"><br />
MS:Error: extension does not have filter<br />
</source><br />
<br />
== canOpenURL restrictions ==<br />
<br />
If you have a tweak that relies on canOpenURL, it might not work, because the URL schemes an app is allowed to check must now be listed in the host app's Info.plist under LSApplicationQueriesSchemes. Unfortunately, editing this list does not work, because it appears to be checked at installation time; in addition, canOpenURL can only be called for 50 URLs, and once that limit is reached it fails regardless of any edits to the list. It's currently unknown where the database is stored on the device.<br />
<br />
iOS 9 Launch scheme approval where it asks for permission to open an app:<br />
/private/var/preferences/com.apple.launchservices.schemeapproval.plist<br />
<br />
For error-free access to this data, query the canOpenURL: status from a daemon with the appropriate entitlements, or inside SpringBoard using its entitlements, and expose the specific query over IPC using RocketBootstrap, darwin_set_state or similar if necessary.<br />
<br />
'''Update:''' It's now possible to bypass this restriction by hooking isApplicationAvailableToOpenURL in LSApplicationWorkspace. For example code, see this issue in a redundant project that was created before this hook was known: https://github.com/r-plus/libcanopenurl/issues/3</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4305Updating extensions for iOS 92015-12-14T18:59:29Z<p>Indiekiduk: </p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== Compiling ldid on El Capitan ==<br />
<br />
ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc was recently added to] the main Homebrew repo.<br />
<br />
brew update<br />
brew install ldid<br />
<br />
This is more convenient for ensuring ldid is kept up to date in future.<br />
<br />
== What has changed in iOS 9? (Classes, frameworks, etc.) ==<br />
<br />
=== Compilation changes ===<br />
<br />
32-bit binaries fail to load on 64-bit devices, since the 32-bit page size has been changed from 4096 bytes to 16384 bytes.<br />
<br />
Tweaks targeted at 32 bit binaries on iOS 9 must now be compiled with<br />
<br />
-Wl,-segalign,4000<br />
<br />
This linker flag can also be used when compiling for older iOS versions: the segment alignment there had to be a multiple of 1000 (the value is hexadecimal), and the new 4000 alignment is compatible with that.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
<br />
=== Entitlements ===<br />
<br />
''Every'' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice produces signed dylibs; if the dylib is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
ldid -S Tweak.dylib<br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
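A checker for both build problems just described, added here as an example and not code from the wiki or from any project it mentions: it walks the load commands of a thin or fat Mach-O file, flags any 32-bit segment that is not 16 KiB aligned (the -segalign issue from the compilation section) and any slice that carries no LC_CODE_SIGNATURE load command (never passed through ldid -S). The sample binary is constructed inline and the function names are my own.<br />

```python
"""Added example, not code from the wiki page: check a Mach-O dylib for the two
build defects described above, 32-bit segments not aligned to iOS 9's 16 KiB
page (the cause of dyld's "mmap() error 22") and slices carrying no code
signature (never passed through ldid -S).  Sample binary constructed inline."""
import struct

MH_MAGIC = 0xFEEDFACE        # 32-bit Mach-O (little-endian on ARM)
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE       # universal container; its header is big-endian
LC_SEGMENT = 0x1
LC_CODE_SIGNATURE = 0x1D
PAGE_16K = 0x4000            # page size iOS 9 enforces for 32-bit images too


def _check_slice(data, offset):
    """Parse one thin slice; return (arch, misaligned_segment_names, signed)."""
    magic, = struct.unpack_from("<I", data, offset)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no Mach-O header at offset 0x%x" % offset)
    is64 = magic == MH_MAGIC_64
    ncmds, = struct.unpack_from("<I", data, offset + 16)
    pos = offset + (32 if is64 else 28)      # sizeof mach_header(_64)
    misaligned, signed = [], False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, pos)
        if cmdsize < 8:
            raise ValueError("corrupt load command at 0x%x" % pos)
        if cmd == LC_CODE_SIGNATURE:
            signed = True
        elif cmd == LC_SEGMENT:
            # segment_command after cmd/cmdsize: segname[16], vmaddr, vmsize, fileoff
            name, vmaddr, _vmsize, fileoff = struct.unpack_from("<16s3I", data, pos + 8)
            # dyld mmap()s each segment; with a 16 KiB page both the file offset
            # and the address must be 16 KiB multiples or mmap fails with EINVAL
            if vmaddr % PAGE_16K or fileoff % PAGE_16K:
                misaligned.append(name.rstrip(b"\0").decode())
        pos += cmdsize
    return ("arm64" if is64 else "arm32", misaligned, signed)


def check_macho(data):
    """Walk a thin or fat Mach-O; return one (arch, misaligned, signed) per slice."""
    magic, = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        return [_check_slice(data, 0)]
    nfat, = struct.unpack_from(">I", data, 4)
    results = []
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _ct, _cs, off, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        results.append(_check_slice(data, off))
    return results


def problems(data):
    """Flatten the findings into the messages a build script would print."""
    msgs = []
    for idx, (arch, bad, signed) in enumerate(check_macho(data)):
        for seg in bad:
            msgs.append("slice %d (%s): %s not 16K aligned, relink with "
                        "-Wl,-segalign,4000" % (idx, arch, seg))
        if not signed:
            msgs.append("slice %d (%s): no LC_CODE_SIGNATURE, run ldid -S" % (idx, arch))
    return msgs


# ---- constructed sample binary (hypothetical, not a real build artifact) ----
def _segment(name, vmaddr, vmsize, fileoff):
    """LC_SEGMENT with no sections: cmd, cmdsize, segname, vmaddr, vmsize,
    fileoff, filesize, maxprot, initprot, nsects, flags."""
    return struct.pack("<2I16s8I", LC_SEGMENT, 56, name,
                       vmaddr, vmsize, fileoff, vmsize, 7, 5, 0, 0)


def _thin_slice(segments, signed, cpusubtype):
    """32-bit MH_DYLIB (filetype 6) for CPU_TYPE_ARM (12) plus load commands."""
    cmds = b"".join(segments)
    if signed:  # linkedit_data_command: cmd, cmdsize, dataoff, datasize
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    ncmds = len(segments) + (1 if signed else 0)
    return struct.pack("<7I", MH_MAGIC, 12, cpusubtype, 6, ncmds, len(cmds), 0) + cmds


def _fat(slices):
    """Universal container with each slice on its own 16 KiB boundary."""
    archs, body = [], b""
    for s in slices:
        cputype, cpusubtype = struct.unpack_from("<2I", s, 4)
        archs.append(struct.pack(">5I", cputype, cpusubtype, 0x4000 + len(body), len(s), 14))
        body += s.ljust(0x4000, b"\0")
    header = struct.pack(">2I", FAT_MAGIC, len(slices)) + b"".join(archs)
    return header.ljust(0x4000, b"\0") + body


# armv7 (subtype 9) slice built the old way: 4 KiB-aligned __DATA, never signed
BAD_ARMV7 = _thin_slice([_segment(b"__TEXT", 0x0, 0x1000, 0x0),
                         _segment(b"__DATA", 0x1000, 0x1000, 0x1000)], False, 9)
# armv7s (subtype 11) slice linked with -segalign 4000 and passed through ldid -S
GOOD_ARMV7S = _thin_slice([_segment(b"__TEXT", 0x0, 0x4000, 0x0),
                           _segment(b"__DATA", 0x4000, 0x4000, 0x4000)], True, 11)
SAMPLE_FAT = _fat([BAD_ARMV7, GOOD_ARMV7S])
```

Run problems() over a real dylib's bytes to get one line per defect; an empty list means every slice is 16 KiB aligned and signed.<br />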
<br />
==== Granting them at runtime ====<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that hooking iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick; the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
=== Sandbox Restrictions ===<br />
Tweaks can no longer create or edit files outside the app's container from a sandboxed application.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application.<br />
See [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code.<br />
<br />
This way you can ask a SpringBoard class to save or create your files for you.<br />
<br />
You would need to add the AppSupport framework in your makefile:<br />
XXX_FRAMEWORKS = AppSupport<br />
<br />
* After the v1.1 Pangu Untether update, it is no longer possible to save/create/modify preferences from sandboxed applications in "atomically" mode.<br />
You will get something like this:<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions cannot be used in a sandbox now.<br />
Trying to use these functions in a sandboxed app will produce an error like:<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
=== UIScreen changes (unfinished section) ===<br />
<br />
UIScreen bounds now seem to be broken on iPads in particular, and do not seem to take orientation into account. Please add a solution here.<br />
<br />
== Which tools and other preexisting things are still working on iOS 9? Which ones don't work? ==<br />
<br />
No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript works as of 28/10/2015 version 0.9.503<br />
<br />
* The official Python from Cydia may fail; however, thanks to the work of Linus Yang and reddit user ryley_angus, we have a working binary for iOS 9!<br />
Install all packages from [https://www.dropbox.com/s/qp862ppjz3rzi81/Python-2.7.8-arm64.zip?dl=0]; most things I tested worked.<br />
<br />
* Python (the package on Cydia) fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* As of (unknown date) in version 1.4.18-7, lighttpd works on iOS 9.<br />
<br />
* Ruby fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: lazy symbol binding failed: re-exported symbol 'unknown' not found for image libgcc_s.1.dylib expected re-exported in libSystem.B.dylib, node=0x3980b148<br />
</source><br />
<br />
This occurs due to the change in the 32-bit pagesize on 64-bit CPUs in iOS 9. The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".<br />
<br />
=== Killed: 9 ===<br />
<br />
Pangu9 causes many command-line tools to not work, with the error "Killed: 9".<br />
<br />
This can be solved by running "ldid -S `which <command>`".<br />
<br />
=== Daemons ===<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first, with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard: SpringBoard will be loaded before the daemon, meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard, allowing the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the plist entry ExecuteAllowed with a boolean YES.<br />
<br />
Daemons that use more than 5MB are killed via Jetsam:<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Warning>: report not saved because the limit of 25 for 298 logs has been reached.<br />
</source><br />
The Jetsam log is written to ~mobile/Library/Logs/CrashReporter, but it doesn't contain anything useful. It's possible that Jetsam properties must be added to the plist to raise the daemon's memory limit. Apple's launch daemon plists use properties in a device-specific globals file at /System/Library/LaunchDaemons/com.apple.jetsamproperties.N71.plist.<br />
It's not clear whether you can still put the JetsamProperties keys in your daemon's plist or whether you need to add them to the globals file; some Apple plists still have them, e.g. com.apple.ac.plist.<br />
I've tried adding overrides for custom daemons, but it has no effect: they are still killed when 5MB is reached.<br />
Tweaks that erroneously add UIKit to daemons will cause them to be killed, since they will unexpectedly go over 5MB.<br />
<br />
=== Connecting to UNIX sockets ===<br />
Tweaks built as a library injected into an app, communicating with a daemon over a UNIX socket, might fail to connect to the socket with error code EPERM and the following syslog message:<br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
Note that this worked with the original Pangu untether and has been failing to work (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue. This doesn't work with the original Pangu untether as well. Maybe the Cydia update process has to do something with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox.<br />
<br />
=== Extension does not have filter ===<br />
On iOS 9, tweaks '''must''' specify a [[Cydia_Substrate#MobileLoader|MobileLoader filter]] or Substrate will prevent the tweak from getting injected, with the following error:<br />
<source lang="text"><br />
MS:Error: extension does not have filter<br />
</source><br />
<br />
=== canOpenURL restrictions ===<br />
If you have a tweak that relies on canOpenURL, it might not work, because the URL schemes an app is allowed to check must now be listed in the host app's Info.plist under LSApplicationQueriesSchemes. Unfortunately, editing this list does not work, because it appears to be checked at installation time; in addition, canOpenURL can only be called for 50 URLs, and once that limit is reached it fails regardless of any edits to the list. It's currently unknown where the database is stored on the device.<br />
<br />
iOS 9 Launch scheme approval where it asks for permission to open an app:<br />
/private/var/preferences/com.apple.launchservices.schemeapproval.plist</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4239Updating extensions for iOS 92015-11-13T08:12:36Z<p>Indiekiduk: /* Daemons */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== Compiling ldid on El Capitan ==<br />
<br />
ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc was recently added to] the main Homebrew repo.<br />
<br />
brew update<br />
brew install ldid<br />
<br />
This is more convenient for ensuring ldid is kept up to date in future.<br />
<br />
== What has changed in iOS 9? (Classes, frameworks, etc.) ==<br />
<br />
=== Compilation changes ===<br />
<br />
32-bit binaries fail to load on 64-bit devices, since the 32-bit page size has been changed from 4096 bytes to 16384 bytes.<br />
<br />
Tweaks targeted at 32 bit binaries on iOS 9 must now be compiled with<br />
<br />
-Wl,-segalign,4000<br />
<br />
This linker flag can also be used when compiling for older iOS versions: the segment alignment there had to be a multiple of 1000 (the value is hexadecimal), and the new 4000 alignment is compatible with that.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
<br />
=== Entitlements ===<br />
<br />
''Every'' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice produces signed dylibs; if the dylib is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
ldid -S Tweak.dylib<br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
<br />
==== Granting them at runtime ====<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that hooking iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick; the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
=== Sandbox Restrictions ===<br />
Tweaks can no longer create or edit files outside the app's container from a sandboxed application.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application.<br />
See [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code.<br />
<br />
This way you can ask a SpringBoard class to save or create your files for you.<br />
<br />
You would need to add the AppSupport framework in your makefile:<br />
XXX_FRAMEWORKS = AppSupport<br />
<br />
* After the v1.1 Pangu Untether update, it is no longer possible to save/create/modify preferences from sandboxed applications in "atomically" mode.<br />
You will get something like this:<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions cannot be used in a sandbox now.<br />
Trying to use these functions in a sandboxed app will produce an error like:<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
=== UIScreen changes (unfinished section) ===<br />
<br />
UIScreen bounds now seem to be broken on iPads in particular, and do not seem to take orientation into account. Please add a solution here.<br />
<br />
== Which tools and other preexisting things are still working on iOS 9? Which ones don't work? ==<br />
<br />
No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript works as of 28/10/2015 version 0.9.503<br />
<br />
* Python fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* lighttpd fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/lighttpd/liblightcomp.dylib<br />
Referenced from: /usr/sbin/lighttpd<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/lighttpd/liblightcomp.dylib: mmap() error 22 at address=0x0012F000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/lighttpd/liblightcomp.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* Ruby fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: lazy symbol binding failed: re-exported symbol 'unknown' not found for image libgcc_s.1.dylib expected re-exported in libSystem.B.dylib, node=0x3980b148<br />
</source><br />
<br />
This occurs due to the change in the 32-bit pagesize on 64-bit CPUs in iOS 9. The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".<br />
<br />
=== Killed: 9 ===<br />
<br />
Pangu9 causes many command-line tools to not work, with the error "Killed: 9".<br />
<br />
This can be solved by running "ldid -S `which <command>`".<br />
<br />
=== Daemons ===<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first, with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard: SpringBoard will be loaded before the daemon, meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard, allowing the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the plist entry ExecuteAllowed with a boolean YES.<br />
<br />
Daemons that use more than 5MB are killed via Jetsam:<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Warning>: report not saved because the limit of 25 for 298 logs has been reached.<br />
</source><br />
The Jetsam log is written to ~mobile/Library/Logs/CrashReporter, but it doesn't contain anything useful. It's possible that Jetsam properties must be added to the plist to raise the daemon's memory limit. Apple's launch daemon plists use properties in a device-specific globals file at /System/Library/LaunchDaemons/com.apple.jetsamproperties.N71.plist.<br />
It's not clear whether you can still put the JetsamProperties keys in your daemon's plist or whether you need to add them to the globals file; some Apple plists still have them, e.g. com.apple.ac.plist.<br />
I've tried adding overrides for custom daemons, but it has no effect: they are still killed when 5MB is reached.<br />
Tweaks that erroneously add UIKit to daemons will cause them to be killed, since they will unexpectedly go over 5MB.<br />
<br />
=== Connecting to UNIX sockets ===<br />
Tweaks built as a library injected into an app, communicating with a daemon over a UNIX socket, might fail to connect to the socket with error code EPERM and the following syslog message:<br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
Note that this worked with the original Pangu untether and has been failing to work (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue. This doesn't work with the original Pangu untether as well. Maybe the Cydia update process has to do something with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox.<br />
<br />
=== Extension does not have filter ===<br />
On iOS 9, tweaks '''must''' specify a [[Cydia_Substrate#MobileLoader|MobileLoader filter]] or Substrate will prevent the tweak from getting injected, with the following error:<br />
<source lang="text"><br />
MS:Error: extension does not have filter<br />
</source></div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4212Updating extensions for iOS 92015-10-28T13:40:30Z<p>Indiekiduk: /* Daemons */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== Compiling ldid on El Capitan ==<br />
<br />
Not quite iOS 9, but still something to be aware of: El Capitan does not include OpenSSL, which ldid requires to compile. In order to get OpenSSL and modify ldid's make script to use it, follow these steps.<br />
<br />
* Install [http://brew.sh Homebrew] if you haven't already.<br />
* Install OpenSSL through Homebrew:<br />
brew install openssl<br />
* Clone ldid as normal.<br />
* Download [https://gist.github.com/aarzee/7b071088c4fca0b3ee25/raw/d62d89e72c0a0625512a81eea7562cef970f430e/make.sh this modded make.sh] and replace the old one with this one.<br />
* Make as normal:<br />
./make.sh<br />
<br />
Alternatively, kirb (hi, that's me) just got ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc added to] the main Homebrew repo.<br />
<br />
brew update<br />
brew install ldid<br />
<br />
This may be seen as more convenient for ensuring ldid is kept up to date in future.<br />
<br />
== What has changed in iOS 9? (Classes, frameworks, etc.) ==<br />
<br />
=== Compilation changes ===<br />
<br />
32-bit binaries fail to load on 64-bit devices, since the 32-bit page size has been changed from 4096 bytes to 16384 bytes.<br />
<br />
Tweaks targeted at 32 bit binaries on iOS 9 must now be compiled with<br />
<br />
-Wl,-segalign,4000<br />
<br />
This linker flag can also be used when compiling for older iOS versions: the segment alignment there had to be a multiple of 1000 (the value is hexadecimal), and the new 4000 alignment is compatible with that.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
<br />
=== Entitlements ===<br />
<br />
''Every'' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice produces signed dylibs; if the dylib is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
ldid -S Tweak.dylib<br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
<br />
==== Granting them at runtime ====<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that hooking iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick; the new _BSXPCConnectionHasEntitlement needs to be hooked instead.<br />
<br />
=== Sandbox Restrictions ===<br />
Tweaks can no longer create or edit files outside the app's container from a sandboxed application.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application.<br />
See [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code.<br />
<br />
This way you can ask a SpringBoard class to save or create your files for you.<br />
<br />
You would need to add the AppSupport framework in your makefile:<br />
XXX_FRAMEWORKS = AppSupport<br />
<br />
* After the v1.1 Pangu Untether update, it is no longer possible to save/create/modify preferences from sandboxed applications in "atomically" mode.<br />
You will get something like this:<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions cannot be used in a sandbox now.<br />
Trying to use these functions in a sandboxed app will produce an error like:<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
== Which tools and other preexisting things are still working on iOS 9? Which ones don't work? ==<br />
<br />
No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libapr-1.0.dylib<br />
Referenced from: /usr/bin/cycript<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libapr-1.0.dylib: mmap() error 22 at address=0x0013F000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/libapr-1.0.dylib<br />
/usr/lib/libapr-1.0.dylib: mmap() error 22 at address=0x00163000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/libapr-1.0.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* python fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* lighttpd fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/lighttpd/liblightcomp.dylib<br />
Referenced from: /usr/sbin/lighttpd<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/lighttpd/liblightcomp.dylib: mmap() error 22 at address=0x0012F000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/lighttpd/liblightcomp.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
=== Killed: 9 ===<br />
<br />
Pangu9 causes many command-line tools to not work, with the error "Killed: 9".<br />
<br />
This can be solved by re-signing the tool: <code>ldid -S `which <command>`</code><br />
<br />
=== Daemons ===<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the plist entry ExecuteAllowed with a boolean YES.<br />
<br />
Daemons that use more than around 10MB are killed via Jetsam:<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Warning>: report not saved because the limit of 25 for 298 logs has been reached.<br />
</source><br />
The Jetsam log is written to ~mobile/Library/Logs/CrashReporter; however, it doesn't contain anything useful. It's possible that Jetsam properties need to be added to the plist to raise the daemon's memory limit. Apple's launch daemon plists use properties from a device-specific globals file at /System/Library/LaunchDaemons/com.apple.jetsamproperties.N71.plist.<br />
It's not clear whether you can still put the JetsamProperties keys in your daemon plist or whether you need to add them to the globals list; some Apple plists still carry them, e.g. com.apple.atc.plist.<br />
<br />
=== Connecting to UNIX sockets ===<br />
Tweaks built as a library injected into an app, communicating with a daemon over a UNIX socket, might fail to connect to the socket with error code EPERM and the following syslog message:<br />
<source lang="text"><br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
</source><br />
Note that this worked with the original Pangu untether and has been failing (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue. This doesn't work with the original Pangu untether either. Maybe the Cydia update process has something to do with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox.</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_9&diff=4211Updating extensions for iOS 92015-10-28T12:30:58Z<p>Indiekiduk: /* Daemons */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 8]] and [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+9&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_9&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== Compiling ldid on El Capitan ==<br />
<br />
Not quite iOS 9, but still something to be aware of: El Capitan does not include OpenSSL, which ldid requires to compile. In order to get OpenSSL and modify ldid's make script to use it, follow these steps.<br />
<br />
* Install [http://brew.sh Homebrew] if you haven't already.<br />
* Install OpenSSL through Homebrew:<br />
brew install openssl<br />
* Clone ldid as normal.<br />
* Download [https://gist.github.com/aarzee/7b071088c4fca0b3ee25/raw/d62d89e72c0a0625512a81eea7562cef970f430e/make.sh this modded make.sh] and replace the old one with this one.<br />
* Make as normal:<br />
./make.sh<br />
<br />
Alternatively, kirb (hi, that's me) just got ldid [https://github.com/Homebrew/homebrew/commit/ac8d9201b8ae5ffe2d6aef6acf08cf1f654caccc added to] the main Homebrew repo.<br />
<br />
brew update<br />
brew install ldid<br />
<br />
This may be seen as more convenient for ensuring ldid is kept up to date in future.<br />
<br />
== What has changed in iOS 9? (Classes, frameworks, etc.) ==<br />
<br />
=== Compilation changes ===<br />
<br />
32-bit binaries fail to load on 64-bit devices, since the 32-bit page size has been changed from 4096 bytes to 16384 bytes.<br />
<br />
Tweaks targeted at 32-bit binaries on iOS 9 must now be built with<br />
<br />
-Wl,-segalign,4000<br />
<br />
This LDFLAG can also be used when building for older iOS versions: the segment alignment only had to be a multiple of 1000 (hex, i.e. 4096 bytes), and the new 4000 (16384-byte) alignment satisfies that as well.<br />
<br />
If using [[Theos]], add it like so to your makefile:<br />
<br />
XXX_LDFLAGS += -Wl,-segalign,4000<br />
<br />
This fix is [https://github.com/kirb/theos/commit/bbf282bd3d2fccd5cbadaeac699820fec0f1e533 integrated with kirb/theos]. (Be sure to <code>make update-theos</code> regularly.)<br />
<br />
If using [[Xcode]], add a new entry to ''Other linker flags'' containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.<br />
<br />
Source: [http://twitter.com/saurik/status/654198997024796672 saurik's tweet]<br />
<br />
One example of this is tweaks that modify Cydia, which is a 32-bit app.<br />
<br />
=== Entitlements ===<br />
<br />
''Every'' dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice is producing signed dylibs; if it is a fat binary, make sure that ''all'' slices are signed.<br />
<br />
Use ldid to sign:<br />
<br />
ldid -S Tweak.dylib<br />
<br />
Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.<br />
<br />
<source lang="text"><br />
xbs/Sources/BackBoardServices/SpringBoard-3296.10.2/megatrond/SystemAppService/BKSSystemApplicationClient.m:32<br />
Oct 14 21:29:57 iPhone SpringBoard[1860] <Error>: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Client lacks entitlement com.apple.backboard.client’<br />
</source><br />
<br />
==== Granting them at runtime ====<br />
<br />
To grant entitlements to a specific process in iOS 9, it seems that iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick; the new _BSXPCConnectionHasEntitlement function needs to be hooked instead.<br />
<br />
=== Sandbox Restrictions ===<br />
Tweaks that create or edit files outside the app's container from a sandboxed application are no longer allowed.<br />
* Use an XPC method to communicate with SpringBoard from the sandboxed application.<br />
See [http://iphonedevwiki.net/index.php/CPDistributedMessagingCenter CPDistributedMessagingCenter] for some example code.<br />
<br />
This way you can communicate with a SpringBoard class and have it save or create your files.<br />
<br />
You would need to add the AppSupport framework in your makefile:<br />
XXX_FRAMEWORKS = AppSupport<br />
<br />
* After the v1.1 Pangu Untether update it is no longer possible to save/create/modify the preferences from Sandboxed applications in "atomically" mode.<br />
You will get something like this:<br />
<source lang="text"><br />
Sandbox: processname(PID) deny(1) file-write-unlink/file-write-create /private/var/mobile/Library/Preferences/prefs_file_name.plist<br />
</source><br />
As a workaround you can just replace "atomically:YES" with "atomically:NO":<br />
<source lang="objc"><br />
[prefsDict writeToFile:settingsFilePath atomically:NO];<br />
</source><br />
<br />
* Some sysctl calls and proc_* functions cannot be used in a sandbox now.<br />
Trying to use these functions in a sandboxed app will produce an error like:<br />
<source lang="text"><br />
Sandbox: [PROCCESSNAME] deny(1) process-info-listpids<br />
</source><br />
<br />
== Which tools and other preexisting things are still working on iOS 9? Which ones don't work? ==<br />
<br />
No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.<br />
<br />
* Cycript fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libapr-1.0.dylib<br />
Referenced from: /usr/bin/cycript<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libapr-1.0.dylib: mmap() error 22 at address=0x0013F000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/libapr-1.0.dylib<br />
/usr/lib/libapr-1.0.dylib: mmap() error 22 at address=0x00163000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/libapr-1.0.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* python fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/libpython2.7.dylib<br />
Referenced from: /usr/bin/python<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x00242000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
/usr/lib/libpython2.7.dylib: mmap() error 22 at address=0x003D6000, size=0x0002A000 segment=__DATA in Segment::map() mapping /usr/lib/libpython2.7.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
<br />
* lighttpd fails with the following error:<br />
<br />
<source lang="text"><br />
dyld: Library not loaded: /usr/lib/lighttpd/liblightcomp.dylib<br />
Referenced from: /usr/sbin/lighttpd<br />
Reason: no suitable image found. Did find:<br />
/usr/lib/lighttpd/liblightcomp.dylib: mmap() error 22 at address=0x0012F000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/lighttpd/liblightcomp.dylib<br />
Trace/BPT trap: 5<br />
</source><br />
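The three "mmap() error 22" failures above and the page-size change described under Compilation changes are the same problem seen from two sides: each rejected address or size is a multiple of 4096 but not of 16384. The following added example (not code from the wiki, from dyld, or from any of the tools quoted) parses such a dyld message, checks every failing segment against the old and new 32-bit page sizes, and reports whether relinking with -Wl,-segalign,4000 would address it. The sample input is constructed from the Cycript output above; the verdict strings are this example's own labels.<br />

```python
"""Explain dyld 'mmap() error 22' failures via the iOS 9 32-bit page-size change.

Added example for this wiki page; it is not code from the wiki, from dyld or
from any of the tools quoted on the page.  The sample input is constructed
from the Cycript failure text shown on the page.
"""
import re

OLD_PAGE_SIZE = 0x1000   # 4096 bytes: what older 32-bit binaries were linked for
NEW_PAGE_SIZE = 0x4000   # 16384 bytes: 32-bit page size on 64-bit iOS 9 devices
EINVAL = 22              # mmap() errno 22 on Darwin: rejected arguments, e.g. an
                         # offset/address that is not page aligned

# Constructed sample, copied from the Cycript error quoted on the page.
SAMPLE_DYLD_OUTPUT = """\
dyld: Library not loaded: /usr/lib/libapr-1.0.dylib
Referenced from: /usr/bin/cycript
Reason: no suitable image found. Did find:
/usr/lib/libapr-1.0.dylib: mmap() error 22 at address=0x0013F000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/libapr-1.0.dylib
/usr/lib/libapr-1.0.dylib: mmap() error 22 at address=0x00163000, size=0x00001000 segment=__DATA in Segment::map() mapping /usr/lib/libapr-1.0.dylib
Trace/BPT trap: 5
"""

# One "mmap() error" line as dyld prints it; the trailing "in Segment::map() ..."
# part carries no extra information and is ignored.
MMAP_LINE = re.compile(
    r"^(?P<image>\S+): mmap\(\) error (?P<errno>\d+) "
    r"at address=0x(?P<addr>[0-9A-Fa-f]+), size=0x(?P<size>[0-9A-Fa-f]+) "
    r"segment=(?P<segment>\S+)"
)


def parse_dyld_failure(output):
    """Extract the library, the binary that referenced it and every
    mmap() failure from a dyld 'Library not loaded' message."""
    info = {"library": None, "referenced_from": None, "mmap_failures": []}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("dyld: Library not loaded: "):
            info["library"] = line[len("dyld: Library not loaded: "):]
        elif line.startswith("Referenced from: "):
            info["referenced_from"] = line[len("Referenced from: "):]
        else:
            m = MMAP_LINE.match(line)
            if m:
                info["mmap_failures"].append({
                    "image": m["image"],
                    "errno": int(m["errno"]),
                    "address": int(m["addr"], 16),
                    "size": int(m["size"], 16),
                    "segment": m["segment"],
                })
    return info


def is_aligned(value, page_size):
    """True when value is a whole multiple of page_size."""
    return value % page_size == 0


def diagnose(output):
    """Classify each mmap() failure by page alignment and say whether the
    iOS 9 page-size change explains it."""
    info = parse_dyld_failure(output)
    findings = []
    for f in info["mmap_failures"]:
        old_ok = all(is_aligned(v, OLD_PAGE_SIZE) for v in (f["address"], f["size"]))
        new_ok = all(is_aligned(v, NEW_PAGE_SIZE) for v in (f["address"], f["size"]))
        if f["errno"] == EINVAL and old_ok and not new_ok:
            # 4K-aligned but not 16K-aligned: exactly the failure the page describes
            verdict = "linked for 4K pages"
        elif new_ok:
            # already 16K-aligned, so errno 22 must have some other cause
            verdict = "alignment ok"
        else:
            verdict = "not page aligned at all"
        findings.append({**f, "verdict": verdict})
    needs_relink = any(x["verdict"] == "linked for 4K pages" for x in findings)
    return {
        "library": info["library"],
        "referenced_from": info["referenced_from"],
        "findings": findings,
        "needs_relink": needs_relink,
        # the fix from the Compilation changes section: 0x4000-byte segment
        # alignment, which is valid for both the old and the new page size
        "suggested_ldflag": "-Wl,-segalign,4000" if needs_relink else None,
    }


def format_report(diag):
    """Human-readable summary of a diagnose() result."""
    lines = ["%s (referenced from %s)" % (diag["library"], diag["referenced_from"])]
    for f in diag["findings"]:
        lines.append("  %s at 0x%08X size 0x%X: %s"
                     % (f["segment"], f["address"], f["size"], f["verdict"]))
    if diag["needs_relink"]:
        lines.append("  fix: relink the library with %s" % diag["suggested_ldflag"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diagnose(SAMPLE_DYLD_OUTPUT)))
```

For third-party tools such as the three above, the relink has to come from whoever builds the library; the check is useful for diagnosing dylibs you build and sign yourself.<br />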
<br />
=== Killed: 9 ===<br />
<br />
Pangu9 causes many command-line tools to not work, with the error "Killed: 9".<br />
<br />
This can be solved by re-signing the tool: <code>ldid -S `which <command>`</code><br />
<br />
=== Daemons ===<br />
<br />
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.<br />
<br />
Additionally, daemons are now outputting the error:<br />
<source lang="text"><br />
This daemon is not allowed to execute. Running anyway.<br />
</source><br />
<br />
This can be fixed by adding the plist entry ExecuteAllowed with a boolean YES.<br />
<br />
Daemons that use more than around 10MB are killed via Jetsam:<br />
<source lang="text"><br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:29 My-iPhone-6s ReportCrash[13169] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s diagnosticd[209] <Error>: error evaluating process info - pid: 13166, punique: 13166<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Notice>: Formulating report for process[13166] pmpd<br />
Oct 28 12:24:30 My-iPhone-6s com.apple.xpc.launchd[1] (org.protectmyprivacy.pmpd) <Notice>: Service only ran for 0 seconds. Pushing respawn out by 10 seconds.<br />
Oct 28 12:24:30 My-iPhone-6s UserEventAgent[128] <Notice>: jetsam: kernel termination snapshot being created<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13169] <Warning>: report not saved because it is non-actionable<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Injecting: (null) [ReportCrash] (1240.10)<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib<br />
Oct 28 12:24:30 My-iPhone-6s ReportCrash[13172] <Warning>: report not saved because the limit of 25 for 298 logs has been reached.<br />
</source><br />
It's likely that Jetsam properties need to be added to the plist to raise this limit. Apple's launch daemon plists use properties from a device-specific globals file at /System/Library/LaunchDaemons/com.apple.jetsamproperties.N71.plist.<br />
It's not clear whether you can still put the JetsamProperties keys in your daemon plist or whether you need to add them to the globals list; some Apple plists still carry them, e.g. com.apple.atc.plist.<br />
<br />
=== Connecting to UNIX sockets ===<br />
Tweaks built as a library injected into an app, communicating with a daemon over a UNIX socket, might fail to connect to the socket with error code EPERM and the following syslog message:<br />
<source lang="text"><br />
kernel[0] <Notice>: Sandbox: app-name(<pid>) deny(1) network-outbound /private/var/tmp/mysocket<br />
</source><br />
Note that this worked with the original Pangu untether and has been failing (as described) with the latest (1.1.0) Pangu Fuxi Qin.<br />
<br />
'''Update:''' This seems to be untrue. This doesn't work with the original Pangu untether either. Maybe the Cydia update process has something to do with it? Maybe stashing?<br />
<br />
A current workaround is to place the UNIX socket inside the app's sandbox.</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Welcome&diff=4209Welcome2015-10-28T11:56:16Z<p>Indiekiduk: /* Overview of contents */</p>
<hr />
<div>__NOTOC__<br />
== Welcome to the iPhoneDevWiki ==<br />
[[File:Drill bits.jpg|right]]<br />
Our goal is to share the sum of all human<ref> We'll make an exception for lawyers; they may submit too. Cf. http://wiki.creativecommons.org/Frequently_Asked_Questions#How_does_a_Creative_Commons_license_operate.3F: "Creative Commons licenses are expressed in three different formats: the Commons Deed (human-readable code), the Legal Code (lawyer-readable code); and the metadata (machine readable code)."</ref> knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.<br />
<br />
What is this wiki for?<br />
<br />
* Information about using iOS [[frameworks]] (both public and [[PrivateFrameworks|private]]), [[SpringBoard.app|SpringBoard]], system [[daemons]] (for hooking and hacking), and classes in applications included with the system.<br />
* Information about third-party libraries and extensions for developers ([[ActionMenu]], [[AppList]], [[Flipswitch]], [[IconSupport]], [[libactivator]], [[libhide]], [[libobjcipc]], [[libstatusbar]], [[PreferenceLoader]], [[RocketBootstrap]], etc.).<br />
* Lists of [[Open Source Projects]], [[Reverse Engineering Tools]], [[advice for new developers]], [[List of development blogs|development blogs]], and other useful information for developers.<br />
* Documentation about making preferences for extensions: [[PreferenceLoader]], [[PreferenceBundles]], [[Preferences specifier plist]], [[Preferences.framework]].<br />
* Anything else about development for jailbroken iOS devices. (For other technical information about iOS, see [http://theiphonewiki.com The iPhone Wiki], which covers topics including jailbreak exploits, internal iOS systems, and iOS hardware details. [http://theiphonewiki.com/wiki/Up_to_Speed "Up to Speed"] is its getting-started page about learning about security research on iOS.)<br />
<br />
Current featured article: '''[[Updating extensions for iOS 9]]'''<br />
<br />
New articles: [[Kik]], [[Active Developers]], [[IPC|Inter Process Communication (IPC)]], [[Using ARC in tweaks]], [[Career advice]], [[IOMobileFramebuffer]], [[IOAudio2Device]], [[IOAudio2Transformer]], [[RocketBootstrap]].<br />
<br />
If you'd like to make a new article or improve an existing article, see [[Help:Editing]] for advice (and see [[#Editing this wiki]] for ideas). '''Articles that need work''': [[Packaging]] (tools, control file tips, troubleshooting dpkg-deb errors), [[Next Steps After Getting Started]] (a set of ideas for tutorials you could write), ''edit this page and add your idea here''.<br />
<br />
== Getting started ==<br />
<br />
New to developing for jailbroken devices? Welcome, it's fun and challenging! Hopefully you already have some experience with Objective-C. You will want to get familiar with [[MobileSubstrate|Cydia Substrate (formerly called MobileSubstrate)]] and [[Theos]], and you can study some [[Open Source Projects]] to see how existing tweaks work. See '''[[Getting Started]]''' and also take a look at [[Best Practices]] and [[MobileSubstrate Pitfalls]]. If you're looking for a more thorough and sequential tutorial, take a look at the book ''[http://iosre.com/t/ios-app-reverse-engineering-the-worlds-1st-book-of-very-detailed-ios-app-reverse-engineering-skills/1117 iOS App Reverse Engineering]'' and its forum [http://bbs.iosre.com iOSRE].<br />
<br />
'''How to ask for help:''' You can ask questions in the IRC channel [https://kiwiirc.com/client/irc.saurik.com/#iphonedev #iphonedev on irc.saurik.com] (where a bunch of developers hang out). IRC is an old-school chat system; if you don't already know how to use it, [[How to use IRC]] has details for you. There are also tags for [http://stackoverflow.com/questions/tagged/jailbreak "jailbreak"], [http://stackoverflow.com/questions/tagged/cydia "Cydia"], and [http://stackoverflow.com/questions/tagged/theos "Theos"] on Stack Overflow, a site for programming questions in general; feel free to ask there as well. (If you want to help answer questions, following [https://twitter.com/jailbreakdevqs @JailbreakDevQs] might be useful.) On reddit, there's [http://www.reddit.com/r/jailbreakdevelopers/ /r/jailbreakdevelopers]. For non-development-related troubleshooting questions, try [http://www.jailbreakqa.com/ JailbreakQA] or [http://www.reddit.com/r/jailbreak/ /r/jailbreak].<br />
<br />
== Overview of contents ==<br />
<br />
By topic:<br />
<br />
* '''Frameworks''':<br />
** {{fwlink|UIKit}} &bull; {{fwlink|GraphicsServices}} &bull; {{fwlink|AppSupport}} &bull; {{fwlink|BiometricKit}} &bull; {{fwlink|ChatKit}} &bull; {{fwlink|MobileWiFi}} &bull; '''''[[Template:Navbox Frameworks|more »]]'''''<br />
* '''Applications''':<br />
** {{applink|SpringBoard}} &bull; {{applink|Preferences}} &bull; {{applink|MobileSafari}} &bull; '''''[[Template:Navbox Applications|more »]]'''''<br />
* '''Extensions''':<br />
** [[ActionMenu]] &bull; [[AppList]] &bull; [[Cydget]] &bull; [[Flipswitch]] &bull; [[IconSupport]] &bull; [[LayerSnapshotter]] &bull; [[libactivator]] &bull; [[libhide]] &bull; [[libobjcipc]] &bull; [[libstatusbar]] &bull; [[PreferenceLoader]] &bull; [[RocketBootstrap]] &bull; [[WinterBoard]] &bull; [[libPassword]] &bull; '''''[[:Category:Cydia_packages|more »]]'''''<br />
* '''System directories''':<br />
** [[Frameworks]] &bull; [[Internet Plug-Ins]] &bull; [[PreferenceBundles]] &bull; [[PrivateFrameworks]] &bull; '''''[[Template:Navbox_Library|more »]]'''''<br />
* '''Other parts of iOS''':<br />
** [[Bluetooth]] &bull; [[CgBI file format]] &bull; [[Coprocessors]] &bull; [[Daemons]] &bull; [[dyld_shared_cache]] &bull; [[Entitlements]] &bull; [[iOS Keyboard]] &bull; [[launchd]] &bull; [[NFC]] &bull; [[Notifications]] &bull; [[Seatbelt]]<br />
* '''Development tools''':<br />
** [[Cycript]] &bull; [[MobileSubstrate|Cydia Substrate (MobileSubstrate)]] &bull; [[debugserver|debugserver (remote debugging)]] &bull; [[Jailbreak Development Tools]] &bull; [[ldid]] &bull; [[On-device toolchains]] &bull; [[Reverse Engineering Tools]] &bull; [[Theos]], [[Logos]], [[NIC]], [[Logify]] &bull; [[Retrieving SDKs]] &bull; [[Xcode|Xcode &ndash; Bypass Provisioning Profile]] &bull; [[SSH Over USB]]<br />
* '''Other articles about development''':<br />
** [[Getting Started]] &bull; [[Best Practices]] &bull; [[MobileSubstrate Pitfalls]] &bull; [[Open Source Projects]] &bull; [[Advice for new developers]] &bull; [[Updating extensions for iOS 8]] &bull; [[Updating extensions for iOS 7]] &bull; [[Debugging on iOS 7]] &bull; [[Cydia Store Integration]] &bull; [[Tweak DRM]] &bull; [[Code Signing]] &bull; [[Repository Management]] &bull; [[Packaging]] &bull; [[Crack prevention]] &bull; [[List of development blogs]] &bull; [[Using ARC in tweaks]] &bull; [[Career advice]]<br />
<br />
By iOS version:<br />
<br />
* '''New in iOS 9:''' [[Updating extensions for iOS 9]].<br />
* '''New in iOS 8:''' [[Updating extensions for iOS 8]], [[AssertionServices.framework]], [[SBSRestartRenderServerAction]], [[FBSSystemService]], [[UIAlertController]].<br />
* '''New in iOS 7:''' [[Updating extensions for iOS 7]], [[Debugging on iOS 7]], [[Downgrading iPhone 4 from iOS 7]], [[BiometricKit.framework]], [[TouchID]], [[UIBackdropView]], [[AVFlashlight]], [[SBAppSliderController]].<br />
* '''New in iOS 6:''' [[BackBoardServices.framework]], [[backboardd]], [[ChatKit.framework]], [[BKSProcessAssertion]].<br />
* '''New in iOS 5:''' [[SBIconView]], [[CKMadridService]], [[SBAppContextHostManager]].<br />
* '''New in iOS 4:''' [[SBAppSwitcherModel]].<br />
<br />
Translated articles: <br />
<br />
* '''Français''': [[Main page/fr]] &bull; [[MobileSubstrate/fr]] &bull; [[SSH Over USB/fr]] &bull; [[UIFont/fr]] &bull; [[UIColor/fr]] &bull; [[ActorKit.framework/fr]] &bull; [[IOSOpenDev/fr]]<br />
* '''ไทย''': [[MobileSubstrate/th]] &bull; [[SSH Over USB/th]] &bull; [[SpringBoard.app/th]] &bull; [[UIColor/th]]<br />
<br />
<!-- {{Navbox Frameworks}}<br />
{{Navbox Applications}} --><br />
<br />
== Editing this wiki ==<br />
<br />
* If you have anything at all to contribute, feel free to do so!<br />
* An account is required to edit pages, but everyone is welcome to make an account. If you have trouble with the account creation process, or any questions about editing the wiki, please ask in #iphonedev on irc.saurik.com for help (see [[How to use IRC]]).<br />
<br />
Some ideas for information to contribute:<br />
<br />
* Add more projects to the list of [[Open Source Projects]], or fill out details on that page.<br />
* Expand [[Getting Started]] for new developers - what do they need to know before beginning? How do they set up a development environment on OS X, Windows, and Linux? What are common beginner's mistakes that they should watch out for? How to reverse-engineer parts of iOS for writing tweaks? How to debug with GDB and learn about memory management?<br />
* Update articles that haven't been significantly edited in a few years, such as [[Seatbelt]] and [[Crack prevention]]. See [[Special:AncientPages]] for a list of articles that haven't been updated recently.<br />
* Help [[Cycript]] explain why Cycript is fun - syntax highlighting, injection, auto-completion, generally exploring around.<br />
* Make a page that documents a class or framework you're familiar with.<br />
* If you've developed a library that other developers can use or write addons/plugins/extensions for, make a page that documents your project.<br />
* Update [[Xcode]] with better information about how to build apps for jailbroken devices.<br />
* Make the homepage more useful! For example, add links to good pages that are hidden/buried deep within the wiki.<br />
* The following articles are linked from nowhere in the wiki: [[Special:LonelyPages]] - you can fix that by linking them somewhere.<br />
* Check out the most popular pages and see if they need updating: [[Special:PopularPages]].<br />
* Write an article that is in demand: [[Special:WantedPages]].<br />
* Translate an existing article into a non-English language. Check out the list at [[Special:PopularPages]] for ideas about high-priority articles to translate, and then make a new page with this name format: <code>Article name/[language code]</code>. [http://svn.wikimedia.org/svnroot/mediawiki/trunk/phase3/languages/Names.php Here's the list of language codes.] For example: [[PreferenceLoader/de]] or [[Libactivator/sv]].<br />
<br />
----<br />
<br />
<references /></div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_8&diff=3401Updating extensions for iOS 82014-12-13T02:04:47Z<p>Indiekiduk: /* Everything else */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+8&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_8&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== What has changed in iOS 8? (Classes, frameworks, etc.) ==<br />
<br />
=== Preference saving ===<br />
<br />
In iOS 8, the preferences daemon cfprefsd holds all preferences in memory and writes them to the corresponding .plist file "whenever it wants". Therefore, when the notification for a change is posted, the change has usually not yet been written to the file, and reading preferences directly from the .plist has become problematic. The notification from the [[Preferences specifier plist]] is now posted '''before''' the plist is updated on disk, as opposed to '''after''' the plist was updated on disk, which was the case on iOS < 8.<br />
<br />
Writing directly to a plist in Preferences is also a problem, because the daemon will not know about your "manual" changes and will overwrite them when it writes out its in-memory settings. So either read and write everything yourself (for example by overriding <code>setPreferenceValue:specifier:</code> and <code>readPreferenceValue:</code>) or use [https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFPreferencesUtils/ CFPreferencesUtils].<br />
<br />
==== Solution 1: Use CFPreferences (does not work in sandboxed processes) ====<br />
<br />
'''See [[PreferenceBundles#Loading_Preferences_into_unsandboxed_processes_.28using_CFPreferences.29|Loading Preferences into unsandboxed processes (using CFPreferences)]] for what to do.''' (As that page says: this was tested back to iOS 6 and seemed to work without problems. This solution does not work if you are in third-party apps or other apps that have sandboxed preferences.) Another viable option could be a GCD dispatch source on a file descriptor for that file.<br />
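The pattern Solution 1 describes, written out as an added example for an unsandboxed process such as SpringBoard (this is not code from the original page or from the linked PreferenceBundles article). The domain <code>com.example.mytweak</code>, the notification name <code>com.example.mytweak/prefschanged</code> and the keys <code>Enabled</code> and <code>Threshold</code> are placeholders; the point is that the callback asks cfprefsd for the current values instead of re-reading the .plist, which on iOS 8 is still stale when the notification arrives.<br />
<br />
```objc
#import <Foundation/Foundation.h>

// Placeholder identifiers for this example; substitute your own tweak's domain.
static CFStringRef const kPrefsDomain = CFSTR("com.example.mytweak");
static CFStringRef const kPrefsChangedNotification = CFSTR("com.example.mytweak/prefschanged");

// Cached copies of the two preferences this example cares about, with defaults.
static BOOL   gEnabled   = YES;
static double gThreshold = 0.5;

// Reload the cached values from cfprefsd's in-memory copy of the domain.
// CFPreferencesAppSynchronize() talks to cfprefsd directly, so the new value is
// visible immediately, even while the .plist on disk still holds the old one.
static void reloadPrefs(void) {
    CFPreferencesAppSynchronize(kPrefsDomain);

    Boolean keyExists = 0;
    Boolean enabled = CFPreferencesGetAppBooleanValue(CFSTR("Enabled"), kPrefsDomain, &keyExists);
    gEnabled = keyExists ? (BOOL)enabled : YES;   // fall back to the default if unset

    CFPropertyListRef value = CFPreferencesCopyAppValue(CFSTR("Threshold"), kPrefsDomain);
    if (value != NULL) {
        // Treat the stored value as untrusted input: check its type before use
        // instead of casting blindly (a malformed plist must not crash SpringBoard).
        if (CFGetTypeID(value) == CFNumberGetTypeID()) {
            CFNumberGetValue((CFNumberRef)value, kCFNumberDoubleType, &gThreshold);
        }
        CFRelease(value);
    }
}

// Darwin notification callback. On iOS 8 this runs *before* cfprefsd has written
// the .plist, so the pre-iOS 8 habit of re-reading the file here, i.e.
//   [NSDictionary dictionaryWithContentsOfFile:
//       @"/var/mobile/Library/Preferences/com.example.mytweak.plist"]
// would return the previous values. Asking cfprefsd instead does not.
static void prefsChanged(CFNotificationCenterRef center, void *observer,
                         CFStringRef name, const void *object, CFDictionaryRef userInfo) {
    reloadPrefs();
}

// Tweak constructor: load once at injection time, then follow change notifications.
// The Settings side posts the same name via the PostNotification key of its
// specifier plist (or notify_post() from a custom preference controller).
__attribute__((constructor)) static void initPrefs(void) {
    reloadPrefs();
    CFNotificationCenterAddObserver(CFNotificationCenterGetDarwinNotifyCenter(),
                                    NULL, prefsChanged, kPrefsChangedNotification,
                                    NULL, CFNotificationSuspensionBehaviorCoalesce);
}
```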
<br />
==== Solution 2: Override setPreferenceValue:specifier: and readPreferenceValue: in the preference bundle to restore the old behaviour (Karen (angelXwind)'s method) ====<br />
<br />
'''See [[PreferenceBundles#Loading_Preferences_into_sandboxed.2Funsandboxed_processes_in_iOS_8|Loading Preferences into sandboxed/unsandboxed processes in iOS 8]] for instructions and code on how to achieve this.'''<br />
<br />
I've tested this on iOS 5, 6, 7, and 8, and can confirm that it works without any issues.<br />
<br />
==== Solution 3: Use CFPreferencesAppSynchronize (apparently works in sandboxed processes for some people) (iMokhles/ichitaso's method) ====<br />
<br />
'''See [https://gist.github.com/iMokhles/23061acdffbfeaa875db How to use CFPreferencesAppSynchronize with ARC and non ARC (iOS8 Tweaks) + CFNotificationCallback] for some example code.'''<br />
<br />
The above example was tested with the sandboxed apps "WhatsApp" and "Tweetbot 3" and seems to work perfectly. Thanks to xTM3x, Yllier, and others for their research on this.<br />
<br />
==== Another solution ====<br />
<br />
[http://sharedinstance.net/2014/11/settings-the-right-way/ Another way on the sharedInstance blog.]<br />
<br />
==== And another solution ====<br />
<br />
<code>[[[[NSUserDefaults standardUserDefaults] persistentDomainForName:@"com.malcolmhall.StealthCam"] objectForKey:@"lock"] boolValue];</code><br />
<br />
Note that on previous iOS versions the preference wasn't always up to date, but on iOS 8 it appears to be. I'm using this in my StealthCam SpringBoard tweak. Not tested in a sandbox yet.<br />
<br />
=== Everything else ===<br />
<br />
* The term 'Display Identifier' has been removed when referring to SBApplication. Methods that used the term usually have a 'Bundle Identifier' equivalent; e.g. <code>-[SBApplicationController applicationWithDisplayIdentifier:]</code> and <code>-[SBApplication displayIdentifier]</code> are now <code>-[SBApplicationController applicationWithBundleIdentifier:]</code> (not to be confused with <code>-[SBApplicationController applicationsWithBundleIdentifier:]</code>) and <code>-[SBApplication bundleIdentifier]</code>. Since applications are now found using their bundle identifier, <code>-[SBIconModel applicationIconForDisplayIdentifier:]</code> is now <code>-[SBIconModel applicationIconForBundleIdentifier:]</code>. A catch-all way of getting ''any'' icon is <code>-[SBIconModel expectedIconForDisplayIdentifier:]</code>.<br />
<br />
* "Has anyone looked into granting entitlements in iOS 8? It would appear the popular method of hooking "_XPCConnectionHasEntitlement" no longer works." "I haven't had a whole lot of time to do testing or look for better methods but I found "_BSAuditTokenTaskHasEntitlement" which appears to have a similar function to "_XPCConnectionHasEntitlement", it's part of the "assertiond" process which must be hooked in order to access it, so far it's worked. More specifically, part of the "BaseBoard" private framework within "assertiond"."<br />
<br />
* PLBatteryPropertiesEntry no longer seems to exist for getting current battery info such as: <code>[PLBatteryPropertiesEntry batteryPropertiesEntry].currentCapacity</code>. You can still use:<br />
<source lang="objc"><br />
io_service_t powerSource = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPMPowerSource"));<br />
CFNumberRef currentCapacityNum = (CFNumberRef)IORegistryEntryCreateCFProperty(powerSource, CFSTR(kIOPMPSCurrentCapacityKey), kCFAllocatorDefault, 0);<br />
</source><br />
<br />
* launchctl appears to be slightly broken. launchctl start and stop work perfectly, but launchctl load/unload no longer works with [[daemons]] in /System/Library/LaunchDaemons/ (aborts with the cryptic error message <code>/System/Library/LaunchDaemons/com.apple.mobile.installd.plist: The specified service path was not in the service cache</code>). But you can load/unload daemons based in /Library/LaunchDaemons/ (that's where you are supposed to launch your daemons from anyway).<br />
** Use the new subcommands instead, e.g. <code>launchctl kickstart -k system/com.apple.locationd</code><br />
<br />
* MISValidateSignatureAndCopyInfo appears to perform additional code-signing checks during app installation.<br />
<br />
* installd cannot be reloaded via launchctl.<br />
<br />
* Mobile application containers are at /var/mobile/Containers/Bundle/Application.<br />
<br />
* Looks like certain apps don't have privileges for IORegistryEntryCreateCFProperty anymore (Safari, Mail).<br />
<br />
* PrivateFrameworks (and possibly others) in the iOS 8 SDK are missing the __TEXT section. Frameworks must be extracted from a device's dyld_shared_cache using a tool like [http://www.newosxbook.com/index.php?page=downloads JTool] or IDA before they can be (statically) reverse engineered. See [[dyld_shared_cache]] for more info.<br />
<br />
* Many functions from SBMediaController have been removed, and it is now useless for accessing now-playing information. <code>-[MPUNowPlayingController currentElapsed]</code> and <code>-[MPUNowPlayingController currentDuration]</code> can be used to display the track time. Use [https://github.com/Cykey/ios-reversed-headers/blob/master/MediaRemote/MediaRemote.h MediaRemote]'s <code>kMRMediaRemoteNowPlayingInfoDidChangeNotification</code> on the local notification center for updates when the now-playing info changes, and <code>kMRMediaRemoteNowPlayingApplicationIsPlayingDidChangeNotification</code> for updates on the playback state. Use <code>MRMediaRemoteGetNowPlayingInfo(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef result) { /* read the now-playing dictionary here */ });</code> to access the now-playing info. This code works fine on iOS 7 and 8.<br />
<br />
* You can no longer mount FAT-formatted storage devices via the CCK, only HFS.<br />
<br />
* "Has anyone figured out how to add subviews to UIAlertView in iOS 8 yet?" "I found a workaround so I can at least add to the content view (which is not the size of the full alert view though). Within a subclass of UIAlertView do <code>[[[[self _alertController] contentViewController] view] addSubview:theSubview];</code>. When not subclassing, <code>[[[[alertView _alertController] contentViewController] view] addSubview:theSubview];</code> should work, although one has to figure out the right time to do that."<br />
<br />
* system() is now deprecated. Apple recommends using [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/posix_spawn.2.html posix_spawn()] instead. Another method that allows the use of system() in iOS 8+ can be found [http://ninjaprawn.com/blog/index.php?controller=post&action=view&id_post=2 here].<br />
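The system() to posix_spawn() replacement the previous bullet recommends, as an added example that is not from the original page: the helper <code>run_process</code> is written here, and the command it runs is the <code>launchctl kickstart</code> invocation quoted above. Because posix_spawn() takes an explicit argv and a fixed environment, no shell parses the arguments and nothing inherited from the hooked process leaks into the child.<br />
<br />
```objc
#include <spawn.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <stdio.h>

// Spawn `path` with an explicit argv and a minimal, fixed environment, wait for it,
// and return its exit status (or -1 with errno set). Unlike system(), no /bin/sh is
// involved, so an argument containing ';' or '$' is passed through verbatim.
static int run_process(const char *path, char *const argv[]) {
    char *const envp[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    pid_t pid;
    int rc = posix_spawn(&pid, path, NULL, NULL, argv, envp);
    if (rc != 0) {
        errno = rc;          // posix_spawn returns the error instead of setting errno
        return -1;
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR) return -1;   // only retry when interrupted by a signal
    }
    if (WIFEXITED(status))   return WEXITSTATUS(status);
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status);  // shell-style convention
    return -1;
}

// Before (deprecated on iOS 8, and the whole string is re-parsed by /bin/sh):
//   system("launchctl kickstart -k system/com.apple.locationd");
// After: each word is its own argv element, argv[0] is the program name.
static int kickstart_locationd(void) {
    char *const argv[] = { "launchctl", "kickstart", "-k", "system/com.apple.locationd", NULL };
    return run_process("/bin/launchctl", argv);
}

int main(void) {
    int status = kickstart_locationd();
    if (status < 0) {
        perror("run_process");
        return 1;
    }
    printf("launchctl exited with status %d\n", status);
    return status;
}
```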
<br />
* If an app is using WKWebViews, processes named com.apple.WebContent and com.apple.WebNetworking are spawned, and each of them creates only one NSURLCache. If you want to know the bundle identifier of the app they were spawned for, hook <code>-[NSURLCache _initWithMemoryCapacity:diskCapacity:relativePath:]</code> in those processes: <code>relativePath</code> will be that bundle identifier. It's not perfect, but it's a quick and neat trick.<br />
<br />
* com.apple.mobileinstallation.plist is gone on iOS 8. You can use [[AppList]] to get a list of installed apps. If you need to do this without Substrate for some reason, [http://www.reddit.com/r/jailbreakdevelopers/comments/2k6gft/list_installed_apps_on_ios_8/ this post and thread] has some discussion of alternatives.<br />
<br />
* When a passcode is set, normal UIWindows are not rendered when on the lockscreen, although touch events are still received. You can make your own UIWindows show up over the lockscreen by calling <code>-(void)_setSecure:(BOOL)secure</code>, or you can override <code>- (bool)_shouldCreateContextAsSecure;</code> in UIWindow to always return YES for all new UIWindows. (CAContext has a new property <code>bool isSecure</code> which controls this behaviour.)<br />
<br />
* SBAppSlider* is now SBAppSwitcher*<br />
<br />
* [http://newosxbook.com/articles/8-10.10.html Notes from iOS 8 and the OS X 10.10 Preview, by Jonathan Levin] - more about frameworks, daemons, and launchd.<br />
<br />
== What is new in iOS 8, and how does it work? ==<br />
<br />
* The view Reachability invokes is in the new framework FrontBoard - you can hook it. It is a FBWindowContextHostView. To toggle it: <code>[[%c(SBReachabilityManager) sharedInstance] _handleReachabilityActivated];</code><br />
<br />
* To support Reachability on smaller devices, hook SBReachabilityManager class's <code>+(BOOL)reachabilitySupported;</code><br />
<br />
* FrontBoard is a new framework that takes up a few of BackBoardServices' responsibilities. SpringBoard now inherits from FBSystemApp, which in turn is a UIApplication subclass.<br />
<br />
* CameraKit is a new framework that takes everything related to the camera out of PhotoLibrary.framework. PLCameraController is now the humongous CAMCaptureController.<br />
<br />
* Apple seems to call the iOS side Octavia and the OS X side Nero.<br />
<br />
== Which tools and other preexisting things are still working on iOS 8? Which ones don't work? ==<br />
<br />
* Activator, Flipswitch and AppList updates compatible with iOS 8 are live on BigBoss repository ([https://twitter.com/rpetrich/status/527244599820288003 verified by rpetrich]).<br />
<br />
* The package <code>syslogd to /var/log/syslog</code> '''has been updated for iOS 8''', as of November 9. There are alternatives listed at [http://theiphonewiki.com/wiki/System_Log on TheiPhoneWiki] if you want to use a different method of accessing syslog though.<br />
<br />
* "Does Theos work on iOS 8?" [http://www.reddit.com/r/jailbreakdevelopers/comments/2k2eat/question_theos_and_ios_8/ uroboro responds here]<br />
<br />
* libstatusbar is compatible with iOS 8 as of version 0.9.8.<br />
<br />
* libsymbolicate doesn't work on 8. (VMUHeader is gone from Symbolication.framework.) The maintainer is looking into it, but fixing it isn't simple and may take some time.<br />
<br />
* "RocketBootstrap seems to work." - it works perfectly with my tweak [Simon Selg]. Maybe not [https://twitter.com/punksomething/status/527878336081842176 working as well with Flex though]?<br />
<br />
* "What works for dumping classes on iOS 8? classdumpz doesn't seem to work. I'm trying to dump them directly on an iPhone 6." "You could use class-dump for i386 and the iOS 8 simulator" "[http://stevenygard.com/projects/class-dump/ This class-dump works for me.]" "If you want to dump on your iPhone then just compile its source to ARM; IIRC its distributed binary is x86/64 only."<br />
<br />
* "Does weak_classdump_bundle fail for anyone else on SpringBoard?" "It fails in general, it needs to be updated. You can dump SpringBoard with classdump-dyld." An updated classdump-dyld (that supports 64bit executables dumping) is available [https://github.com/limneos/classdump-dyld on GitHub] and on BigBoss ([https://ghostbin.com/paste/3r86u changelog]).<br />
<br />
== Random assorted other notes ==<br />
<br />
* [http://developer.limneos.net/index.php?ios=8.0 iOS 8.0 Headers], [https://github.com/coolstar/iOS-8.1-SpringBoard-Headers another set of SpringBoard headers], [https://github.com/iMokhles/iPhone5S-iOS8.1-SBHeaders another set of SpringBoard headers Part-1] and [https://github.com/iMokhles/iPhone5S-iOS8.1-SBHeaders-2 another set of SpringBoard headers Part-2] (made with different [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|class dumping tools]]).<br />
<br />
* In things like SBStarkBanner* classes, Stark is the codename for CarPlay™ since iOS 7</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_8&diff=3400Updating extensions for iOS 82014-12-13T02:00:51Z<p>Indiekiduk: /* And another solution */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+8&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_8&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== What has changed in iOS 8? (Classes, frameworks, etc.) ==<br />
<br />
=== Preference saving ===<br />
<br />
In iOS 8, the preferences daemon cfprefsd holds all preferences in memory and writes them to the corresponding .plist file "whenever it wants". Therefore, when the notification for a change is posted, the change has usually not yet been written to the file, and reading preferences directly from the .plist has become problematic. The notification from the [[Preferences specifier plist]] is now posted '''before''' the plist is updated on disk, as opposed to '''after''' the plist was updated on disk, which was the case on iOS < 8.<br />
<br />
Writing directly to a plist in Preferences is also a problem, because the daemon will not know about your "manual" changes and will overwrite them when it writes out its in-memory settings. So either read and write everything yourself (for example by overriding <code>setPreferenceValue:specifier:</code> and <code>readPreferenceValue:</code>) or use [https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFPreferencesUtils/ CFPreferencesUtils].<br />
<br />
==== Solution 1: Use CFPreferences (does not work in sandboxed processes) ====<br />
<br />
'''See [[PreferenceBundles#Loading_Preferences_into_unsandboxed_processes_.28using_CFPreferences.29|Loading Preferences into unsandboxed processes (using CFPreferences)]] for what to do.''' (As that page says: this was tested back to iOS 6 and seemed to work without problems. This solution does not work if you are in third-party apps or other apps that have sandboxed preferences.) Another viable option could be a GCD dispatch source on a file descriptor for that file.<br />
<br />
==== Solution 2: Override setPreferenceValue:specifier: and readPreferenceValue: in the preference bundle to restore the old behaviour (Karen (angelXwind)'s method) ====<br />
<br />
'''See [[PreferenceBundles#Loading_Preferences_into_sandboxed.2Funsandboxed_processes_in_iOS_8|Loading Preferences into sandboxed/unsandboxed processes in iOS 8]] for instructions and code on how to achieve this.'''<br />
<br />
I've tested this on iOS 5, 6, 7, and 8, and can confirm that it works without any issues.<br />
<br />
==== Solution 3: Use CFPreferencesAppSynchronize (apparently works in sandboxed processes for some people) (iMokhles/ichitaso's method) ====<br />
<br />
'''See [https://gist.github.com/iMokhles/23061acdffbfeaa875db How to use CFPreferencesAppSynchronize with ARC and non ARC (iOS8 Tweaks) + CFNotificationCallback] for some example code.'''<br />
<br />
The above example was tested with the sandboxed apps "WhatsApp" and "Tweetbot 3" and seems to work perfectly. Thanks to xTM3x, Yllier, and others for their research on this.<br />
<br />
==== Another solution ====<br />
<br />
[http://sharedinstance.net/2014/11/settings-the-right-way/ Another way on the sharedInstance blog.]<br />
<br />
==== And another solution ====<br />
<br />
<code>[[[[NSUserDefaults standardUserDefaults] persistentDomainForName:@"com.malcolmhall.StealthCam"] objectForKey:@"lock"] boolValue];</code><br />
<br />
Note that on previous iOS versions the preference wasn't always up to date, but on iOS 8 it appears to be. I'm using this in my StealthCam SpringBoard tweak. Not tested in a sandbox yet.<br />
<br />
=== Everything else ===<br />
<br />
* The term 'Display Identifier' has been removed when referring to SBApplication. Methods that used the term usually have a 'Bundle Identifier' equivalent; e.g. <code>-[SBApplicationController applicationWithDisplayIdentifier:]</code> and <code>-[SBApplication displayIdentifier]</code> are now <code>-[SBApplicationController applicationWithBundleIdentifier:]</code> (not to be confused with <code>-[SBApplicationController applicationsWithBundleIdentifier:]</code>) and <code>-[SBApplication bundleIdentifier]</code>. Since applications are now found using their bundle identifier, <code>-[SBIconModel applicationIconForDisplayIdentifier:]</code> is now <code>-[SBIconModel applicationIconForBundleIdentifier:]</code>. A catch-all way of getting ''any'' icon is <code>-[SBIconModel expectedIconForDisplayIdentifier:]</code>.<br />
<br />
* "Has anyone looked into granting entitlements in iOS 8? It would appear the popular method of hooking "_XPCConnectionHasEntitlement" no longer works." "I haven't had a whole lot of time to do testing or look for better methods but I found "_BSAuditTokenTaskHasEntitlement" which appears to have a similar function to "_XPCConnectionHasEntitlement", it's part of the "assertiond" process which must be hooked in order to access it, so far it's worked. More specifically, part of the "BaseBoard" private framework within "assertiond"."<br />
<br />
* PLBatteryPropertiesEntry no longer seems to exist for getting current battery info such as: <code>[PLBatteryPropertiesEntry batteryPropertiesEntry].currentCapacity</code>. You can still use:<br />
<source lang="objc"><br />
io_service_t powerSource = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPMPowerSource"));<br />
CFNumberRef currentCapacityNum = (CFNumberRef)IORegistryEntryCreateCFProperty(powerSource, CFSTR(kIOPMPSCurrentCapacityKey), kCFAllocatorDefault, 0);<br />
</source><br />
<br />
* launchctl appears to be slightly broken. launchctl start and stop work perfectly, but launchctl load/unload no longer works with [[daemons]] in /System/Library/LaunchDaemons/ (aborts with the cryptic error message <code>/System/Library/LaunchDaemons/com.apple.mobile.installd.plist: The specified service path was not in the service cache</code>). But you can load/unload daemons based in /Library/LaunchDaemons/ (that's where you are supposed to launch your daemons from anyway).<br />
<br />
* MISValidateSignatureAndCopyInfo appears to perform additional code-signing checks during app installation.<br />
<br />
* installd cannot be reloaded via launchctl.<br />
<br />
* Mobile application containers are at /var/mobile/Containers/Bundle/Application.<br />
<br />
* Looks like certain apps don't have privileges for IORegistryEntryCreateCFProperty anymore (Safari, Mail).<br />
<br />
* PrivateFrameworks (and possibly others) in the iOS 8 SDK are missing the __TEXT section. Frameworks must be extracted from a device's dyld_shared_cache using a tool like [http://www.newosxbook.com/index.php?page=downloads JTool] or IDA before they can be (statically) reverse engineered. See [[dyld_shared_cache]] for more info.<br />
<br />
* Many functions from SBMediaController have been removed, and it is now useless for accessing now-playing information. <code>-[MPUNowPlayingController currentElapsed]</code> and <code>-[MPUNowPlayingController currentDuration]</code> can be used to display the track time. Use [https://github.com/Cykey/ios-reversed-headers/blob/master/MediaRemote/MediaRemote.h MediaRemote]'s <code>kMRMediaRemoteNowPlayingInfoDidChangeNotification</code> on the local notification center for updates when the now-playing info changes, and <code>kMRMediaRemoteNowPlayingApplicationIsPlayingDidChangeNotification</code> for updates on the playback state. Use <code>MRMediaRemoteGetNowPlayingInfo(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef result) { /* read the now-playing dictionary here */ });</code> to access the now-playing info. This code works fine on iOS 7 and 8.<br />
<br />
* You can no longer mount FAT-formatted storage devices via the CCK, only HFS.<br />
<br />
* "Has anyone figured out how to add subviews to UIAlertView in iOS 8 yet?" "I found a workaround so I can at least add to the content view (which is not the size of the full alert view though). Within a subclass of UIAlertView do <code>[[[[self _alertController] contentViewController] view] addSubview:theSubview];</code>. When not subclassing, <code>[[[[alertView _alertController] contentViewController] view] addSubview:theSubview];</code> should work, although one has to figure out the right time to do that."<br />
<br />
* system() is now deprecated. Apple recommends using [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/posix_spawn.2.html posix_spawn()] instead. Another method that allows the use of system() in iOS 8+ can be found [http://ninjaprawn.com/blog/index.php?controller=post&action=view&id_post=2 here].<br />
<br />
* If an app is using WKWebViews, processes named com.apple.WebContent and com.apple.WebNetworking are spawned, and each of them creates only one NSURLCache. If you want to know the bundle identifier of the app they were spawned for, hook <code>-[NSURLCache _initWithMemoryCapacity:diskCapacity:relativePath:]</code> in those processes: <code>relativePath</code> will be that bundle identifier. It's not perfect, but it's a quick and neat trick.<br />
<br />
* com.apple.mobileinstallation.plist is gone on iOS 8. You can use [[AppList]] to get a list of installed apps. If you need to do this without Substrate for some reason, [http://www.reddit.com/r/jailbreakdevelopers/comments/2k6gft/list_installed_apps_on_ios_8/ this post and thread] has some discussion of alternatives.<br />
<br />
* When a passcode is set, normal UIWindows are not rendered when on the lockscreen, although touch events are still received. You can make your own UIWindows show up over the lockscreen by calling <code>-(void)_setSecure:(BOOL)secure</code>, or you can override <code>- (bool)_shouldCreateContextAsSecure;</code> in UIWindow to always return YES for all new UIWindows. (CAContext has a new property <code>bool isSecure</code> which controls this behaviour.)<br />
<br />
* SBAppSlider* is now SBAppSwitcher*<br />
<br />
* [http://newosxbook.com/articles/8-10.10.html Notes from iOS 8 and the OS X 10.10 Preview, by Jonathan Levin] - more about frameworks, daemons, and launchd.<br />
<br />
== What is new in iOS 8, and how does it work? ==<br />
<br />
* The view Reachability invokes is in the new framework FrontBoard - you can hook it. It is a FBWindowContextHostView. To toggle it: <code>[[%c(SBReachabilityManager) sharedInstance] _handleReachabilityActivated];</code><br />
<br />
* To support Reachability on smaller devices, hook SBReachabilityManager class's <code>+(BOOL)reachabilitySupported;</code><br />
<br />
* FrontBoard is a new framework that takes up a few of BackBoardServices' responsibilities. SpringBoard now inherits from FBSystemApp, which in turn is a UIApplication subclass.<br />
<br />
* CameraKit is a new framework that takes everything related to the camera out of PhotoLibrary.framework. PLCameraController is now the humungous CAMCaptureController.<br />
<br />
* Apple seems to call the iOS side Octavia and the OS X side Nero.<br />
<br />
== Which tools and other preexisting things are still working on iOS 8? Which ones don't work? ==<br />
<br />
* Activator, Flipswitch and AppList updates compatible with iOS 8 are live on BigBoss repository ([https://twitter.com/rpetrich/status/527244599820288003 verified by rpetrich]).<br />
<br />
* The package <code>syslogd to /var/log/syslog</code> '''has been updated for iOS 8''', as of November 9. There are alternatives listed [http://theiphonewiki.com/wiki/System_Log on TheiPhoneWiki] if you want to use a different method of accessing syslog.<br />
<br />
* "Does Theos work on iOS 8?" [http://www.reddit.com/r/jailbreakdevelopers/comments/2k2eat/question_theos_and_ios_8/ uroboro responds here]<br />
<br />
* libstatusbar is compatible with iOS 8 as of version 0.9.8.<br />
<br />
* libsymbolicate doesn't work on 8. (VMUHeader is gone from Symbolication.framework.) The maintainer is looking into it, but fixing it isn't simple and may take some time.<br />
<br />
* "RocketBootstrap seems to work." - it works perfectly with my tweak [Simon Selg]. Maybe not [https://twitter.com/punksomething/status/527878336081842176 working as well with Flex though]?<br />
<br />
* "What works for dumping classes on iOS 8? classdumpz doesn't seem to work. I'm trying to dump them directly on an iPhone 6." "You could use class-dump for i386 and the iOS 8 simulator" "[http://stevenygard.com/projects/class-dump/ This class-dump works for me.]" "If you want to dump on your iPhone then just compile its source to ARM; IIRC its distributed binary is x86/64 only."<br />
<br />
* "Does weak_classdump_bundle fail for anyone else on SpringBoard?" "It fails in general, it needs to be updated. You can dump SpringBoard with classdump-dyld." An updated classdump-dyld (that supports 64bit executables dumping) is available [https://github.com/limneos/classdump-dyld on GitHub] and on BigBoss ([https://ghostbin.com/paste/3r86u changelog]).<br />
<br />
== Random assorted other notes ==<br />
<br />
* [http://developer.limneos.net/index.php?ios=8.0 iOS 8.0 Headers], [https://github.com/coolstar/iOS-8.1-SpringBoard-Headers another set of SpringBoard headers], [https://github.com/iMokhles/iPhone5S-iOS8.1-SBHeaders another set of SpringBoard headers Part-1] and [https://github.com/iMokhles/iPhone5S-iOS8.1-SBHeaders-2 another set of SpringBoard headers Part-2] (made with different [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|class dumping tools]]).<br />
<br />
* In things like SBStarkBanner* classes, Stark is the codename for CarPlay™ since iOS 7</div>Indiekidukhttps://iphonedev.wiki/index.php?title=Updating_extensions_for_iOS_8&diff=3399Updating extensions for iOS 82014-12-13T01:59:36Z<p>Indiekiduk: /* Another solution */</p>
<hr />
<div>Let's collect knowledge like we did with [[Updating extensions for iOS 7]] - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see [[How to use IRC]] for how to connect to #theos and #iphonedev.<br />
<br />
'''Hey developer, you can add your knowledge here! Yes, you! [http://iphonedevwiki.net/index.php?title=Special:UserLogin&returnto=Updating+extensions+for+iOS+8&type=signup Make an account and edit this page!]'''<br />
<br />
It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.<br />
<br />
If you want to see what's been recently updated on this page, you can use the wiki's [http://iphonedevwiki.net/index.php?title=Updating_extensions_for_iOS_8&action=history history feature] to compare the revisions (to look at the diff) since the last time you visited this page.<br />
<br />
== What has changed in iOS 8? (Classes, frameworks, etc.) ==<br />
<br />
=== Preference saving ===<br />
<br />
In iOS 8, the preferences daemon cfprefsd holds all preferences in memory and writes them to the corresponding .plist file whenever it chooses to. Therefore, when the notification for a change is posted, the change has usually not yet been written to the file, and reading preferences directly from the .plist has become unreliable. The notification from the [[Preferences specifier plist]] is now posted '''before''' the plist is updated on disk, as opposed to '''after''' it was updated on disk, which was the case on iOS < 8.<br />
<br />
Writing directly to a plist in Preferences is also a problem, because the daemon will not know about your "manual" changes and will overwrite them when it writes its in-memory settings. So either read and write everything yourself (for example by overriding <code>setPreferenceValue:specifier:</code> and <code>readPreferenceValue:</code>) or use [https://developer.apple.com/library/mac/documentation/CoreFoundation/Reference/CFPreferencesUtils/ CFPreferencesUtils].<br />
<br />
==== Solution 1: Use CFPreferences (does not work in sandboxed processes) ====<br />
<br />
'''See [[PreferenceBundles#Loading_Preferences_into_unsandboxed_processes_.28using_CFPreferences.29|Loading Preferences into unsandboxed processes (using CFPreferences)]] for what to do.''' (As that page says: this was tested back to iOS 6 and seemed to work without problems. This solution does not work in third-party apps or other apps that have sandboxed preferences.) Another viable option could be a GCD file-descriptor source watching that file.<br />
<br />
==== Solution 2: Override setPreferenceValue:specifier and readPreferenceValue: in preference bundle to restore old behaviour (Karen (angelXwind)'s method) ====<br />
<br />
'''See [[PreferenceBundles#Loading_Preferences_into_sandboxed.2Funsandboxed_processes_in_iOS_8|Loading Preferences into sandboxed/unsandboxed processes in iOS 8]] for instructions and code on how to achieve this.'''<br />
<br />
I've tested this on iOS 5, 6, 7, and 8, and can confirm that it works without any issues.<br />
<br />
==== Solution 3: Use CFPreferencesAppSynchronize (apparently works in sandboxed processes for some people) (iMokhles/ichitaso's method) ====<br />
<br />
'''See [https://gist.github.com/iMokhles/23061acdffbfeaa875db How to use CFPreferencesAppSynchronize with ARC and non ARC (iOS8 Tweaks) + CFNotificationCallback] for some example code.'''<br />
<br />
The example above was tested with the sandboxed apps "WhatsApp" and "Tweetbot 3" and seems to work perfectly. Thanks to xTM3x, Yllier, and others for their research on this.<br />
<br />
==== Another solution ====<br />
<br />
[http://sharedinstance.net/2014/11/settings-the-right-way/ Another way on the sharedInstance blog.]<br />
<br />
==== And another solution ====<br />
<br />
<code>[[[[NSUserDefaults standardUserDefaults] persistentDomainForName:@"com.malcolmhall.StealthCam"] objectForKey:@"lock"] boolValue];</code><br />
<br />
Note: on previous iOS versions the preference wasn't always up to date, but on iOS 8 it appears to be. I'm using this in my StealthCam tweak.<br />
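Tying the solutions above together, here is an added example (not code from this wiki or from any of the tweaks mentioned above) of reading a preference through cfprefsd, which is what makes the early notification harmless: the value comes from the daemon's in-memory copy rather than from the plist on disk. It is written for an unsandboxed process such as SpringBoard; as Solution 1 notes, a sandboxed third-party app may not be able to read another domain this way. The domain <code>com.example.mytweak</code>, the key <code>enabled</code> and the notification name <code>com.example.mytweak/prefsChanged</code> are placeholders for whatever your preference bundle's specifier plist uses.<br />
<br />
```objc
// Added example (not from this wiki). Assumes the preference bundle writes to the
// domain com.example.mytweak (placeholder) and posts the Darwin notification
// com.example.mytweak/prefsChanged (placeholder) via its PostNotification key.
#import <Foundation/Foundation.h>

static CFStringRef const kPrefsDomain = CFSTR("com.example.mytweak");
static CFStringRef const kPrefsChangedNotification = CFSTR("com.example.mytweak/prefsChanged");

// Current value of the "enabled" switch; defaults to YES when it was never written.
static BOOL gEnabled = YES;

// Read a boolean through cfprefsd. CFPreferencesAppSynchronize first syncs this
// process's cached copy of the domain with the daemon; CFPreferencesCopyAppValue then
// returns the current value even if the .plist on disk has not been rewritten yet.
static BOOL readBoolPreference(CFStringRef key, BOOL defaultValue) {
    CFPreferencesAppSynchronize(kPrefsDomain);
    CFPropertyListRef value = CFPreferencesCopyAppValue(key, kPrefsDomain);
    if (value == NULL) {
        return defaultValue;                      // key never written
    }
    BOOL result = defaultValue;
    if (CFGetTypeID(value) == CFBooleanGetTypeID()) {
        result = CFBooleanGetValue((CFBooleanRef)value) ? YES : NO;
    } else if (CFGetTypeID(value) == CFNumberGetTypeID()) {
        int n = 0;                                // some bundles store switches as numbers
        CFNumberGetValue((CFNumberRef)value, kCFNumberIntType, &n);
        result = (n != 0);
    }
    // Any other type (e.g. a string) is ignored and the default kept: never trust the
    // type of a value that another process wrote.
    CFRelease(value);
    return result;
}

static void reloadPrefs(void) {
    gEnabled = readBoolPreference(CFSTR("enabled"), YES);
}

// Darwin notification callback. On iOS 8 this fires *before* the plist reaches the
// disk, which is fine here because we read through cfprefsd, not the file.
static void prefsChangedCallback(CFNotificationCenterRef center, void *observer,
                                 CFStringRef name, const void *object, CFDictionaryRef userInfo) {
    reloadPrefs();
}

// Runs when the tweak's dylib is loaded (Theos users can put this in %ctor instead).
__attribute__((constructor))
static void initPrefs(void) {
    reloadPrefs();
    CFNotificationCenterAddObserver(CFNotificationCenterGetDarwinNotifyCenter(),
                                    NULL, prefsChangedCallback, kPrefsChangedNotification,
                                    NULL, CFNotificationSuspensionBehaviorCoalesce);
}
```
<br />
The type check matters more than it looks: a preference bundle, a user editing the plist by hand, or a different version of your own tweak can leave a value of another type under the same key, and a blind <code>CFBooleanGetValue</code> on a CFNumber or CFString is undefined behaviour inside SpringBoard.<br />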
<br />
=== Everything else ===<br />
<br />
* The term 'Display Identifier' has been removed when referring to SBApplication. Methods that used the term usually have a 'Bundle Identifier' equivalent; e.g. <code>-[SBApplicationController applicationWithDisplayIdentifier:]</code> and <code>-[SBApplication displayIdentifier]</code> are now <code>-[SBApplicationController applicationWithBundleIdentifier:]</code> (not to be confused with the plural <code>-[SBApplicationController applicationsWithBundleIdentifier:]</code>) and <code>-[SBApplication bundleIdentifier]</code>. Since applications are now found using their bundle identifier, <code>-[SBIconModel applicationIconForDisplayIdentifier:]</code> is now <code>-[SBIconModel applicationIconForBundleIdentifier:]</code>. A catch-all way of getting ''any'' icon is <code>-[SBIconModel expectedIconForDisplayIdentifier:]</code>.<br />
<br />
* "Has anyone looked into granting entitlements in iOS 8? It would appear the popular method of hooking "_XPCConnectionHasEntitlement" no longer works." "I haven't had a whole lot of time to do testing or look for better methods but I found "_BSAuditTokenTaskHasEntitlement" which appears to have a similar function to "_XPCConnectionHasEntitlement", it's part of the "assertiond" process which must be hooked in order to access it, so far it's worked. More specifically, part of the "BaseBoard" private framework within "assertiond"."<br />
<br />
* PLBatteryPropertiesEntry no longer seems to exist for getting current battery info such as: <code>[PLBatteryPropertiesEntry batteryPropertiesEntry].currentCapacity</code>. You can still use:<br />
<source lang="objc"><br />
#include <IOKit/IOKitLib.h>       // IOServiceGetMatchingService, IORegistryEntryCreateCFProperty (headers are not in the iOS SDK; copy them from the OS X SDK)<br />
#include <IOKit/pwr_mgt/IOPM.h>   // kIOPMPSCurrentCapacityKey ("CurrentCapacity")<br />
io_service_t powerSource = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOPMPowerSource"));<br />
CFNumberRef currentCapacityNum = (CFNumberRef)IORegistryEntryCreateCFProperty(powerSource, CFSTR(kIOPMPSCurrentCapacityKey), kCFAllocatorDefault, 0); // may be NULL; you own it, so CFRelease() it and IOObjectRelease(powerSource) when done<br />
</source><br />
<br />
* launchctl appears to be slightly broken. launchctl start and stop work perfectly, but launchctl load/unload no longer works with [[daemons]] in /System/Library/LaunchDaemons/ (it aborts with the cryptic error message <code>/System/Library/LaunchDaemons/com.apple.mobile.installd.plist: The specified service path was not in the service cache</code>). You can still load/unload daemons based in /Library/LaunchDaemons/ (which is where you are supposed to launch your daemons from anyway).<br />
<br />
* MISValidateSignatureAndCopyInfo appears to perform additional code-signing checks during app installation.<br />
<br />
* installd cannot be reloaded via launchctl.<br />
<br />
* Mobile application containers are at /var/mobile/Containers/Bundle/Application.<br />
<br />
* Looks like certain apps don't have privileges for IORegistryEntryCreateCFProperty anymore (Safari, Mail).<br />
<br />
* PrivateFrameworks (and possibly others) in the iOS 8 SDK are missing the __TEXT section. Frameworks must be extracted from a device's dyld_shared_cache using a tool like [http://www.newosxbook.com/index.php?page=downloads JTool] or IDA before they can be (statically) reverse engineered. See [[dyld_shared_cache]] for more info.<br />
<br />
* Many methods of SBMediaController have been removed, so it is now useless for accessing now-playing information. <code>-[MPUNowPlayingController currentElapsed]</code> and <code>-[MPUNowPlayingController currentDuration]</code> can be used to display the track time. Use [https://github.com/Cykey/ios-reversed-headers/blob/master/MediaRemote/MediaRemote.h MediaRemote]'s <code>kMRMediaRemoteNowPlayingInfoDidChangeNotification</code> on the local notification center for updates when the now-playing info changes, and <code>kMRMediaRemoteNowPlayingApplicationIsPlayingDidChangeNotification</code> for updates on the playback state. Use <code>MRMediaRemoteGetNowPlayingInfo(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef result) { /* read the keys of result here */ });</code> to access the now-playing info. This code works fine on iOS 7 and 8.<br />
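As an added example (not code from this wiki or from the reversed-headers repository) of the MediaRemote calls above: an observer that registers for both notifications on the local notification center and pulls the now-playing dictionary with MRMediaRemoteGetNowPlayingInfo. It assumes the reversed MediaRemote.h linked above is on the include path; the info keys (kMRMediaRemoteNowPlayingInfoTitle, ...Artist, ...ElapsedTime, ...Duration) and MRMediaRemoteRegisterForNowPlayingNotifications are declared in that header but are not on this page, so treat those names as assumptions to verify against your copy of the header.<br />
<br />
```objc
// Added example (not from this wiki). Assumes the reversed MediaRemote.h from
// Cykey/ios-reversed-headers; the key constants and the Register... call below come
// from that header, not from this page (private API: verify against your copy).
#import <Foundation/Foundation.h>
#import "MediaRemote.h"

@interface NowPlayingObserver : NSObject
- (void)start;
- (void)refresh;
@end

@implementation NowPlayingObserver

- (void)start {
    // Ask MediaRemote to deliver the now-playing notifications to this process
    // (assumed to be required; declared in the reversed header).
    MRMediaRemoteRegisterForNowPlayingNotifications(dispatch_get_main_queue());

    NSNotificationCenter *center = [NSNotificationCenter defaultCenter];
    [center addObserver:self selector:@selector(nowPlayingInfoChanged:)
                   name:(__bridge NSString *)kMRMediaRemoteNowPlayingInfoDidChangeNotification
                 object:nil];
    [center addObserver:self selector:@selector(playbackStateChanged:)
                   name:(__bridge NSString *)kMRMediaRemoteNowPlayingApplicationIsPlayingDidChangeNotification
                 object:nil];
    [self refresh];
}

- (void)nowPlayingInfoChanged:(NSNotification *)note { [self refresh]; }
- (void)playbackStateChanged:(NSNotification *)note { [self refresh]; }

- (void)refresh {
    MRMediaRemoteGetNowPlayingInfo(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef result) {
        // result is NULL when nothing is playing; messaging a nil NSDictionary is safe.
        NSDictionary *info = (__bridge NSDictionary *)result;
        NSString *title    = info[(__bridge NSString *)kMRMediaRemoteNowPlayingInfoTitle];
        NSString *artist   = info[(__bridge NSString *)kMRMediaRemoteNowPlayingInfoArtist];
        NSNumber *elapsed  = info[(__bridge NSString *)kMRMediaRemoteNowPlayingInfoElapsedTime];
        NSNumber *duration = info[(__bridge NSString *)kMRMediaRemoteNowPlayingInfoDuration];

        // The block runs on the global queue; hop to the main thread before touching UI.
        dispatch_async(dispatch_get_main_queue(), ^{
            NSLog(@"Now playing: %@ - %@ (%.0f/%.0f s)",
                  artist ?: @"?", title ?: @"?", elapsed.doubleValue, duration.doubleValue);
        });
    });
}

- (void)dealloc {
    [[NSNotificationCenter defaultCenter] removeObserver:self];
}

@end
```
<br />
Keep the observer alive for as long as you need updates (for example as a static in your tweak), and call <code>-start</code> once; the notifications only tell you that something changed, so the fresh dictionary still has to be fetched with <code>MRMediaRemoteGetNowPlayingInfo</code> as shown.<br />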
<br />
* You can no longer mount FAT-formatted storage devices via the CCK, only HFS.<br />
<br />
* "Has anyone figured out how to add subviews to UIAlertView in iOS 8 yet?" "I found a workaround so I can at least add to the content view (which is not the size of the full alert view though). Within a subclass of UIAlertView do <code>[[[[self _alertController] contentViewController] view] addSubview:theSubview];</code>. When not subclassing, <code>[[[[alertView _alertController] contentViewController] view] addSubview:theSubview];</code> should work, although one has to figure out the right time to do that."<br />
<br />
* system() is now deprecated. Apple recommends using [https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/posix_spawn.2.html posix_spawn()] instead. Another method that allows the use of system() in iOS 8+ can be found [http://ninjaprawn.com/blog/index.php?controller=post&action=view&id_post=2 here].<br />
<br />
* If an app is using WKWebViews, processes named com.apple.WebContent and com.apple.WebNetworking are spawned, and each of them creates only one NSURLCache. If you want to know the bundleIdentifier of the app they were spawned for, hook <code>-[NSURLCache _initWithMemoryCapacity:diskCapacity:relativePath:]</code> in those processes: relativePath will be that bundleIdentifier. It's not perfect, but it's a quick and neat trick.<br />
<br />
* com.apple.mobileinstallation.plist is gone on iOS 8. You can use [[AppList]] to get a list of installed apps. If you need to do this without Substrate for some reason, [http://www.reddit.com/r/jailbreakdevelopers/comments/2k6gft/list_installed_apps_on_ios_8/ this post and thread] has some discussion of alternatives.<br />
<br />
* When a passcode is set, normal UIWindows are not rendered when on the lockscreen, although touch events are still received. You can make your own UIWindows show up over the lockscreen by calling <code>-(void)_setSecure:(BOOL)secure</code>, or you can override <code>- (bool)_shouldCreateContextAsSecure;</code> in UIWindow to always return YES for all new UIWindows. (CAContext has a new property <code>bool isSecure</code> which controls this behaviour.)<br />
<br />
* SBAppSlider* is now SBAppSwitcher*<br />
<br />
* [http://newosxbook.com/articles/8-10.10.html Notes from iOS 8 and the OS X 10.10 Preview, by Jonathan Levin] - more about frameworks, daemons, and launchd.<br />
<br />
== What is new in iOS 8, and how does it work? ==<br />
<br />
* The view that Reachability invokes lives in the new FrontBoard framework, and you can hook it: it is an FBWindowContextHostView. To toggle it: <code>[[%c(SBReachabilityManager) sharedInstance] _handleReachabilityActivated];</code><br />
<br />
* To support Reachability on smaller devices, hook SBReachabilityManager class's <code>+(BOOL)reachabilitySupported;</code><br />
<br />
* FrontBoard is a new framework that takes up a few of BackBoardServices' responsibilities. SpringBoard now inherits from FBSystemApp, which in turn is a UIApplication subclass.<br />
<br />
* CameraKit is a new framework that takes everything related to the camera out of PhotoLibrary.framework. PLCameraController is now the humungous CAMCaptureController.<br />
<br />
* Apple seems to call the iOS side Octavia and the OS X side Nero.<br />
<br />
== Which tools and other preexisting things are still working on iOS 8? Which ones don't work? ==<br />
<br />
* Activator, Flipswitch and AppList updates compatible with iOS 8 are live on BigBoss repository ([https://twitter.com/rpetrich/status/527244599820288003 verified by rpetrich]).<br />
<br />
* The package <code>syslogd to /var/log/syslog</code> '''has been updated for iOS 8''', as of November 9. There are alternatives listed [http://theiphonewiki.com/wiki/System_Log on TheiPhoneWiki] if you want to use a different method of accessing syslog.<br />
<br />
* "Does Theos work on iOS 8?" [http://www.reddit.com/r/jailbreakdevelopers/comments/2k2eat/question_theos_and_ios_8/ uroboro responds here]<br />
<br />
* libstatusbar is compatible with iOS 8 as of version 0.9.8.<br />
<br />
* libsymbolicate doesn't work on 8. (VMUHeader is gone from Symbolication.framework.) The maintainer is looking into it, but fixing it isn't simple and may take some time.<br />
<br />
* "RocketBootstrap seems to work." - it works perfectly with my tweak [Simon Selg]. Maybe not [https://twitter.com/punksomething/status/527878336081842176 working as well with Flex though]?<br />
<br />
* "What works for dumping classes on iOS 8? classdumpz doesn't seem to work. I'm trying to dump them directly on an iPhone 6." "You could use class-dump for i386 and the iOS 8 simulator" "[http://stevenygard.com/projects/class-dump/ This class-dump works for me.]" "If you want to dump on your iPhone then just compile its source to ARM; IIRC its distributed binary is x86/64 only."<br />
<br />
* "Does weak_classdump_bundle fail for anyone else on SpringBoard?" "It fails in general, it needs to be updated. You can dump SpringBoard with classdump-dyld." An updated classdump-dyld (that supports 64bit executables dumping) is available [https://github.com/limneos/classdump-dyld on GitHub] and on BigBoss ([https://ghostbin.com/paste/3r86u changelog]).<br />
<br />
== Random assorted other notes ==<br />
<br />
* [http://developer.limneos.net/index.php?ios=8.0 iOS 8.0 Headers], [https://github.com/coolstar/iOS-8.1-SpringBoard-Headers another set of SpringBoard headers], [https://github.com/iMokhles/iPhone5S-iOS8.1-SBHeaders another set of SpringBoard headers Part-1] and [https://github.com/iMokhles/iPhone5S-iOS8.1-SBHeaders-2 another set of SpringBoard headers Part-2] (made with different [[Reverse_Engineering_Tools#class-dump.2C_class_dump_z.2C_classdump-dyld|class dumping tools]]).<br />
<br />
* In things like SBStarkBanner* classes, Stark is the codename for CarPlay™ since iOS 7</div>Indiekidukhttps://iphonedev.wiki/index.php?title=SBApplication&diff=852SBApplication2010-12-10T00:29:30Z<p>Indiekiduk: /* Get all active applications */</p>
<hr />
<div>[[SBApplication]] is a class representing the application screen on the {{applink|SpringBoard}}. SBApplication is a subclass of [[SBDisplay]]. See [[SBDisplay]] for more info.<br />
<br />
== Retrieving an instance of SBApplication ==<br />
To retrieve a known instance, you must go through [[SBApplicationController]]. For example, if the display ID of the application is known, you can use:<br />
<source lang="objc"><br />
SBApplication* app = [[SBApplicationController sharedInstance] applicationWithDisplayIdentifier:@"com.yourcompany.appname"];<br />
</source><br />
<br />
== Get all active applications ==<br />
{{function signature<br />
|signature=-(NSArray*)_accessibilityRunningApplications;<br />
|firmware=3.0 –<br />
}}<br />
{{function signature<br />
|signature=-(SBApplication*)_accessibilityFrontMostApplication;<br />
|firmware=3.2 –<br />
}}<br />
<br />
Traditionally, getting the active applications had to be done via the static function at <tt>0xeadc</tt>, or by going through the result of {{ObjcCall|SBApplicationController|allApplications}} and checking whether each application's <tt>pid</tt> is valid. Fortunately, starting from 3.0, the SpringBoard class provides the method {{ObjcCall|SpringBoard|_accessibilityRunningApplications}}, which directly calls <tt>0xeadc</tt>, so you can get the array of active applications from it.<br />
<br />
Starting from 3.2 one can also use {{ObjcCall|SpringBoard|_accessibilityFrontMostApplication}} to get the frontmost application. If you already have the app, you can check whether it is frontmost with <code><nowiki>[[app process] isFrontmost]</nowiki></code>.<br />
<br />
== Launching an SBApplication ==<br />
To launch an SBApplication you can use [[SBUIController]]:<br />
<source lang="objc"><br />
[[SBUIController sharedInstance] activateApplicationAnimated:app];<br />
</source><br />
Note 1: this method does not respect parental controls. You can look up the list of restricted apps using <tt>-[</tt><tt>[[SpringBoard]] parentalControlsDisabledApplications]</tt>, however.<br />
<br />
Note 2: this method only works from the home screen. It does not work when an application is already in the foreground.<br />
<br />
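Putting the three sections above together, the following is an added example (not code from this wiki or from SpringBoard itself) that lists the running applications and launches one while honouring both notes: it refuses apps disabled by parental controls and refuses to activate while another app is in front. It assumes class-dumped SpringBoard headers are on the include path, that SBProcess exposes the pid as <code>-pid</code> (an assumption, like the element type of <code>parentalControlsDisabledApplications</code>; check your class-dump), and it uses the placeholder display identifier <code>com.yourcompany.appname</code> from this page.<br />
<br />
```objc
// Added example (not code from this wiki or from SpringBoard). Assumes class-dumped
// SpringBoard headers (SpringBoard.h, SBApplication.h, SBApplicationController.h,
// SBProcess.h, SBUIController.h) are on the include path and that SBProcess exposes
// the pid as -pid (an assumption; check your class-dump). Runs inside SpringBoard.
#import <UIKit/UIKit.h>
#import "SpringBoard.h"
#import "SBApplication.h"
#import "SBApplicationController.h"
#import "SBProcess.h"
#import "SBUIController.h"

// Display identifiers of all running applications. On 3.0+ this uses
// _accessibilityRunningApplications (which calls the static function at 0xeadc for
// you); on older firmware it falls back to allApplications filtered by a live pid.
static NSArray *runningDisplayIdentifiers(void) {
    SpringBoard *springBoard = (SpringBoard *)[UIApplication sharedApplication];
    NSArray *running;
    if ([springBoard respondsToSelector:@selector(_accessibilityRunningApplications)]) {
        running = [springBoard _accessibilityRunningApplications];
    } else {
        NSMutableArray *alive = [NSMutableArray array];
        for (SBApplication *app in [[SBApplicationController sharedInstance] allApplications]) {
            if ([[app process] pid] > 0) {   // a live process means the app is active
                [alive addObject:app];
            }
        }
        running = alive;
    }
    NSMutableArray *identifiers = [NSMutableArray arrayWithCapacity:[running count]];
    for (SBApplication *app in running) {
        [identifiers addObject:[app displayIdentifier]];
    }
    return identifiers;
}

// Launch an application by display identifier, honouring the two notes above:
// activateApplicationAnimated: neither checks parental controls nor works while
// another application is in front, so both are checked here first.
// Returns YES only if the activation was actually sent.
static BOOL launchApplication(NSString *displayID) {
    SpringBoard *springBoard = (SpringBoard *)[UIApplication sharedApplication];

    // parentalControlsDisabledApplications is assumed to hold display identifiers;
    // adjust the comparison if your class-dump shows it returns SBApplication objects.
    if ([[springBoard parentalControlsDisabledApplications] containsObject:displayID]) {
        NSLog(@"%@ is disabled by parental controls; not launching", displayID);
        return NO;
    }

    SBApplication *app = [[SBApplicationController sharedInstance] applicationWithDisplayIdentifier:displayID];
    if (app == nil) {
        NSLog(@"%@ is not installed", displayID);
        return NO;
    }

    // Note 2: only works from the home screen (3.2+ check; older firmware skips it).
    if ([springBoard respondsToSelector:@selector(_accessibilityFrontMostApplication)] &&
        [springBoard _accessibilityFrontMostApplication] != nil) {
        NSLog(@"another application is frontmost; activateApplicationAnimated: would do nothing");
        return NO;
    }

    [[SBUIController sharedInstance] activateApplicationAnimated:app];
    return YES;
}
```
<br />
Usage from a tweak loaded into SpringBoard: <code>launchApplication(@"com.yourcompany.appname")</code>, optionally after consulting <code>runningDisplayIdentifiers()</code> if you only want to bring an already running app to the front. Checking the parental-controls list before activating is the point of Note 1: the restriction is enforced by the home screen UI, not by <code>activateApplicationAnimated:</code>, so a tweak that skips the check silently bypasses it.<br />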
== Application Info.plist ==<br />
SpringBoard will recognize the following Info.plist keys:<br />
* UISystemProvisioning<br />
* SBDemoRole<ref name="hunt">http://blogs.oreilly.com/iphone/2008/11/hunting-down-infoplist-prefere.html</ref><br />
* SBIsRevealable<ref name="hunt"/><ref>http://www.tuaw.com/2007/11/29/enable-app-hiding-on-your-iphone/</ref><br />
* SBUsesNetwork<ref>http://stackoverflow.com/questions/596589/iphone-sdk-internet-connection-detection</ref><br />
* UIJetsamPriority<br />
* SBIconClass<br />
* SBSpotlightIcons<br />
* UIRoles<br />
* SBMachServices<br />
* disabled<br />
* CFBundleIconFile<br />
* SPSearchDomainLaunchInfo<br />
* Other UIKit keys described in http://developer.apple.com/IPhone/library/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html<br />
<br />
Starting from 3.2 these ''documented'' keys are also recognized:<br />
* ProductType, UIDeviceFamily, DeviceFamily<ref>The keys UIDeviceFamily and DeviceFamily are private but equivalent to ProductType.</ref><br />
* UIAppFonts<br />
* UIFileSharingEnabled<br />
* UISupportedInterfaceOrientations<br />
<br />
== References ==<br />
<references /><br />
* Header: http://github.com/kennytm/iphone-private-frameworks/blob/master/SpringBoard/SBApplication.h<br />
<br />
{{occlass|library=SpringBoard.app|navbox=1}}</div>Indiekidukhttps://iphonedev.wiki/index.php?title=SBApplication&diff=851SBApplication2010-12-08T22:53:35Z<p>Indiekiduk: </p>
<hr />
<div>[[SBApplication]] is a class representing the application screen on the {{applink|SpringBoard}}. SBApplication is a subclass of [[SBDisplay]]. See [[SBDisplay]] for more info.<br />
<br />
== Retrieving an instance of SBApplication ==<br />
To retrieve a known instance, you must go through [[SBApplicationController]]. For example, if the display ID of the application is known, you can use:<br />
<source lang="objc"><br />
SBApplication* app = [[SBApplicationController sharedInstance] applicationWithDisplayIdentifier:@"com.yourcompany.appname"];<br />
</source><br />
<br />
== Get all active applications ==<br />
{{function signature<br />
|signature=-(NSArray*)_accessibilityRunningApplications;<br />
|firmware=3.0 –<br />
}}<br />
{{function signature<br />
|signature=-(SBApplication*)_accessibilityFrontMostApplication;<br />
|firmware=3.2 –<br />
}}<br />
<br />
Traditionally, getting the active applications had to be done via the static function at <tt>0xeadc</tt>, or by going through the result of {{ObjcCall|SBApplicationController|allApplications}} and checking whether each application's <tt>pid</tt> is valid. Fortunately, starting from 3.0, the SpringBoard class provides the method {{ObjcCall|SpringBoard|_accessibilityRunningApplications}}, which directly calls <tt>0xeadc</tt>, so you can get the array of active applications from it.<br />
<br />
Starting from 3.2 one can also use {{ObjcCall|SpringBoard|_accessibilityFrontMostApplication}} to get the frontmost application.<br />
<br />
== Launching an SBApplication ==<br />
To launch an SBApplication you can use [[SBUIController]]:<br />
<source lang="objc"><br />
[[SBUIController sharedInstance] activateApplicationAnimated:app];<br />
</source><br />
Note 1: this method does not respect parental controls. You can look up the list of restricted apps using <tt>-[</tt><tt>[[SpringBoard]] parentalControlsDisabledApplications]</tt>, however.<br />
<br />
Note 2: this method only works from the home screen. It does not work when an application is already in the foreground.<br />
<br />
== Application Info.plist ==<br />
SpringBoard will recognize the following Info.plist keys:<br />
* UISystemProvisioning<br />
* SBDemoRole<ref name="hunt">http://blogs.oreilly.com/iphone/2008/11/hunting-down-infoplist-prefere.html</ref><br />
* SBIsRevealable<ref name="hunt"/><ref>http://www.tuaw.com/2007/11/29/enable-app-hiding-on-your-iphone/</ref><br />
* SBUsesNetwork<ref>http://stackoverflow.com/questions/596589/iphone-sdk-internet-connection-detection</ref><br />
* UIJetsamPriority<br />
* SBIconClass<br />
* SBSpotlightIcons<br />
* UIRoles<br />
* SBMachServices<br />
* disabled<br />
* CFBundleIconFile<br />
* SPSearchDomainLaunchInfo<br />
* Other UIKit keys described in http://developer.apple.com/IPhone/library/documentation/General/Reference/InfoPlistKeyReference/Articles/iPhoneOSKeys.html<br />
<br />
Starting from 3.2 these ''documented'' keys are also recognized:<br />
* ProductType, UIDeviceFamily, DeviceFamily<ref>The keys UIDeviceFamily and DeviceFamily are private but equivalent to ProductType.</ref><br />
* UIAppFonts<br />
* UIFileSharingEnabled<br />
* UISupportedInterfaceOrientations<br />
<br />
== References ==<br />
<references /><br />
* Header: http://github.com/kennytm/iphone-private-frameworks/blob/master/SpringBoard/SBApplication.h<br />
<br />
{{occlass|library=SpringBoard.app|navbox=1}}</div>Indiekiduk