Note
Due to the sandbox of the affected app, it is only possible to write to /var/mobile/Containers, and you cannot overwrite file with this, hence Apple closed the report.
@verygenericname told me he found an arbitrary write to /var/mobile/Containers, using the Files app, with the following steps:
As you may have known, we recently managed to bring multitask to LiveContainer. This originally came from FrontBoardAppLauncher which was reverse engineered of various Apple apps: ClarityBoard, SpringBoard, Xcode PreviewShell, etc. A quick recap of how we worked on it:
FrontBoard, RunningBoardServices and UIKit, resulted in MySystemShell and FrontBoardAppLauncherNSExtensionPointIdentifierHowever, as more and more people get to try it, we were reported that physical keyboard input wouldn't work. (LiveContainer/LiveContainer#524)
If anyone could figure it out, we will forever owe you.
| #ifndef _MOUNT_ARGS_H | |
| #define _MOUNT_ARGS_H | |
| #include <stdint.h> | |
| #include <sys/time.h> | |
| #include <unistd.h> | |
| #include <fcntl.h> | |
| #include <sys/types.h> | |
| enum { |
| @import UIKit; | |
| @interface UIWindow() | |
| - (void)setAutorotates:(BOOL)autorotates forceUpdateInterfaceOrientation:(BOOL)force; | |
| @end | |
| @interface SBSystemApertureWindow : UIWindow | |
| @end | |
| // SBSystemApertureWindow has a hidden override to always set autorotates to false, we must call super |
Caution
By following this guide, you're responsible for any damage that could be done to your device. Be careful for any commands you're going to run.
Some parts are based on dualbootfun.
Tested iOS versions: 14.8 and 16.5
| #import <UIKit/UIKit.h> | |
| // Make Dynamic Island transparent | |
| @interface _SBGainMapView : UIView | |
| @end | |
| %hook _SBGainMapView | |
| - (void)setFrame:(CGRect)frame { | |
| %orig(frame); | |
| self.hidden = YES; |
| // fork() and rootless fix for Procursus bootstrap (named libTS2JailbreakEnv.dylib) | |
| // there's lots of stuff not cleaned up, feel free to play around | |
| // Requires fishhook from https://github.com/khanhduytran0/fishhook | |
| // Usage: inject to libiosexec.dylib, ensure all binaries have get-task-allow entitlement | |
| #include <assert.h> | |
| #include <errno.h> | |
| #include <fcntl.h> | |
| #include <mach/mach_init.h> | |
| #include <mach-o/dyld.h> |
| /* | |
| * These following steps are not currently automated, so you need to do manually for now. | |
| * download assets-v0.zip at https://cdn.discordapp.com/attachments/724163890803638277/923349783589056522/assets-v0.zip | |
| * extract and copy the shaders folder to the resources folder. | |
| * edit include/light.glsl add `#define texture texture2D` after `#version 100` line | |
| */ | |
| import javax.swing.*; | |
| import java.awt.*; | |
| import java.awt.event.WindowAdapter; |
| #include <dlfcn.h> | |
| #include <cstring> | |
| #include <android/dlext.h> | |
| #include "log.h" // LOGE, LOGW, etc... | |
| bool (*_android_init_namespaces)(const char* public_ns_sonames, const char* anon_ns_library_path) = nullptr; | |
| bool __unused android_init_namespaces(const char* public_ns_sonames, const char* anon_ns_library_path) { | |
| if (!_android_init_namespaces) { | |
| void *libdl_handle; |
| import java.util.*; | |
| import java.io.*; | |
| public class GLSCommandFinder | |
| { | |
| private static final String glsCmdHeaderPath = "/sdcard/AppProjects/gl-streaming/common/gls_command.h"; | |
| private static List<Integer> cmdlineList; | |
| private static List<String> commandList; | |
| public static void main(String[] args) | |
| { |