#import <NanoTimeKit/NanoTimeKit.h>

[matthijsotterloo]

How can I import this file? I don't understand what you mean with import carousel into the dylib

[BlueSpud]

I also can't find anything that would get a dylib called Carousel, and can't find the framework on my computer. Running El Capitan 6 and Watch OS 2 5

[carbamide]

It's a from the private framework, NanoTimeKit. We need to find a private header dump from a watch device to even build this. I have no clue how make Carousel pick it up though. I've never done jailbreak dev, just regular.

[BlueSpud]

@carbamide do you have any idea what Carousel even is? Maybe we can figure it out.

[asmeurer]

Carousel is the equivalent of SpringBoard for WatchOS.

[Cclleemm]

Hello @carbamide, do you have a link to download NanoTimeKit header ?

[matthijsotterloo]

Seems like this is the dump we need? https://github.com/nickfrey/WatchOS-Headers/tree/master/Device/NanoTimeKit.framework

[Cclleemm]

Thank's @matthijsotterloo, but I allready include this framework in my project but it doesn't compile.

[matthijsotterloo]

Yes also tried that, it doesn't compile because it's missing NanoTimekit.h which is not included in this framework...

[codyd51]

As stated above, NanoTimeKit is an internal framework running on the Watch. To get headers you can either class dump the binary, or simply write them yourself.

I do not know how he has gotten Carousel to load the dylib, however. That is something I would be very interested in hearing, purely to satiate my curiosity.

[hamzasood]

Carousel is the watchOS equivalent of SpringBoard. It's the app that displays the home screen, notification centre, glances, watch faces etc. I haven't open sourced how I got Carousel to load the dylib. This repo only contains the watch face code and what you'd need to hook once you've got code running in Carousel.

[codyd51]

@hamzasood Would you be willing to share what vector/general starting point you're using to get Carousal to load dylibs? Fully understand you don't want to share all your goodies, though this is something that seems very interesting and I'd love to look into it for myself, though I'm not sure where to start.

[biscuitehh]

+1 @codyd51

[galli-leo]

@codyd51 I may have found at least a way to load the dylib on the simulator. At the moment I am trying to get the dylib to compile.

The NanoTimeKit.h file is pretty much just a file to import everything from the Framework. This can easily be done yourself.

[VedBoon]

@DJLectr0 I finally decompiled the Carousel headers and compiled the dylib.... would really appreciate your thoughts on loading it.

[codyd51]

@DJLectr0 Hey, that's better than nothing! Mind divulging how you did that? Maybe we could go digging together and see what we can figure out :-)

[galli-leo]

@VedBoon Sure. Could you also share your xcodeproject with me where you got it to compile? (Best would be private because of the NDA)

I thought of loading in the Simulator like when you load tweaks in the ios sim (http://sharedinstance.net/2013/10/running-tweaks-in-simulator/) so editing the lanchdaemons of the sim sdk to include the Dylib injection like in the article just instead of springboard the carousel plist.

[codyd51]

@DJLectr0 That post is sorely outdated and does not work on recent versions of the iOS sim. I cannot speak for the Watch sim as I have not tried it, but the current method for loading dylibs into the iOS sim is utilizing optool by @alexzielenski

[galli-leo]

@codyd51 Ok did not know that :( So maybe try optool?

[codyd51]

@DJLectr0 Actually, I have. I totally forgot about this earlier, but @EthanArbuckle and I fooled around with loading some dylibs into the Watch sim's Prefs.app - nothing big, mind you; pushing dumb view controllers and changing color schemes. Neat, but it does not help the final goal of getting dylibs loaded onto an actual device.

[galli-leo]

@codyd51 Well its a start ;) We could try to load a custom firmware or with the new independent apps look if we can use some methods from some private Frameworks to get it to load the dylib. Another thought: If we can load dylibs we could theoretically change everything hookable in the system (e.g. Making whatsapp quick reply)

[EthanArbuckle]

Share your magix hamza

[galli-leo]

@codyd51 When I get home, I will try to load some simple dylibs in the Simulator and then look at how to get the watch OS 2 Firmware

[codyd51]

(Addressing each sentence in order)

@DJLectr0 Loading a custom firmware isn't in the spirit of what we're trying to achieve IMHO. It's the argument of using Substrate over manually replacing binaries.

We can't use private frameworks while sandboxed.

Yes, that's kind of the whole idea regarding tweak development ;P

[codyd51]

@EthanArbuckle +1

[galli-leo]

@codyd51 Yes I know, but if we could load a custom Firmware we could inject a dylib, which is what we are trying here. I know its really manual but it would be a nice start. Hamzasood is also in an internal testing mode. Maybe this allows him to load dylibs? I will also dig through the carousel headers, maybe there is something there.

[AlexeyBelezeko]

@DJLectr0 @codyd51 Maybe I didn't unsderstand. But we can try to load dylib to carusel with lldb like this http://www.ifans.com/forums/threads/dylib-injection-with-iphone-simulator.109242/

[galli-leo]

@AlexeyBlezeko the problem is that we need to find a way to inject the dylib into carousel on an actual watch.

[AlexeyBelezeko]

@DJLectr0 Can we use gdb on actual watch?

[codyd51]

@AlexeyBelezeko Simple answer: no. The reason is twofold:

1) That would mean we need native code execution on the watch, which is the end goal in the first place

2) watchOS is just iOS 8.4 using Carousel as a launcher instead of SpringBoard. There is no working version of gdb on > iOS 8, so even if we had native code exec. we could not use gdb.

[hamzasood]

@codyd51 Not quite true. The DeveloperDiskImage for iOS and watchOS both have debugserver. But it can only attach to processes with the get-task-allow entitlement.

[codyd51]

Ah! My mistake, then.

[galli-leo]

@codyd51 How did you manage to load dylibs on the simulator. Using optool it throws no error but the Watch Simulator seems without changes.

[galli-leo]

@VedBoon How did you get the UIKit headers? I cannot find nor extract them from Carousel.

[Baddaboo]

@DJLectr0 As of the watchOS 2 SDK, UIKit (at least the modified version for watchOS) is a supported framework you don't need to classdump https://developer.apple.com/library/prerelease/watchos/documentation/UIKit/Reference/UIKitFunctionReference/index.html

[galli-leo]

@Baddaboo Ok, but to compile the NTK headers I need the full UIKit headers. The ones from the watch OS 2 SDK only are around 10, without UIView, UIControl, etc.

[Baddaboo]

@DJLectr0 Yeah I realized that right after I posted that comment. I quickly tried tossing in a few from the iOS framework but that didn't resolve anything. I know the standard UIKit has been shown to work on the watch, so maybe that's worth exploring

[galli-leo]

@Baddaboo I thought of that as well since you only need the headers, not actual working code.

[VedBoon]

@DJLectr0 You only need a handful of NTK and UIKit headers to get Xcode to stop complaining from building.

@codyd51 where you successful in patching debugserver? I received a "malformed object (unknown load command 9)" from codesign_allocate

[galli-leo]

@VedBoon Oh ok. I think you need to xcode-select the beta to get the latest code-signing binary. I did this and it did the trick.

[galli-leo]

@VedBoon At the moment I am trying to get the debugserver running on the simulator. It definitely sees the executable with NSTask. (Every other path it crashes and says invalid path), but I cant get any output from the Task and I think it immediately closes. With posix_spawn I get a status code of some random number. I also can't get a const char array to work. With breakpoints it seems always empty. system() just downright crashes on the watch.

[tokamac]

40 messages and no answer to the questions asked here by the community. What a shame.

What is the point of announcing the hack on Twitter then publishing the code on GitHub, a public OPEN-SOURCE web site to SHARE code, but not giving a single clue about how to load the dylib in Carousel, NanoTimeKit.h and the like?

[VedBoon]

@DJLectr0 We don't have write/execute permissions for root, only read. Once we do have full permissions, it's a matter of replacing the debugserver with one that has been modified with a get-task-allow entitlement and having Carousel call dlopen to the dylib.

@tokamac this hasn't been open sourced yet because watchOS 2 isn't officially released. This is more for the ones that have already rooted/jailbroken their device and a teaser for everyone else.

[tokamac]

@VedBoon watchOS 2 beta has been made available by Apple for developers: https://developer.apple.com/watchos/pre-release/

OS in beta versions are meant for developers to test their apps BEFORE the OS is released so the apps are ready for prime time. Github is also meant for developers. There is absolutely no justification why the code and technique are not fully shared already. An no, the project presented by Hamza Sood is not a solution for jailbroken devices.

[VedBoon]

@tokamac the term "jailbroken" refers to having full root permissions on your idevice. Hamza sood and a number of other already do. This means they are capable of loading dylib's (such as this custom watch face). If they were to open source how to receive root permissions before the official watchOS 2, not beta, than apple will have time to patch. While you may not agree this justification, there is nothing that can be done, other than wait or try it for yourself.

[tokamac]

@VedBoon OK, do you think once watchOS 2 is released, if the technique to load a custom watchface will still need to jailbreak? It was my understanding after the news reported by the media that the device doesn't need to be jailbroken to display such a watch face, so I may be mistaken!

[VedBoon]

@tokamac I cannot truly say and neither can the media. My best guess is yes. Any other alternative (such as custom firmware as suggested by @DJLectr0) wouldn't be as efficient.

[ph1ps]

@VedBoon May I ask you to tell me how you dumped those headers and/or share this private repo with me?

[VedBoon]

@iPh1ps99 I haven't dumped all of the watchOS 2 headers, however, you don't need to. Just write out the few NTK headers you actually need in order to compile the dylib. https://github.com/nickfrey/WatchOS-Headers/tree/master/Device/NanoTimeKit.framework and the comments in https://github.com/hamzasood/CustomWatchFaceTest/blob/master/CustomWatchFaceTest/OnozOmgFaceView.h will help.

[ph1ps]

@VedBoon Can you also tell me how I get this missing <NanoTimeKit/NanoTimeKit.h> to work? How do I import this NanoTimeKit.framework from this other GIT page?

[ghost]

Use this headers https://github.com/CrazyJailHacker/NanoTimeKit-Headers

And copy it to: /Xcode.app/Contents/Developer/Platforms/WatchOS.platform/Developer/SDKs/WatchOS.sdk/System/Library/PrivateFrameworks/NanoTimeKit.framework/Headers