jjolano / shadow

A jailbreak detection bypass for modern iOS jailbreaks.
https://ios.jjolano.me
BSD 3-Clause "New" or "Revised" License
805 stars, 132 forks

iOS 15 palera1n compatible #49

Closed likertuban closed 1 year ago

likertuban commented 1 year ago

Hello, at the moment the Shadow tweak doesn't work on palera1n (at least on my device, iPhone X, iOS 15.4.1). Just by installing the tweak (without enabling it), all apps crash on launch. This is probably related to the Cephei tweak, because all tweaks that I've installed on palera1n that use Cephei as a dependency always crash all user apps, regardless of whether you enable the tweak in the tweak settings or not. It also might not be working with Substitute. Just hoping you could update it for iOS 15.

jjolano commented 1 year ago

It does depend on Cephei for preferences and RocketBootstrap for unsandboxed functions. Until both are updated, the current version will likely not work.

jjolano commented 1 year ago

@likertuban could you check if version 3.1.1 works with palera1n? If it still crashes apps, is it an instant-crash or delayed crash?

likertuban commented 1 year ago

> @likertuban could you check if version 3.1.1 works with palera1n? If it still crashes apps, is it an instant-crash or delayed crash?

As of now, when respringing after installing, at least it won't enter a respring loop like before. The apps I tested so far (Shadow setting disabled on all apps in the settings preference):

I got information that RocketBootstrap is currently causing trouble with iOS 15 palera1n (it will cause a respring loop if we do a respring), and I don't know if the app crash when using Shadow is related to RocketBootstrap or the Shadow tweak itself.

jjolano commented 1 year ago

Thank you for that valuable information. I did make a change in the latest versions to try and have a fallback in case RocketBootstrap doesn't work. Do the apps crash only when Shadow is installed? All it does is load preferences, and if it is disabled on an app then it doesn't do anything. If this is the case, then it may point to Cephei.

I believe Cephei depends on RocketBootstrap, but that may have changed in recent versions.

If you are also able to get crash logs they will definitely be useful.

likertuban commented 1 year ago

Yes, apps crash just by installing the Shadow tweak, without enabling the tweak in settings. I tried to disable RocketBootstrap in Choicy, but the crash still happened. Sadly Cr4shed can't be installed on my palera1n device either, so I don't know how to get crash logs, but I'm with you regarding Cephei; I think that dependency is the main problem.

jjolano commented 1 year ago

I'll work towards removing Cephei as a dependency. For crash logs, I believe you can access them through Settings > Privacy > Analytics & Improvements > Analytics Data.

likertuban commented 1 year ago

Here's discord app crash when installing shadow {"app_name":"Discord","timestamp":"2022-11-21 15:44:59.00 +0700","app_version":"153.0","slice_uuid":"152d6ae8-d5cb-3ae9-ba5d-323894e6933f","adam_id":"985746746","build_version":"37270","platform":2,"bundleID":"com.hammerandchisel.discord","share_with_app_devs":0,"is_first_party":0,"bug_type":"309","os_version":"iPhone OS 15.4.1 (19E258)","incident_id":"FE8CA99D-A22F-4C70-81C6-F8D188ED32BE","name":"Discord"} { "uptime" : 72000, "procLaunch" : "2022-11-21 15:44:58.8712 +0700", "procRole" : "Foreground", "version" : 2, "userID" : 501, "deployVersion" : 210, "modelCode" : "iPhone10,6", "procStartAbsTime" : 1730288677143, "coalitionID" : 774, "osVersion" : { "isEmbedded" : true, "train" : "iPhone OS 15.4.1", "releaseType" : "User", "build" : "19E258" }, "captureTime" : "2022-11-21 15:44:59.1269 +0700", "incident" : "FE8CA99D-A22F-4C70-81C6-F8D188ED32BE", "bug_type" : "309", "pid" : 9272, "procExitAbsTime" : 1730294807718, "cpuType" : "ARM-64", "procName" : "Discord", "procPath" : "\/private\/var\/containers\/Bundle\/Application\/05B1E674-F7C0-424E-B2D0-3990A7DA2C4B\/Discord.app\/Discord", "bundleInfo" : {"CFBundleShortVersionString":"153.0","CFBundleVersion":"37270","CFBundleIdentifier":"com.hammerandchisel.discord","DTAppStoreToolsBuild":"14B44"}, "storeInfo" : {"storeCohortMetadata":"10|date=1668441600000&sf=143476&pgtp=Search&pgid=cd957cea-4b8e-4e5c-acb2-f81d3a48d91b&prpg=Genre_179183&ctxt=Search&issrch=1&imptyp=card&kind=iosSoftware&itpltyp=PI3&lngid=2","itemID":"985746746","deviceIdentifierForVendor":"9E53A98B-6849-4BE6-8426-CFC964A5DBF9","softwareVersionExternalIdentifier":"853308485","thirdParty":true,"applicationVariant":"1:iPhone10,6:15"}, "parentProc" : "launchd", "parentPid" : 1, "coalitionName" : "com.hammerandchisel.discord", "crashReporterKey" : "49e7c83caebf4339d33208cf8ed5eeefe54cd605", "basebandVersion" : "5.03.01", "isCorpse" : 1, "exception" : 
{"port":9987,"signal":"SIGKILL","guardId":0,"codes":"0x0000000000002703, 0x0000000000000000","violations":["INVALID_RIGHT"],"message":" INVALID_RIGHT on mach port 9987 (guarded with 0x0000000000000000)","subtype":"GUARD_TYPE_MACH_PORT","type":"EXC_GUARD","rawCodes":[9987,0]}, "termination" : {"namespace":"GUARD","flags":2,"code":2305844108725331715}, "faultingThread" : 0, "threads" : [{"triggered":true,"id":548084,"threadState":{"x":[{"value":17},{"value":9987},{"value":72},{"value":72},{"value":9987},{"value":300},{"value":0},{"value":1984},{"value":268435459},{"value":10243},{"value":9987},{"value":2045},{"value":20},{"value":3796162572},{"value":3798261760},{"value":156},{"value":18446744073709551598},{"value":1650458624},{"value":0},{"value":9987},{"value":515},{"value":515},{"value":1},{"value":6136866320},{"value":6136866408},{"value":6136866400},{"value":4357397144},{"value":8417367076,"symbolLocation":0,"symbol":"mach_taskself"},{"value":1799}],"flavor":"ARM_THREAD_STATE64","lr":{"value":7435237764},"cpsr":{"value":2147483648},"fp":{"value":6136866304},"sp":{"value":6136866288},"esr":{"value":1442840704,"description":" Address size fault"},"pc":{"value":7435233820,"matchesCrashFrame":1},"far":{"value":0}},"queue":"com.apple.main-thread","frames":[{"imageOffset":2588,"symbol":"_kernelrpc_mach_port_deallocate_trap","symbolLocation":8,"imageIndex":0},{"imageOffset":6532,"symbol":"mach_port_deallocate","symbolLocation":24,"imageIndex":0},{"imageOffset":20096,"imageIndex":1},{"imageOffset":34544,"imageIndex":2},{"imageOffset":32948,"imageIndex":2},{"imageOffset":33648,"imageIndex":2},{"imageOffset":28852,"imageIndex":2},{"imageOffset":112848,"imageIndex":3},{"imageOffset":33124,"symbol":"invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const","symbolLocation":152,"imageIndex":4},{"imageOffset":227944,"symbol":"invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, 
dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const) const","symbolLocation":160,"imageIndex":4},{"imageOffset":24360,"symbol":"invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const","symbolLocation":520,"imageIndex":4},{"imageOffset":21072,"symbol":"dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const, bool&) block_pointer) const","symbolLocation":160,"imageIndex":4},{"imageOffset":17772,"symbol":"dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const","symbolLocation":164,"imageIndex":4},{"imageOffset":226852,"symbol":"dyld3::MachOAnalyzer::forEachInitializerPointerSection(Diagnostics&, void (unsigned int, unsigned int, unsigned char const, bool&) block_pointer) const","symbolLocation":120,"imageIndex":4},{"imageOffset":69676,"symbol":"dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const) const","symbolLocation":324,"imageIndex":4},{"imageOffset":56844,"symbol":"dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const","symbolLocation":144,"imageIndex":4},{"imageOffset":39776,"symbol":"dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const>&) const","symbolLocation":212,"imageIndex":4},{"imageOffset":63424,"symbol":"dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const","symbolLocation":120,"imageIndex":4},{"imageOffset":37740,"symbol":"dyld4::APIs::dlopen_from(char const, int, 
void)","symbolLocation":496,"imageIndex":4},{"imageOffset":2497240,"imageIndex":5},{"imageOffset":2497272,"imageIndex":5},{"imageOffset":2497304,"imageIndex":5},{"imageOffset":2265944,"imageIndex":5},{"imageOffset":1469860,"imageIndex":5},{"imageOffset":1466468,"imageIndex":5},{"imageOffset":1916296,"imageIndex":5},{"imageOffset":1492524,"imageIndex":5},{"imageOffset":33124,"symbol":"invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const","symbolLocation":152,"imageIndex":4},{"imageOffset":227944,"symbol":"invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const) const","symbolLocation":160,"imageIndex":4},{"imageOffset":24360,"symbol":"invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const","symbolLocation":520,"imageIndex":4},{"imageOffset":21072,"symbol":"dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const, bool&) block_pointer) const","symbolLocation":160,"imageIndex":4},{"imageOffset":17772,"symbol":"dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const","symbolLocation":164,"imageIndex":4},{"imageOffset":226852,"symbol":"dyld3::MachOAnalyzer::forEachInitializerPointerSection(Diagnostics&, void (unsigned int, unsigned int, unsigned char const, bool&) block_pointer) const","symbolLocation":120,"imageIndex":4},{"imageOffset":69676,"symbol":"dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const) const","symbolLocation":324,"imageIndex":4},{"imageOffset":56844,"symbol":"dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) 
const","symbolLocation":144,"imageIndex":4},{"imageOffset":39776,"symbol":"dyld4::Loader::runInitializersBottomUp(dyld4::RuntimeState&, dyld3::Array<dyld4::Loader const>&) const","symbolLocation":212,"imageIndex":4},{"imageOffset":63424,"symbol":"dyld4::Loader::runInitializersBottomUpPlusUpwardLinks(dyld4::RuntimeState&) const","symbolLocation":120,"imageIndex":4},{"imageOffset":181768,"symbol":"dyld4::APIs::runAllInitializersForMain()","symbolLocation":244,"imageIndex":4},{"imageOffset":105308,"symbol":"dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*)","symbolLocation":2620,"imageIndex":4},{"imageOffset":99248,"symbol":"start","symbolLocation":412,"imageIndex":4}]},{"id":548098,"frames":[{"imageOffset":6452,"symbol":"start_wqthread","symbolLocation":0,"imageIndex":6}]}], "usedImages" : [ { "source" : "P", "arch" : "arm64", "base" : 7435231232, "size" : 212992, "uuid" : "3d363709-8d2d-3d1e-8cab-11d232e5d508", "path" : "\/usr\/lib\/system\/libsystem_kernel.dylib", "name" : "libsystem_kernel.dylib" }, { "source" : "P", "arch" : "arm64", "base" : 4357275648, "size" : 32768, "uuid" : "7b00129b-c5d3-312f-a1c8-d737c7fb67fe", "path" : "\/usr\/lib\/librocketbootstrap.dylib", "name" : "librocketbootstrap.dylib" }, { "source" : "P", "arch" : "arm64", "base" : 4357341184, "size" : 49152, "uuid" : "b4b0ea4d-adac-357e-96f5-9c7c17f3ed0a", "path" : "\/usr\/lib\/Cephei.framework\/Cephei", "name" : "Cephei" }, { "source" : "P", "arch" : "arm64", "base" : 4358012928, "size" : 131072, "uuid" : "aaaa5764-d604-3993-9ac9-d569f65a3ffb", "path" : "\/Library\/MobileSubstrate\/DynamicLibraries\/Shadow.dylib", "name" : "Shadow.dylib" }, { "source" : "P", "arch" : "arm64", "base" : 4356603904, "size" : 344064, "uuid" : "5c4972a8-ef81-32dc-a848-42cc7f7874cf", "path" : "\/usr\/lib\/dyld", "name" : "dyld" }, { "source" : "P", "arch" : "arm64", "base" : 4364468224, "size" : 2883584, "uuid" : "17f0fb61-e3eb-3a7c-b2fe-6e82d6769b0c", "path" : "\/usr\/lib\/substitute-loader.dylib", "name" : 
"substitute-loader.dylib" }, { "source" : "P", "arch" : "arm64", "base" : 7982129152, "size" : 69632, "uuid" : "7e417a07-6533-3ee7-b0de-623b5fb464fd", "path" : "\/usr\/lib\/system\/libsystem_pthread.dylib", "name" : "libsystem_pthread.dylib" } ], "sharedCache" : { "base" : 6450888704, "size" : 2334900224, "uuid" : "29b9376b-ea64-3f87-abf5-b96b6a73d75c" }, "vmSummary" : "ReadOnly portion of Libraries: Total=837.6M resident=0K(0%) swapped_out_or_unallocated=837.6M(100%)\nWritable regions: Total=545.4M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=545.4M(100%)\n\n VIRTUAL REGION \nREGION TYPE SIZE COUNT (non-coalesced) \n=========== ======= ======= \nActivity Tracing 256K 1 \nKernel Alloc Once 32K 1 \nMALLOC 541.6M 22 \nMALLOC guard page 64K 4 \nSTACK GUARD 32K 2 \nStack 1552K 2 \nVM_ALLOCATE 80K 5 \nCTF 759 1 \nDATA 26.3M 672 \nDATA_CONST 59.7M 683 \n__DATA_DIRTY 2777K 567 \nFONT_DATA 4K 1 \nLINKEDIT 191.0M 15 \nOBJC_RO 92.0M 1 \n__OBJC_RW 3520K 1 \nTEXT 646.6M 704 \nUNICODE 592K 1 \ndyld private memory 1024K 1 \nmapped file 29.1M 3 \nshared memory 48K 3 \n=========== ======= ======= \nTOTAL 1.6G 2690 \n", "legacyInfo" : { "threadTriggered" : { "queue" : "com.apple.main-thread" } }, "trialInfo" : { "rollouts" : [ { "rolloutId" : "5ffde50ce2aacd000d47a95f", "factorPackIds" : {

  },
  "deploymentId" : 240000223
},
{
  "rolloutId" : "61030413bfe6dc472e1c980c",
  "factorPackIds" : {

  },
  "deploymentId" : 240000485
}

], "experiments" : [ { "treatmentId" : "8cf30c1d-2301-4048-ba76-1b7f560bb69d", "experimentId" : "6192fb082171a2330e561df0", "deploymentId" : 400000037 } ] } }

jjolano commented 1 year ago

I'm curious to know: does version 2 work? You should be able to downgrade to it from the repo. It only depends on Cephei but not RocketBootstrap. If this does work I can reimplement the same system into version 3.

likertuban commented 1 year ago

No, it doesn't work. I tried it when I first jailbroke with palera1n, and I tried it again just now: the AppList dependency causes a respring loop, and even if I manage to enter the home screen (disabling injection in Substitute before respring, and enabling injection after respring) all apps are still crashing too.

jjolano commented 1 year ago

I forgot about AppList - that does depend on RocketBootstrap. Seems like going no-Cephei is starting to be the play, but I will have a new version specifically for palera1n to try out before that.

jjolano commented 1 year ago

@likertuban can you try version 3.2 with the Use Local Service option enabled in settings? If this still doesn't work then it's definitely Cephei 😢

likertuban commented 1 year ago

Still crashes. Is Cephei so convenient that it would hurt? :-D I would love to help you test any version for palera1n :-D If you think Cephei is hard to replace, you can just make a fake preference and remove Cephei for testing, and I will gladly test it for you, just to make sure whether the problem is coming from Shadow or Cephei.

likertuban commented 1 year ago

It even respring looped when I enabled the Use Local Service option in settings and then resprang :D

jjolano commented 1 year ago

It is pretty convenient for preferences, but I'm surprised you can access the settings without it crashing since it loads Cephei there too. I will push another update that further controls RocketBootstrap functions before fully blaming Cephei.

jjolano commented 1 year ago

Give v3.2.1 a try. Make sure "Enable Shadow Service" is disabled (it should be by default).

likertuban commented 1 year ago

@jjolano it's still crashing :-D

jjolano commented 1 year ago

No Cephei it is then. I'll start with just the tweak side for now if the settings app is working fine.

likertuban commented 1 year ago

Oh, I also just realized that your Effulgence app doesn't crash, and it's detecting Shadow, runtime modification and code injection platform.

SATIS8CHIMPALEE commented 1 year ago

Same problem, I'm following.

jjolano commented 1 year ago

Posted version 3.3 beta, which removes the dependency on Cephei entirely. See if it still crashes, although I'm unsure if preferences are applying. On my end with libhooker it works fine.

likertuban commented 1 year ago

@jjolano no app crashes after installation :D I guess it's indeed Cephei. Enabling Shadow Service causes a respring loop though; Use Local Service doesn't seem to be working, since Effulgence is able to find all 5 artefacts even after I enabled all options in the app settings.

likertuban commented 1 year ago

Trying to enable Shadow Service by force restart + re-jailbreak: no respring loop, but Effulgence still detects everything; none of the bypasses seem to be working.

jjolano commented 1 year ago

Looks like progress. Will be posting another update soon.

jjolano commented 1 year ago

@likertuban try this: https://github.com/jjolano/shadow/releases/tag/v3.3-beta.2 Keep Shadow Service disabled, since that's the switch for RocketBootstrap.

likertuban commented 1 year ago

@jjolano it's working now :') You have added libSandy as a dependency, correct? There doesn't seem to be any problem such as a respring loop; Effulgence only detected runtime modification and Shadow with Essential + Recommended enabled. Which option bypasses Effulgence's runtime modification and Shadow detection?

jjolano commented 1 year ago

That's correct. Seems libsandy might be the way going forward for modern iOS.

Runtime modification cannot (as far as I know) be bypassed easily, as in Effulgence it's designed to detect substrate hooks by its signature. It does not appear in libhooker, but likely can be detected in the same way if I do some memory inspection.

For the Shadow detection, "Runtime Class Lookups" should handle that - but it is reported to have issues with substitute.
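As an added example (not code from Shadow or Effulgence), this is the kind of prologue-signature check a detector can run to flag a substrate-style inline hook: an inline hook overwrites the first instructions of a function with a jump to the replacement, so a detector compares the live bytes of a function against known trampoline encodings. The specific arm64 `ldr x16, #8; br x16; .quad target` sequence and the sample byte buffers are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Verdicts returned by inspect_prologue(). */
enum hook_verdict { HOOK_NONE = 0, HOOK_LDR_BR_TRAMPOLINE = 1, HOOK_TOO_SHORT = -1 };

/* Decode one little-endian 32-bit arm64 instruction at p. */
static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the first 16 bytes of a function body.
 * Assumed trampoline layout (classic substrate-style arm64 hook):
 *     ldr x16, #8     -> 0x58000050
 *     br  x16         -> 0xD61F0200
 *     .quad <target>  -> 8-byte address of the replacement function
 * Returns HOOK_LDR_BR_TRAMPOLINE if that layout is present (and writes the
 * embedded target to *target_out when non-NULL), HOOK_NONE otherwise, or
 * HOOK_TOO_SHORT if fewer than 16 bytes were supplied. */
enum hook_verdict inspect_prologue(const uint8_t *code, size_t len, uint64_t *target_out) {
    if (len < 16) return HOOK_TOO_SHORT;
    if (read_u32le(code) != 0x58000050u) return HOOK_NONE;     /* not ldr x16, #8 */
    if (read_u32le(code + 4) != 0xD61F0200u) return HOOK_NONE; /* not br x16 */
    if (target_out) {
        uint64_t t = 0;
        for (int i = 7; i >= 0; i--) t = (t << 8) | code[8 + i]; /* little-endian quad */
        *target_out = t;
    }
    return HOOK_LDR_BR_TRAMPOLINE;
}

/* Constructed samples: an ordinary arm64 prologue, and the same function
 * after an inline hook replaced its first 16 bytes with the trampoline. */
static const uint8_t clean_prologue[16] = {
    0xFD, 0x7B, 0xBF, 0xA9,   /* stp x29, x30, [sp, #-16]! */
    0xFD, 0x03, 0x00, 0x91,   /* mov x29, sp */
    0xE0, 0x03, 0x1F, 0xAA,   /* mov x0, xzr */
    0xC0, 0x03, 0x5F, 0xD6    /* ret */
};
static const uint8_t hooked_prologue[16] = {
    0x50, 0x00, 0x00, 0x58,   /* ldr x16, #8 */
    0x00, 0x02, 0x1F, 0xD6,   /* br x16 */
    0x00, 0x10, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00   /* .quad 0x100001000 (assumed target) */
};

/* Wrappers over the constructed samples so the check can be exercised directly. */
enum hook_verdict check_clean_sample(void) {
    return inspect_prologue(clean_prologue, sizeof clean_prologue, NULL);
}
enum hook_verdict check_hooked_sample(void) {
    return inspect_prologue(hooked_prologue, sizeof hooked_prologue, NULL);
}
uint64_t hooked_sample_target(void) {
    uint64_t t = 0;
    inspect_prologue(hooked_prologue, sizeof hooked_prologue, &t);
    return t;
}
enum hook_verdict check_truncated_sample(void) {
    return inspect_prologue(hooked_prologue, 8, NULL);
}
```

On a real device the same routine would be pointed at the live text of a function the app cares about (for example a file-system or Objective-C runtime entry point) rather than at these buffers, and a robust detector checks several trampoline shapes rather than this one.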

jjolano commented 1 year ago

Please confirm with other apps - if it is working for the most part then I will release it as a new version.

likertuban commented 1 year ago

@jjolano hmm, it seems that enabling "Runtime Class Lookups" crashes the Effulgence app. I've tried with my bank app that could be bypassed with Shadow before, and everything is working fine just like before, and the jailbreak detection is bypassed by Shadow correctly.

likertuban commented 1 year ago

I've tried 3 different bank apps, and it's working fine on all 3 of them (I shouldn't mention the app names, just to be safe, in case the developers would patch it against Shadow if they were to realize it) :-D

likertuban commented 1 year ago

Should this issue be closed now? Or should we keep this open if you want me to keep testing anything else for palera1n iOS 15? I'll gladly test it for you :-)

jjolano commented 1 year ago

Thank you for checking. Seems it's working as it should. I'm still not sure about the whole file structure of palera1n but if it's similar to the iOS 14 jailbreaks then everything should work the same.

likertuban commented 1 year ago

> Thank you for checking. Seems it's working as it should. I'm still not sure about the whole file structure of palera1n but if it's similar to the iOS 14 jailbreaks then everything should work the same.

Hmmm, perhaps the class/method was changed by Apple in iOS 15? So when hooking a class/method the parameters might be different? I've never been able to make a tweak and honestly I'm not good at Obj-C and tweak development, so I don't really know the difference :-D Also the system structure might be different, since iOS 15 and up use rootless (but palera1n uses fakefs so it's not rootless, but it might have a different structure regardless).

jjolano commented 1 year ago

I think I may have been able to achieve the Shadow Service function without using RocketBootstrap, if you can test the next update.

likertuban commented 1 year ago

Gladly, I am ready to test it. What is the downside of using Local Service instead of Shadow Service?

jjolano commented 1 year ago

https://github.com/jjolano/shadow/releases/tag/v3.3-beta.3

jjolano commented 1 year ago

> Gladly, I am ready to test it. What is the downside of using Local Service instead of Shadow Service?

Both services are identical in features, but Shadow Service operates outside of the sandbox. Within the sandbox (the tweak itself in the app), any file operations are restricted because all the methods are hooked by the tweak. Outside of the sandbox, we can access anything and without any restriction. Currently, this allows for enhanced path resolving.

If the latest beta doesn't crash with Shadow Service turned on, I'll go ahead and release it on the repo.

likertuban commented 1 year ago

It seems that everything is working just fine: no respring loop, and the jailbreak detection bypass is also working on Effulgence and my bank app.

jjolano commented 1 year ago

v3.3 released. Thanks for your help and the useful information!