thatmarcel / beepserv-rewrite

A small service that generates iMessage registration data on a jailbroken iPhone, now with an app and local state notifications
GNU Affero General Public License v3.0

Add support for Roothide Bootstrap / Serotonin #3

Open thatmarcel opened 7 months ago

thatmarcel commented 7 months ago

According to this comment from @tmcelroy2202, the tweak does not work correctly on setups running Serotonin / RootHide Bootstrap.

A part of this is launchctl not working, but there also seem to be problems with tweak injection into identityservicesd (I'm not sure whether that is supported at all).

Additionally, the app is crashing on launch.

I don't currently have a device running Serotonin / RootHide Bootstrap.

tmcelroy2202 commented 7 months ago

I'm fully willing to help with testing of solutions on my Serotonin device and also fully willing to provide further logs from my Serotonin device. I understand developing this without actually physically having the device is unrealistic though.

thatmarcel commented 7 months ago

I think porting the tweak to TrollStore / RootHide / Serotonin should be possible by utilizing the same method the mac-registration-provider uses, without hooking the running identityservicesd process at all. That said, I don't know whether I'll have the time and motivation to do that any time soon.

JJTech0130 commented 7 months ago

Unfortunately the process mac-registration-provider uses cannot be replicated on iOS. The reason for this is twofold:

However, it is probably possible to come up with something that would work. Since this is TrollStore, you can sign any binary with arbitrary entitlements, right? So you could in theory either create a patched version of identityservicesd on the fly and give yourself the necessary XPC entitlements, or you could distribute a patched and signed version of identityservicesd inside the IPA.

itsjunetime commented 7 months ago

What prevents one from dlopen()ing binaries on iOS? Like, what would you need to patch? And would it not be possible to just mmap the binary data into memory, mark the memory as rx and execute it? (I know on normal iOS you can't mark pages as rx, but I don't know if jailbreaks can)

JJTech0130 commented 7 months ago

iOS dyld is more strict about what binary types it will dlopen(): the Mach-O header has to be patched to say it is a dylib, plus a few other changes like removing the null page.

EDIT: Found the repo: https://github.com/jevinskie/dylibify
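
Added illustration of the first of those header changes, in plain Python (this is not code from beepserv-rewrite or from dylibify): it parses the mach_header_64 and the LC_SEGMENT_64 load commands, flips the filetype field from MH_EXECUTE to MH_DYLIB, and reports whether a __PAGEZERO segment (the null page) is still present. The input is a constructed sample consisting of just a header and two empty segments, not a real binary; dropping __PAGEZERO and fixing up whatever depends on it is left out here, and any such patch invalidates the code signature, so the result has to be re-signed before dyld will take it.

```python
import struct

# Constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_EXECUTE = 0x2
MH_DYLIB = 0x6
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C

# mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_FMT = "<IiiIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 32 bytes
FILETYPE_OFFSET = 12                       # 4th u32 of the header
# segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff,
# filesize, maxprot, initprot, nsects, flags
SEG_FMT = "<II16sQQQQiiII"
SEG_SIZE = struct.calcsize(SEG_FMT)        # 72 bytes


def parse_header(data: bytes) -> dict:
    """Decode mach_header_64; reject anything that is not LE 64-bit Mach-O."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a mach_header_64")
    names = ("magic", "cputype", "cpusubtype", "filetype",
             "ncmds", "sizeofcmds", "flags", "reserved")
    hdr = dict(zip(names, struct.unpack_from(HEADER_FMT, data, 0)))
    if hdr["magic"] != MH_MAGIC_64:
        raise ValueError("unexpected magic 0x%08x" % hdr["magic"])
    return hdr


def iter_load_commands(data: bytes):
    """Yield (cmd, cmdsize, offset) with bounds checks on ncmds/sizeofcmds."""
    hdr = parse_header(data)
    off, end = HEADER_SIZE, HEADER_SIZE + hdr["sizeofcmds"]
    if end > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    for _ in range(hdr["ncmds"]):
        if off + 8 > end:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize at offset %d" % off)
        yield cmd, cmdsize, off
        off += cmdsize


def segments(data: bytes) -> list:
    """Return the LC_SEGMENT_64 commands as dicts (name, vmaddr, vmsize, offset)."""
    out = []
    for cmd, cmdsize, off in iter_load_commands(data):
        if cmd != LC_SEGMENT_64:
            continue
        if cmdsize < SEG_SIZE:
            raise ValueError("LC_SEGMENT_64 shorter than segment_command_64")
        f = struct.unpack_from(SEG_FMT, data, off)
        out.append({"name": f[2].rstrip(b"\0").decode("ascii"),
                    "vmaddr": f[3], "vmsize": f[4], "offset": off})
    return out


def has_pagezero(data: bytes) -> bool:
    """True if the null-page segment is still present (dylibs must not have it)."""
    return any(s["name"] == "__PAGEZERO" for s in segments(data))


def patch_filetype_to_dylib(data: bytes) -> bytes:
    """Return a copy with filetype MH_EXECUTE rewritten to MH_DYLIB."""
    hdr = parse_header(data)
    if hdr["filetype"] != MH_EXECUTE:
        raise ValueError("expected MH_EXECUTE, got filetype %d" % hdr["filetype"])
    buf = bytearray(data)
    struct.pack_into("<I", buf, FILETYPE_OFFSET, MH_DYLIB)
    return bytes(buf)


def build_sample_executable() -> bytes:
    """Constructed sample: an arm64 MH_EXECUTE header with an empty __PAGEZERO
    and __TEXT segment and no section data. Header only, not a loadable binary."""
    segs = [  # name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot
        ("__PAGEZERO", 0, 0x100000000, 0, 0, 0, 0),
        ("__TEXT", 0x100000000, 0x4000, 0, 0x4000, 5, 5),
    ]
    cmds = b"".join(
        struct.pack(SEG_FMT, LC_SEGMENT_64, SEG_SIZE, name.encode().ljust(16, b"\0"),
                    vmaddr, vmsize, fileoff, filesize, maxprot, initprot, 0, 0)
        for name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot in segs)
    # flags 0x200085 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL | MH_PIE
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         len(segs), len(cmds), 0x200085, 0)
    return header + cmds


if __name__ == "__main__":
    sample = build_sample_executable()
    patched = patch_filetype_to_dylib(sample)
    print("filetype before/after:", parse_header(sample)["filetype"],
          parse_header(patched)["filetype"])
    print("segments:", [s["name"] for s in segments(patched)])
    print("__PAGEZERO still present:", has_pagezero(patched))
```

Run it against a real executable by reading the file into `data` instead of calling `build_sample_executable()`; fat (universal) binaries need the arm64 slice extracted first, since `parse_header` only accepts a thin 64-bit Mach-O.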

tmcelroy2202 commented 6 months ago

This should be doable now with the release of dopamine ( https://ellekit.space/dopamine/ ), as dopamine is a full jailbreak, yes?