i_82 Lessica

@khanhduytran0
khanhduytran0 / LC research issue 524.md
Last active June 23, 2025 10:23
LiveContainer multitask external keyboard input research

Recap

As you may know, we recently managed to bring multitask to LiveContainer. This originally came from FrontBoardAppLauncher, which was reverse engineered from various Apple apps: ClarityBoard, SpringBoard, Xcode PreviewShell, etc. A quick recap of how we worked on it:

  • I began reverse engineering said apps to study how to use various private APIs of FrontBoard, RunningBoardServices and UIKit, which resulted in MySystemShell and FrontBoardAppLauncher
  • I found that an app could spawn multiple processes thanks to the writeup of NSExtension
  • We found we could extend the memory limit by setting a hidden NSExtensionPointIdentifier

However, as more and more people got to try it, it was reported to us that physical keyboard input wouldn't work. (LiveContainer/LiveContainer#524)

If anyone could figure it out, we will forever owe you.

@leminlimez
leminlimez / Domains.md
Last active August 14, 2025 14:00
A deep dive into the iOS backup/restore system

Domains.plist

Documentation of /System/Library/Backup/Domains.plist. File taken from iOS 16.4 iPhone SE 3. The file was removed in iOS 17.0.

Values

Values in the plist. Other than SystemDomains, these are not really important and are just here for preservation's sake.

A domain in domains.plist contains keys that determine what gets backed up for what types of devices and where (i.e. iCloud vs iTunes). Not all domains have each key. The only 2 keys that must be in every domain are RootPath and RelativePathsToBackupAndRestore. Some domains have the value ShouldDigest. I am not sure exactly what it means but I have included it for documentation purposes.

  • Version: "24.0"
  • SystemDomains: (Dictionary), see below
@elvis-iOS
elvis-iOS / disable-ssl-pin.js
Created June 25, 2023 06:39 — forked from azenla/disable-ssl-pin.js
This Frida script disables SSL pinning and verification on any target macOS Catalina process.
var SecTrustEvaluate_handle =
    Module.findExportByName('Security', 'SecTrustEvaluate');
var SecTrustEvaluateWithError_handle =
    Module.findExportByName('Security', 'SecTrustEvaluateWithError');
var SSL_CTX_set_custom_verify_handle =
    Module.findExportByName('libboringssl.dylib', 'SSL_CTX_set_custom_verify');
var SSL_get_psk_identity_handle =
    Module.findExportByName('libboringssl.dylib', 'SSL_get_psk_identity');
var boringssl_context_set_verify_mode_handle = Module.findExportByName(
    'libboringssl.dylib', 'boringssl_context_set_verify_mode');
//
// AKNativeAnisetteService.m
// akd
//
// Created by Scott Knight on 5/10/19.
// Copyright © 2019 Scott Knight. All rights reserved.
//
#import <AuthKit/AuthKit.h>
#import "AKNativeAnisetteService.h"
@yarshure
yarshure / iphone12_iOS_keys.txt
Created May 17, 2021 04:31
gestalt_query keys
Key Name                   Description
========                   ===========
3GProximityCapability      Whether the device has a 3G proximity sensor
3GVeniceCapability         Whether the device supports FaceTime over cellular
720pPlaybackCapability     Whether the device supports 720p video (identical to kMGQDeviceSupports720p)
APNCapability
ARM64ExecutionCapability   Whether the device supports executing arm64 binaries
ARMV6ExecutionCapability   Whether the device supports executing armv6 binaries
ARMV7ExecutionCapability   Whether the device supports executing armv7 binaries
ARMV7SExecutionCapability  Whether the device supports executing armv7s binaries
@Lessica
Lessica / MyStackView.swift
Created April 17, 2021 16:30
Make toggleSidebar(_:) available again while firstResponder locates inside nested NSSplitView
import Cocoa
class MyStackView: NSStackView {
    override func responds(to aSelector: Selector!) -> Bool {
        if aSelector == #selector(NSSplitViewController.toggleSidebar(_:)) {
            return false
        }
        return super.responds(to: aSelector)
    }
@pwn0rz
pwn0rz / fairplay_iokit_uc_run_versioned.c
Created February 2, 2021 05:59
CVE-2021-1791 Fairplay OOB Read POC
#include <IOKit/IOKitLib.h>
#include <mach/mach.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <ctype.h>
void hexdump(void *ptr, int buflen) {
    unsigned char *buf = (unsigned char*)ptr;
    int i, j;
@zhuowei
zhuowei / WDBSetWebSecurityEnabled.m
Created September 1, 2020 04:47
Disable same-origin policy on iOS WKWebView with private API.
// Allows disabling Same-Origin Policy on iOS WKWebView.
// Tested on iOS 12.4.
// Uses private API; obviously can't be used on app store.
@import WebKit;
@import ObjectiveC;
void WKPreferencesSetWebSecurityEnabled(id, bool);
@interface WDBFakeWebKitPointer: NSObject
@neoighodaro
neoighodaro / open_shortcut.m
Created April 5, 2020 10:46 — forked from CPDigitalDarkroom/open_shortcut.m
Open an app shortcut programmatically
- (void)openShortcut:(SBSApplicationShortcutItem *)shortcutItem {
    UIHandleApplicationShortcutAction *openAction = [[UIHandleApplicationShortcutAction alloc] initWithSBSShortcutItem:shortcutItem];
    NSDictionary *activationOptions = @{
        @"__ActivateSuspended" : [NSNumber numberWithBool:(shortcutItem.activationMode == 1)],
        @"__Actions": @[
            openAction
        ],
        @"__PromptUnlockDevice" : [NSNumber numberWithBool:YES],
@nullpixel
nullpixel / write_memory.c
Last active June 16, 2025 06:57
MSHookMemory wrapper for all modern jailbreaks.
#include <mach/mach.h> // mach_task_self, vm_protect
#include <substrate.h> // MSFindSymbol
// MARK: - Types
typedef void (*MSHookMemory_ptr_t)(void *target, const void *data, size_t size);
#define ENSURE_KERN_SUCCESS(ret) \
    if (ret != KERN_SUCCESS) { \