Post AcF7CJ9JJ22RDCMGMy by zhuowei@notnow.dev
 (DIR) Post #AcF3xqaWOni6iMUzho by zhuowei@notnow.dev
       2023-11-27T19:47:36.063885Z
       
       0 likes, 0 repeats
       
       The unreleased Cheyote jailbreak, which used the Fugu15 fast path, required tweaks to hook all functions in one call so it can resign it using the fast path (https://www.tumblr.com/coolstarorg/713631798916202496/leaving-the-jailbreak-community). However, the XinaA15 jailbreak, which used the same Fugu15 fast path (https://twitter.com/opa334dev/status/1619601941234946050), supported regular tweaks on Substrate.... how?! Does it resign pages on the fly or something?
       
 (DIR) Post #AcF6rdprCSKVHuP8hU by opa334@infosec.exchange
       2023-11-27T20:19:46Z
       
       1 likes, 0 repeats
       
       @zhuowei Xina gives all binaries the get-task-allow entitlement and then uses ptrace to attach and immediately detach, which gives the process debug flags which allows it to have unsigned executable pages.
       
 (DIR) Post #AcF7CJ9JJ22RDCMGMy by zhuowei@notnow.dev
       2023-11-27T20:23:55.213564Z
       
       0 likes, 0 repeats
       
       @opa334 Ah, thanks. I guess this wasn't possible on Cheyote because Apple patched it, or something else? I know PojavLauncher used a slightly different workaround for JIT on TrollStore where it spawns a subprocess to do TRACE_ME; I guess that's not doable on Cheyote? (https://www.reddit.com/r/jailbreak/comments/xcd2v4/news_found_way_to_achieve_wx_jit_for/) (Sorry for the stupid question.)
       
 (DIR) Post #AcFCaprjokvBOweb3I by opa334@infosec.exchange
       2023-11-27T21:12:38Z
       
       1 likes, 0 repeats
       
       @zhuowei Coolstar just wasn't aware of it, I think.
       
 (DIR) Post #AcHn2Ub4TPcMDBGUd6 by saagar@federated.saagarjha.com
       2023-11-29T00:41:41.602090Z
       
       0 likes, 0 repeats
       
       @opa334 @zhuowei Seems unlikely considering she reviewed this: https://github.com/utmapp/UTM/pull/38
       
 (DIR) Post #AcHn2VWr0Zq36OIdhA by opa334@infosec.exchange
       2023-11-29T01:18:37Z
       
       1 likes, 0 repeats
       
       @saagar @zhuowei idk maybe she forgot, also the only reason why xina was able to do it was the CoreTrust bug