Post AcPWM4VD3eFF7Gx9Dk by zhuowei@notnow.dev
2023-12-02T08:05:55.287254Z
0 likes, 0 repeats
On jailbroken iOS, there's no way to mount a .dmg over /sbin without kernel PAC and PPL bypass, right? Are there any entitlements I could try?

Context: to prototype a stupid project, I want to mount over /sbin on an iOS 14.1/Taurine jailbroken device. I could do what I want with a bunch of kernel r/w instead, but UGH... (No, the stupid project is not useful; sorry.)

What I know currently:

On iOS 14/Taurine, iOS only lets me mount a .dmg to /var/mnt, not over anything on the root FS.

Dopamine can mount anywhere since it uses the PPL bypass to disable sandboxing first (https://github.com/opa334/Dopamine/blob/0c2268f719eee5b0195321d2726694da31c30f45/BaseBin/jailbreakd/src/fakelib.m#L178), and prior to that used kernel PAC to call kernel_mount directly (https://github.com/opa334/Dopamine/blob/7d88a6ca099fed96806d21075bb14a7c3a4df3fa/BaseBin/jailbreakd/src/bind_mount.m).

(And of course checkra1n/palera1n patch out all the sandbox checks in PongoOS, so anything can mount anywhere.)
Post #AcPWM3KXPq79Tsx6wq by spv@mastodon.spv.sh
2023-12-02T14:24:42Z
0 likes, 0 repeats
@zhuowei on 14 couldn't you just *actually* overwrite the files? no ssv
Post #AcPWM4VD3eFF7Gx9Dk by zhuowei@notnow.dev
2023-12-02T20:52:47.433128Z
0 likes, 0 repeats
@spv I would like to replace /sbin/launchd with TikTok. This may potentially cause some minor bootlooping if I put it on the real root partition.
Post #AcPWjTBXSDfWKRuQVc by siguza@infosec.exchange
2023-12-02T20:09:36Z
0 likes, 0 repeats
@zhuowei how did you try to mount? `hdik -nomount` followed by `mount`? if so, did you specify readonly for the latter?
Post #AcPWjUHxLqOdkdv49Q by zhuowei@notnow.dev
2023-12-02T20:57:08.490432Z
0 likes, 0 repeats
@siguza Yes. This worked with mounting to /var/mnt.

(I already found out the -r thing after half an hour fighting with macOS to get _it_ to mount onto /sbin. I did manage to do it on macOS, although macOS 14's launchd uses Launch Constraints to check the signature of the new launchd on userspace reboot. I'm downgrading to macOS 13 specifically so I can mount over /sbin/launchd with Fate/Grand Order.app.)
Post #AcQ32VMSmgkB768i9Y by shac@ioc.exchange
2023-12-02T22:21:55Z
1 likes, 0 repeats
@zhuowei @spv You can’t replace launchd, you will regret this
Post #AcQ32Wds1SGJ5NI7vM by spv@mastodon.spv.sh
2023-12-02T22:22:34Z
1 likes, 0 repeats
@shac @zhuowei as someone with experience in this particular form of regret, i can confirm that this is accurate
Post #AcQ32ZnYHumysGqOvo by stig@toot.wales
2023-12-03T02:41:27Z
1 likes, 0 repeats
@shac @zhuowei @spv
Post #AcQ32dlDYXIZABmaqe by qwertyoruiop@nso.group
2023-12-02T21:47:17Z
0 likes, 0 repeats
@zhuowei @spv paging @enhancedscurry on this one
Post #AcQ32eYUbKiJd0pweW by enhancedscurry@mastodon.social
2023-12-02T22:13:19Z
1 likes, 0 repeats
@qwertyoruiop @zhuowei @spv The microkernel philosophy is that if you implement the MIG/IPC protocol and have everyone's task bootstrap port pointing at you, you get to be the bootstrap server. So if TikTok wants to do that, I guess you do you. You'll pretty quickly crash once CoreFoundation tries to initialize though.
Post #AcQ347PmmsotQMSmDQ by spv@mastodon.spv.sh
2023-12-02T21:45:51Z
1 likes, 0 repeats
@zhuowei i hate you so much whyyyyyyyyyyyyyyyyyyyyyyyyyyyy

also without launchd running you're not getting any display from tiktok, you need springboard and all

also if you want to do this you'll either need to use a ct bug or a platform bypass as while tiktok is signed, it doesn't have platform-application
Post #AcQ34JYNekpD4UZoHI by saagar@federated.saagarjha.com
2023-12-02T21:06:03.280788Z
1 likes, 0 repeats
@zhuowei @spv I would be shocked if this actually works
Post #AcQQcOuMYJmOTC563s by madcoder@infosec.exchange
2023-12-03T04:57:36Z
0 likes, 0 repeats
@enhancedscurry @qwertyoruiop @zhuowei @spv we killed mach on mach on iOS eons ago. Sorry.
Post #AcQQcPrZ0D8PQnmNKy by saagar@federated.saagarjha.com
2023-12-03T06:44:24.401352Z
0 likes, 0 repeats
@madcoder @enhancedscurry @qwertyoruiop @zhuowei @spv You’re no fun you know that?
Post #AcQQcQqtKCBuV0TLvc by zhuowei@notnow.dev
2023-12-03T07:23:11.911513Z
0 likes, 0 repeats
@saagar @madcoder @enhancedscurry @qwertyoruiop @spv I wondered what Mach-on-Mach was ever since I saw it while browsing XNU sources earlier this year. I had expected it to be an up-to-date thing since one of the comments was in mach_msg2 filtering. I guess we'll never know now...