
@Kyle-Ye
Last active October 5, 2024 08:44
Launch iPhone Mirroring.app on macOS 15 Beta 1

Inspired by https://infosec.exchange/@jjtech/112612685494089718

Method 1: LLDB

Step 0

Reboot into Recovery OS and disable SIP:

csrutil disable

Step 1

Launch the binary via lldb. It exits immediately.

lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
(lldb) run
Process 3819 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 3819 exited with status = 0 (0x00000000)

Add a breakpoint at the SwiftUI App main entry to investigate. It still exits.

b 0x10000c840
(lldb) run
Process 5078 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5078 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
->  0x10000c840 <+0>:  adrp   x17, 4
    0x10000c844 <+4>:  add    x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
    0x10000c848 <+8>:  ldr    x16, [x17]
    0x10000c84c <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.

(lldb) c
Process 5078 resuming
Process 5078 exited with status = 0 (0x00000000)

Step 2

Add a breakpoint on the exit stub (0x10000c9c0) and get the backtrace.

lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
b 0x10000c840
b 0x10000c9c0

(lldb) run
Process 5113 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
->  0x10000c840 <+0>:  adrp   x17, 4
    0x10000c844 <+4>:  add    x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
    0x10000c848 <+8>:  ldr    x16, [x17]
    0x10000c84c <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.

(lldb) c
Process 5113 resuming
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
iPhone Mirroring`exit:
->  0x10000c9c0 <+0>:  adrp   x17, 4
    0x10000c9c4 <+4>:  add    x17, x17, #0x2c0 ; (void *)0x0c568001865c9730
    0x10000c9c8 <+8>:  ldr    x16, [x17]
    0x10000c9cc <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
    frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
    frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
    frame #3: 0x00000001b630470c SwiftUI`merged @objc SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 140
    frame #4: 0x00000001867eb504 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 148
    frame #5: 0x000000018687bf04 CoreFoundation`___CFXRegistrationPost_block_invoke + 88
    frame #6: 0x000000018687be4c CoreFoundation`_CFXRegistrationPost + 436
    frame #7: 0x00000001867b9a24 CoreFoundation`_CFXNotificationPost + 732
    frame #8: 0x000000018793c954 Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 88
    frame #9: 0x000000018a2e11b8 AppKit`-[NSApplication finishLaunching] + 248
    frame #10: 0x000000018a2e0e84 AppKit`-[NSApplication run] + 252
    frame #11: 0x000000018a2b74a8 AppKit`NSApplicationMain + 888
    frame #12: 0x00000001b541bea0 SwiftUI`merged generic specialization <SwiftUI.TestingAppDelegate> of function signature specialization <Arg[0] = Existential To Protocol Constrained Generic> of SwiftUI.runApp(__C.NSResponder & __C.NSApplicationDelegate) -> Swift.Never + 160
    frame #13: 0x00000001b57d05d0 SwiftUI`SwiftUI.runApp<τ_0_0 where τ_0_0: SwiftUI.App>(τ_0_0) -> Swift.Never + 84
    frame #14: 0x00000001b5aa01dc SwiftUI`static SwiftUI.App.main() -> () + 224
    frame #15: 0x0000000100008a20 iPhone Mirroring`___lldb_unnamed_symbol437 + 92
    frame #16: 0x000000018638d298 dyld`start + 2876

Step 3

We are almost there. The problem is that it calls exit(0) from -[iPhone_Mirroring.AppDelegate applicationWillFinishLaunching:].

So we can just add a breakpoint at the start of that function and return from it with thread return.
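Where the breakpoint address comes from: in the backtrace above, frame #1 is the return address inside the app binary (0x10000aa78) at ___lldb_unnamed_symbol473 + 116, and the function entry is that address minus the offset. As an added example (not part of the gist), a small parser of lldb bt output that locates the first app-binary frame above the exit stub and derives the entry address; the backtrace excerpt is constructed from the frames shown above.

```python
import re

# Constructed excerpt of the `bt` output shown above (frames 0-2 are what matter here).
BACKTRACE = """\
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
    frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
    frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
"""

# One lldb frame line: index, pc, module`symbol, and an optional "+ offset" (decimal).
FRAME_RE = re.compile(
    r"frame #(?P<idx>\d+): 0x(?P<pc>[0-9a-f]+) (?P<module>[^`]+)`(?P<symbol>.*?)(?: \+ (?P<off>\d+))?$"
)

def parse_backtrace(text):
    """Turn lldb `bt` text into a list of frame dicts, innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.search(line.strip())
        if m:
            frames.append({
                "idx": int(m["idx"]),
                "pc": int(m["pc"], 16),
                "module": m["module"],
                "symbol": m["symbol"],
                "offset": int(m["off"] or 0),
            })
    return frames

def find_exit_caller(frames, module="iPhone Mirroring", exit_symbol="exit"):
    """First frame inside the app binary above the exit() stub, or None."""
    past_exit = False
    for f in frames:
        if f["symbol"] == exit_symbol:
            past_exit = True      # skip the stub itself
            continue
        if past_exit and f["module"] == module:
            return f              # here: frame #1, ___lldb_unnamed_symbol473 + 116
    return None

def function_entry(frame):
    """Return address minus symbol offset = first instruction of the calling function."""
    return frame["pc"] - frame["offset"]

if __name__ == "__main__":
    caller = find_exit_caller(parse_backtrace(BACKTRACE))
    print(f"b 0x{function_entry(caller):x}")   # lldb command to break on the caller
```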

(lldb) run
(lldb) b 0x000000010000aa04
Breakpoint 3: where = iPhone Mirroring`___lldb_unnamed_symbol473, address = 0x000000010000aa04
(lldb) c
Process 6907 resuming
Process 6907 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x000000010000aa04 iPhone Mirroring`___lldb_unnamed_symbol473
iPhone Mirroring`___lldb_unnamed_symbol473:
->  0x10000aa04 <+0>:  pacibsp
    0x10000aa08 <+4>:  stp    x20, x19, [sp, #-0x20]!
    0x10000aa0c <+8>:  stp    x29, x30, [sp, #0x10]
    0x10000aa10 <+12>: add    x29, sp, #0x10
Target 0: (iPhone Mirroring) stopped.
(lldb) thread return
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> ():
->  0x1b6304148 <+948>: mov    x0, x21
    0x1b630414c <+952>: bl     0x1b665cae8    ; symbol stub for: swift_unknownObjectRelease
    0x1b6304150 <+956>: mov    x0, x19
    0x1b6304154 <+960>: bl     0x1b665c388    ; symbol stub for: objc_release
(lldb) continue

That's all. Done.

Method 2: DYLD_INSERT_LIBRARIES

git clone https://github.com/Kyle-Ye/iPhoneMirroringInject.git
cd iPhoneMirroringInject
./build.sh

See the iPhoneMirroringInject repo for details.

IsThisTheCrustyCrab-was-taken commented Jun 26, 2024

> A Sandbox Apple ID also works; as said above, it only needs to log in to the App Store, not device iCloud. Not sure if it's easier, but I already had a sandbox Apple ID for dev purposes. I created a copy of the eligibility.plist and just sudo cp modified.plist /private/var/db/os_eligibility/eligibility.plist when needed. I wonder how the check is done on the device; would be cool to have a feature flag that disables geo restriction.
>
> P.S. You can use blacktop's ipsw tool to decrypt iOS 18 IPSWs, as well as split the dyld shared cache to get the binary for Sharing.framework.
>
> Assume the above doesn't mean we could sideload an app that uses that framework to start the continuity shell 🤔
>
> Good luck to anyone involved/trying to bypass region lock 👋

How'd you manage to log into the App Store using a Sandbox ID? I created one in App Store Connect, but every time I try to use it to log in to the App Store, it just immediately logs me back out again :/

@filipef101

> How'd you manage to log into the App Store using a Sandbox ID? I created one in App Store Connect, but every time I try to use it to log in to the App Store, it just immediately logs me back out again :/

I do it via Settings. Note that with a sandbox Apple ID you cannot make purchases or sign up for trials (it will reject adding any payment mechanism to the account). I only used it because I already had it.

@filipef101

If anyone has an issue where the space bar doesn't add a space while mirroring, disable Full Keyboard Access under Accessibility.

filipef101 commented Jun 26, 2024

Ways I believe people are doing the region bypass on iOS:

  • Load a custom/modified IPSW (security researchers), which means they can do anything they want.
  • Some trick with backups, i.e. this edit of the backup that is supposed to bypass the region lock for the new Siri: /usr/libexec/PlistBuddy -c "Set :bypassDeviceSupportsSAE true" ~/Library/Preferences/com.apple.assistant.plist, so something like this may exist for bypassing the region lock of ScreenContinuity.
  • An undisclosed exploit; the main reason it is not shared is NDAs and bug bounties.

@trinityhades

Do you guys know whether or not changing your App Store account to an EU-based account is enough to allow the use and download of third-party browsers? I really want a Chromium-based browser on my iPhone even though I'm in the US.

@EmptyEnergy

Has @JJTech0130 still not released the exploit? I see all these people on Twitter enabling features, but they won't tell us how. If it's a private exploit, why is @JJTech0130 sharing it with people then?

feyli commented Jun 29, 2024

> Has @JJTech0130 still not released the exploit? I see all these people on Twitter enabling features, but they won't tell us how. If it's a private exploit, why is @JJTech0130 sharing it with people then?

@EmptyEnergy when you say « all these people on twitter », do you just mean luna? Because I haven't seen anyone else who was able to get it to work in the EU.

@EmptyEnergy

> Has @JJTech0130 still not released the exploit? I see all these people on Twitter enabling features, but they won't tell us how. If it's a private exploit, why is @JJTech0130 sharing it with people then?
>
> @EmptyEnergy when you say « all these people on twitter », do you just mean luna? Because I haven't seen anyone else who was able to get it to work in the EU.

https://x.com/little_34306/status/1806943300387246224?s=46

koubafire commented Jul 5, 2024

> Use a US App Store account (not Apple ID) on both iPhone and Mac. That works for the EU!

How can I change region without using a US Apple ID account? I have three active subscriptions.

@ghofur27

IMG_0901

working 100%

vlbosch commented Jul 25, 2024

> IMG_0901
>
> working 100%

Will you share this project?
