Skip to content

Instantly share code, notes, and snippets.

This is WIP, may contain incomplete info.

Dualboot 13.2 InternalUI

You need to find 13.2_17B45a_InternalUI_D331pAP_DVT, sha256sum ffdc84e560e14cad79916aaa9f143b225348ebca47e8fdd096a7cd47bdd0983d on the internet. I can't include the link here.

Copy all IMG4 files from the dump /usr/standalone/firmware/* (and inside FUD too) to your working dir.

Setup

Make 2 volumes from ramdisk, I have my System and Data as disk0s1s11 and disk0s1s12, mounted to /mnt1 and /mnt2 respectively.

@mineek
mineek / guide.txt
Last active June 25, 2026 16:24
block revokes permanently on enterprise certs on iOS
This will permanently block revokes and some ppq stuff.
Use this together with the profile to block some domains "without" a DNS.
Even if you don't have the profile, after applying this your device just cannot register revokes anymore. So you'll just not be able to install the app, but you will not get permanently blacklisted.
note this may lead to side effects. I am not sure. However, it does work.
AS ALWAYS, USE AT YOUR OWN RISK.
Basically all u need to do is run these commands one by one in a terminal on a jailbroken device:
@WHW0x455
WHW0x455 / bypass_pac_in_jit_public.md
Last active April 23, 2026 06:12
Bypass PAC in JIT - CVE-2024-27834
From 01129d60439367d27d4dd55669465be4e66315f2 Mon Sep 17 00:00:00 2001
From: LOLgrep <meow>
Date: Fri, 21 Nov 2025 21:15:11 -0700
Subject: [PATCH] merp
blerb
---
common/FileManager.cpp | 1 +
configs/base.xcconfig | 7 ++++++-
configs/dsc_extractor.xcconfig | 1 +
@Siguza
Siguza / sandbox_spawn.c
Created August 28, 2025 05:15
sandbox-exec but for builtin profiles
#include <spawn.h>
#include <stdint.h>
#include <stdio.h>
extern char **environ;
typedef struct
{
uint32_t version;
uint32_t size;
@EthanArbuckle
EthanArbuckle / appstoredl.m
Created June 14, 2025 15:05
appstore bulk download
/*
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.appstored.jobmanager</key>
<true/>
<key>com.apple.accounts.appleaccount.fullaccess</key>
<true/>
<key>com.apple.appstored.private</key>
<true/>
@khanhduytran0
khanhduytran0 / LC research issue 524.md
Last active June 20, 2026 04:18
LiveContainer multitask external keyboard input research

Recap

As you may have known, we recently managed to bring multitask to LiveContainer. This originally came from FrontBoardAppLauncher which was reverse engineered of various Apple apps: ClarityBoard, SpringBoard, Xcode PreviewShell, etc. A quick recap of how we worked on it:

  • I began reverse engineering said apps to study how to use various Private API of FrontBoard, RunningBoardServices and UIKit, resulted in MySystemShell and FrontBoardAppLauncher
  • I found app could spawn multiple processes thanks to the writeup of NSExtension
  • We found we could extend memory limit by setting a hidden NSExtensionPointIdentifier

However, as more and more people get to try it, we were reported that physical keyboard input wouldn't work. (LiveContainer/LiveContainer#524)

If anyone could figure it out, we will forever owe you.

Params being sent to the server are: {
AssetAudience = "02d8e57e-dd1c-4090-aa50-b4ed2aef0062";
AssetType = "com.apple.MobileAsset.iOSSimulatorRuntime";
BaseUrl = "https://mesu.apple.com/assets/macos/";
BuildID = "DCC8573C-1754-11F0-A9CC-CAEE899DAE5C";
BuildVersion = 24E263;
CertIssuanceDay = "2024-12-05";
ClientData = {
AllowXmlFallback = false;
DeviceAccessClient = xcodebuild;
@ChiChou
ChiChou / ida.swift
Last active March 10, 2026 22:11
macOS cli shortcut to open file in IDA
#!/usr/bin/env swift
import AppKit
import Foundation
guard CommandLine.arguments.count > 1 else {
fputs("Usage: \(CommandLine.arguments[0]) <file1> <file2> ...\n", stderr)
exit(1)
}
@wh1te4ever
wh1te4ever / TrollDetector.m
Last active February 9, 2026 11:45
TrollStore Detector
//
// ViewController.m
// JBDetectTest
//
// Created by seo on 3/27/25.
//
#import "ViewController.h"
#import <dlfcn.h>