Add iOS 16.7.2(arm64e) sandbox escape support#264
Draft
hxhlb wants to merge 3 commits into
Here’s a demo recording of the current implementation.
Summary
This PR adds iOS 16 support, including:
- `K_ios16()` for iOS 16 kernel pointer validation
Details
Sandbox escape
iOS 16 uses a different sandbox extension table layout from the older path. This PR adds a dedicated iOS 16 implementation that:
- `sandbox + 0x08/`
The existing sandbox escape flow remains the default path for non-iOS 16 systems. On iOS 16, `sbx_escape()` dispatches into the new iOS 16 implementation.
iOS 16 validation
This PR adds `K_ios16()`, backed by `ds_isvalid()`, for pointer validation in the iOS 16-specific sandbox path.
File operations and MobileGestalt
This PR updates file operation helpers and MobileGestalt overwrite handling so they work with the iOS 16 sandbox escape flow.
The MobileGestalt path now uses the updated sandbox/VFS handling so overwrite operations can run after the iOS 16 escape path is ready.
Xcode project and packaging changes
This PR also includes Xcode project updates required for the tested iOS 16 build path.
These changes are needed because some devices can fail installation with an `arm64e` capability error, for example:
`"lara" requires the "arm64e" capability which is not supported`
The project changes adjust the build configuration so the app can be installed and tested on the affected iOS 16 device path. The packaging script is updated alongside the project configuration to match that build flow.
Remote call
Remote Call support is still under development and is not available in this PR.
Testing
Tested locally on:
Verified:
- `/private/var/mobile/Library/Preferences` write test passes
I only have one iOS 16 device available for testing, so the current validation may be incomplete. More iOS 16 devices should be tested before marking this PR ready for review.