Dev:Updating extensions for iOS 7

This is an informal collection of advice; feel free to add to it and rearrange. A lot of this is from #theos on irc.saurik.com - if you're working on updating your tweaks and you use Theos, join in and share what you've learned (see IRC).

How to compile for ARM64
Tweak binaries must contain an arm64 slice in order to be loaded into 64-bit processes. If you don't need to support iOS 4.2.1 or older, ensure Xcode 5 is installed and set  in your Makefile:

You will also need updated builds of any libraries you link against, each containing an arm64 slice. To get the updated Substrate dylib, see saurik's instructions below, starting from the  of the Substrate deb.

How to compile for ARMv6 and ARM64
These instructions only use first-party components from Apple, DHowett, and saurik (and were written by saurik).

The idea is that we are going to use parts of Xcode 4 (which you don't have to install: you might just have it sitting in /Volumes) to "fix" parts of Xcode 5 so that it can target armv6 (Xcode 4.4.1 is needed for this).

Then, we download Theos directly from DHowett's code repository, and add in the parts it needs from the various packages provided by saurik.

Finally, in our Theos Makefile, we specify that we want to target iOS 2.0 using the 7.0 SDK, and that we want both ARMv6 and ARM64 slices.

Alternative method
This is slightly more complicated. You compile an armv6 slice using the 5.1 SDK and a separate arm64 slice using the 7.0 SDK, then stitch the two together with lipo. This blog post describes how to do that manually; rpetrich has created a Theos fork that does it automatically for you.

Setup rpetrich’s theos:

(note from rpetrich: theos should be a submodule for my fork, not installed in a system path. System paths are dangerous.)

Install headers:

Setup the Makefile

rpetrich's Theos uses the Objective-C runtime's own method-replacement APIs for hooking instead of MobileSubstrate, so it doesn't link against Substrate by default. This is fine if you are only hooking Objective-C messages, but if you need MSHookFunction you have to tell Theos to link against libsubstrate:

(note from saurik: I highly disrecommend not using Substrate's MSHookMessage implementation; I never understood why rpetrich doesn't use it, but on multiple occasions the way we hook messages has had to change, and centralizing it in Substrate means that I can fix it once for everyone's compiled extensions... this happened last as recently as iOS 5, and all of rpetrich's extensions had to be recompiled and redeployed, which is reasonably fine for him as he's insanely productive and around constantly, but for most people you should please just use the centralized implementation.)

To use Substrate for hooking, either add this at the top of your Logos source file (e.g., Tweak.xm):

Or add it to your target's Logos flags:

Example Projects: Take a look at the Makefiles of these projects:


 * https://dl.dropboxusercontent.com/u/15373/Other/iPhone/ilogit-tweak-ios7-example.tar
 * https://github.com/joedj/ExchangePolicyCleaner/blob/master/Makefile#L3
 * https://github.com/a3tweaks/Flipswitch

ARM64 on Linux
Using Darling, Apple's official toolchain can be run on Linux. Once Darling is installed, eswick's theos fork can be used to build for ARM64.

XcodeDefault.xctoolchain (obtain from a Mac, or download Xcode from Apple's website) needs to be placed in $THEOS/toolchain, and $THEOS/sdk needs to point to the iOS 7 SDK, like so:

See the full blog post here for step-by-step instructions.

Updating code for ARM64
Read Apple's documentation on ARM64: "Converting Your App to a 64-Bit Binary"

If you need to specifically test for 64-bit:

Detecting iOS 7
Detecting whether code is being compiled for iOS 7.0 or higher:

Note that this is a compile-time check: it tells you which SDK the slice was built against, not which iOS the process is running on. To check for iOS 7 at runtime, compare against the CoreFoundation version:

Apple often forgets to add new version number constants to their headers, so you may need to define the version numbers yourself:

See CoreFoundation.framework for a full list.
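The three checks above (64-bit slice, compile-time SDK, runtime OS version) collected into one header-style listing, as an added example rather than code from the original page. The constant values are the ones later CoreFoundation.framework headers define; the fallback `#ifndef` guards are the workaround the text describes for SDKs that lack them. `ConfigureForCurrentOS` is a placeholder for your own code.

```objective-c
#import <Foundation/Foundation.h>
#import <CoreFoundation/CoreFoundation.h>
#import <Availability.h>

// Fallbacks for constants missing from older SDK headers. Values match the
// definitions in later CoreFoundation.framework headers.
#ifndef kCFCoreFoundationVersionNumber_iOS_6_1
#define kCFCoreFoundationVersionNumber_iOS_6_1 793.00
#endif
#ifndef kCFCoreFoundationVersionNumber_iOS_7_0
#define kCFCoreFoundationVersionNumber_iOS_7_0 847.20
#endif
#ifndef kCFCoreFoundationVersionNumber_iOS_7_1
#define kCFCoreFoundationVersionNumber_iOS_7_1 847.24
#endif

// Compile time: was this slice built against the iOS 7.0 SDK or newer?
// __IPHONE_OS_VERSION_MAX_ALLOWED comes from Availability.h; 70000 is iOS 7.0.
#if __IPHONE_OS_VERSION_MAX_ALLOWED >= 70000
#define BUILT_AGAINST_IOS7_SDK 1
#else
#define BUILT_AGAINST_IOS7_SDK 0
#endif

// Run time: is the process executing on iOS 7.0 or later? Comparing the
// CoreFoundation version avoids parsing -[UIDevice systemVersion] strings.
static inline BOOL IsRunningiOS7OrLater(void) {
    return kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_7_0;
}

// 64-bit: clang defines __LP64__ for arm64 (and for the x86_64 simulator).
static inline BOOL IsSixtyFourBitSlice(void) {
#if __LP64__
    return YES;
#else
    return NO;
#endif
}

// Placeholder showing how the checks combine: an iOS 7-only code path must be
// guarded at compile time (so the tweak still builds against the 6.1 SDK) and
// at run time (so the armv7 slice behaves on an iOS 6 device).
static void ConfigureForCurrentOS(void) {
    NSLog(@"iOS 7 SDK: %d  running iOS 7+: %d  64-bit: %d  sizeof(NSInteger)=%zu",
          BUILT_AGAINST_IOS7_SDK, IsRunningiOS7OrLater(), IsSixtyFourBitSlice(),
          sizeof(NSInteger));
    if (IsRunningiOS7OrLater()) {
#if BUILT_AGAINST_IOS7_SDK
        // iOS 7-only API calls go here: they compile only against the new SDK
        // and execute only when the running OS actually provides them.
#endif
    } else {
        // Legacy path for iOS 6 and earlier. The arm64 slice never reaches it,
        // since 64-bit devices shipped with iOS 7.
    }
}
```

The runtime comparison uses `>=` on purpose: `kCFCoreFoundationVersionNumber` moves with point releases (7.1 reports 847.24), so testing for equality with the 7.0 constant would break on the next update.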

Updating Cydia Depictions
It's best to make the depiction's background transparent so that it matches Cydia's background. Just add the following to your depiction's header:

And in your CSS:

Cydia's table cell styling hasn't currently been changed to reflect the iOS 7 UI, so no other CSS needs updating.

Theos bootstrap.sh patch for ARM64
01:03:36 [theos] rpetrich pushed 1 new commit to master: http://git.io/ankV8g
01:03:36 theos/master f6ebd79 Ryan Petrich: Workaround bootstrap problems on Xcode 5.x (temporary fix for now)

Dealing with 32-bit and 64-bit
12:38:15 <%joedj> sbingner: i did find this question (and the response 2 posts down) interesting, i'm not sure what they're talking about: https://www.mikeash.com/pyblog/friday-qa-2013-09-27-arm64-and-you.html#comment-7436311d02c5a55738d1baefa03b0d34
09:55:43 <@rpetrich> joedj: it's a bug with the components that communicate with the App Store

Theos and ldid errors
19:02:14 I've been off the jailbreak train for awhile now. Trying to reinstall theos, getting some build failures when trying to install ldid, anybody know if there's a quick fix?
19:02:52 like, error: unknown type name '__darwin_intptr_t'
19:02:59 and, error: unknown type name '__uint32_t'; did you mean 'uint32_t'?
19:05:27 < Alcatraz> are you trying to compile ldid on mac?
19:05:55 following step 4 of http://iphonedevwiki.net/index.php/Theos/Getting_Started
19:06:10 < Alcatraz> yeah compiling it has been broken for some time
19:06:27 < Alcatraz> has to do with xcode 5
19:06:32 < Alcatraz> pretty sure anyway
19:06:50 ldid is a dependency of theos though right?
19:07:01 < Alcatraz> yeah. you can ask someone on here for a copy
19:08:05 yoshbu, wget http://ac3xx.com/ldid -O $THEOS/bin/ldid && chmod +x $THEOS/bin/ldid

Accessing the device's UDID
UDID access is blocked by default on iOS 7: iOS substitutes a generated identifier in UIDevice's uniqueIdentifier property. Use  and link against libMobileGestalt.dylib to get the real device ID from system processes or from apps installed to /Applications. The device ID is completely inaccessible from App Store processes and from some daemons.

For App Store apps, it appears you can still retrieve the UDID from MobileGestalt with a private entitlement:

Debugging on iOS 7
To get remote debugging working on iOS 7 and 64-bit devices, see the instructions at debugserver.

You may also be interested in this explanation of "how to run lldb if you are familiar with the gdb command set".

You can follow these instructions http://www.peterfillmore.com/2013/01/disabling-aslr-on-individual-ios.html to disable ASLR for a process, so that methods sit at the same addresses IDA or Hopper show for the binary on disk.

State of debuggers on iOS 7
saurik commented on JailbreakQA : The build of GDB from Xcode 4.4 (Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/libexec/gdb/gdb-arm-apple-darwin) can be pseudosigned with ldid and run on a 32-bit device with reasonable success. Apple no longer maintains gdb (as it being GPL would have required them to release source code for it) nor have they released any source code for anything in Xcode 5 (including lldb, and it sounds like for LLVM they are only semi-interested in contributing their ARM64 backend... so we'll have to see on that one...); in essence, we are currently "out of luck" with regards to debugging on 64-bit devices unless someone burns a bunch of time porting or writing a debugger themselves. It sounds like you got close doing remote debugging from Xcode, though: maybe someone (you?) could work on a Substrate extension to whatever is checking process ownership on the device (probably the lldb moral equivalent of gdb-server) and publish instructions on the dev wiki? (edit:) On the remote debugging front, crash-x indicates there might be useful instructions for getting a remote lldb to connect through debugserver in the following presentation: https://speakerd.s3.amazonaws.com/presentations/43ca7dd05d120131795d129291fe58eb/Taking_Advantage_of_the_Runtime.pdf

The information at debugserver is partially based on that presentation.

For details on running gdb and pseudo-signing it with ldid for running on 32-bit devices, see pod2g's instructions, but you'll probably want to use lldb instead.

Miscellaneous

 * Printing a stack trace doesn't show symbols.
 * Wee apps' (Notification Center widgets) principal class must now be a view controller subclass instead of implementing a protocol.

Missing icons

 * After copying an app to /Applications and respringing, sometimes the icon doesn't appear. Also if it was there before, sometimes it can disappear.

 * Apps installed to /Applications stop launching after a while with this error:

backboardd[12261] : Launch Services: Registering unknown app identifier libactivator failed
backboardd[12261] : Launch Services: Unable to find app identifier libactivator
backboardd[12261] : Can't create application "libactivator" without a bundle path

Or their icons disappear after this happens:

lsd[11724] : LaunchServices: Updating identifier store
/usr/libexec/lsd[11724] : Need to synchronize with MobileInstallation
/usr/libexec/lsd[11724] : LaunchServices: Adding com.malcolmhall.PhoneNumberTest to unregister list
/usr/libexec/lsd[11724] : LaunchServices: Adding com.malcolmhall.AppWhere to unregister list
/usr/libexec/lsd[11724] : LaunchServices: Adding libactivator to unregister list
lsd[11724] : LaunchServies: No placeholder bundle to remove for com.malcolmhall.AppWhere.

ARM64-specific

 * Hooking a method that takes a struct can give the wrong layout of fields on arm64, because NSInteger, CGFloat and pointer fields all double in width there. Wrapping the struct in #pragma pack(push,4) before and #pragma pack(pop) after may fix it, but you really need to use the debugger and view the memory to be sure what the callee actually receives.
 * Using MSHookMessage on arm64 requires the original function pointer to be declared with its full parameter list; a prototype-less pointer passes the arguments as variadic, which the arm64 calling convention places differently from fixed arguments, and the call segfaults at runtime.
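Both arm64 notes in one listing, added here as an example (it is not code from the original page and `HypotheticalClass`, `-applyParams:` and the `ExampleParams` struct are invented for the illustration). It logs the natural and `pack(4)` layouts of the struct so they can be compared against a memory dump from the debugger, and installs an MSHookMessageEx hook whose saved original carries the full prototype.

```objective-c
#import <Foundation/Foundation.h>
#import <CoreGraphics/CGBase.h>
#import <objc/runtime.h>
#import <substrate.h>
#import <stddef.h>

// Hypothetical struct standing in for one passed by value to a hooked method.
// NSInteger, CGFloat and pointers all double in width on arm64, so the field
// offsets and the total size differ from what the armv7 build saw.
typedef struct {
    uint32_t  flags;    // offset 0 on both ABIs
    NSInteger count;    // armv7: offset 4 (4 bytes)   arm64: offset 8 (8 bytes)
    CGFloat   scale;    // armv7: offset 8 (float)     arm64: offset 16 (double)
    void     *context;  // armv7: offset 12            arm64: offset 24
} ExampleParams;        // armv7: size 16              arm64: size 32

// Same fields wrapped in the #pragma pack(push,4)/pop from the note above.
// On arm64 this yields offsets 0/4/12/20 and size 24; on armv7 nothing changes.
#pragma pack(push, 4)
typedef struct {
    uint32_t  flags;
    NSInteger count;
    CGFloat   scale;
    void     *context;
} ExampleParamsPacked4;
#pragma pack(pop)

// Log every field offset so the compiled layout can be checked against the
// bytes the callee really receives (see hexDump below).
static void logLayout(void) {
    NSLog(@"natural: count@%zu scale@%zu context@%zu size=%zu",
          offsetof(ExampleParams, count), offsetof(ExampleParams, scale),
          offsetof(ExampleParams, context), sizeof(ExampleParams));
    NSLog(@"pack(4): count@%zu scale@%zu context@%zu size=%zu",
          offsetof(ExampleParamsPacked4, count), offsetof(ExampleParamsPacked4, scale),
          offsetof(ExampleParamsPacked4, context), sizeof(ExampleParamsPacked4));
}

// Hex dump of an object's bytes, the same view `memory read` gives in lldb.
static void hexDump(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    NSMutableString *s = [NSMutableString string];
    for (size_t i = 0; i < n; i++) {
        [s appendFormat:@"%02x%@", b[i], ((i + 1) % 8 == 0) ? @"\n" : @" "];
    }
    NSLog(@"\n%@", s);
}

// Hook of the hypothetical -[HypotheticalClass applyParams:]. The saved
// original has the full prototype: a bare `id (*orig)()` would hand the
// arguments over as variadic, which the arm64 ABI places differently from
// fixed arguments, and the call would crash.
typedef void (*ApplyParamsIMP)(id self, SEL _cmd, ExampleParams params);
static ApplyParamsIMP origApplyParams;

static void hookedApplyParams(id self, SEL _cmd, ExampleParams params) {
    NSLog(@"applyParams: flags=%u count=%ld scale=%f context=%p",
          params.flags, (long)params.count, (double)params.scale, params.context);
    hexDump(&params, sizeof params);
    origApplyParams(self, _cmd, params);
}

__attribute__((constructor)) static void installHook(void) {
    logLayout();
    Class cls = objc_getClass("HypotheticalClass");
    if (cls) {
        MSHookMessageEx(cls, @selector(applyParams:), (IMP)hookedApplyParams,
                        (IMP *)&origApplyParams);
    }
}
```

If the offsets logged by `logLayout` do not line up with the bytes `hexDump` prints for a live call, the struct definition you compiled against is not the one the callee uses; fix the field types (or the packing) rather than the hook.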

Inter-process communication
 * CPDistributedMessagingCenter, XPC and other IPC methods built on top of bootstrap-registered mach services don't work from sandboxed apps on iOS 7; you get "deny lookup" in the Xcode console.

Workaround: rpetrich has built RocketBootstrap.

Install it from Cydia, or add a dependency on com.rpetrich.rocketbootstrap to your deb. Download bootstrap.h and rocketbootstrap.h from https://github.com/rpetrich/RocketBootstrap/tree/master. You will also need to copy `librocketbootstrap.dylib` from `/usr/lib` on your device to `$THEOS/lib` and link against it in your Makefile:

Example usage (server inside a SpringBoard tweak):

Example usage (client from sandboxed app):

If you want to run a server inside a daemon, you still need a simple SpringBoard tweak that just calls bootstrap_unlock with the service name (take the code from the RocketBootstrap header and include bootstrap.h). Then you can run a server with the same name inside your daemon. rocketbootstrap_distributedmessagingcenter_apply must still be called on both the server and the clients. It even works for sendMessageAndReceiveReplyName.

Usage notes:

You shouldn't be registering Mach services in sandboxed apps; RocketBootstrap allows exposing services to sandboxed apps, but can't allow exposing services from sandboxed apps without exposing a very large security flaw.

Assuming there aren't any security problems, actually calling a service that's running inside of an app from SpringBoard (which is usually what people want to do) is problematic. Backgrounding apps causes them to enter a frozen "SIGSTOP" state, which means any calls to the service running inside of the app will block indefinitely.

Even if that is suppressed, it could happen that the SpringBoard part attempts to call the service running in the app at the same time as the app is trying to call any of the usual SpringBoard services. When that happens, they deadlock. This might happen infrequently, but it's a really bad failure case in that the system just hangs. Real users will encounter it, if it's present.

You can call from a background thread (not good, it could stay alive for a long time), or use timeouts (not good, now you have to tune it and you get UI hitches) or use asynchronous code (not bad, but it's more work than you may be willing to go through).
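The server-in-SpringBoard / client-in-app pattern from the steps above, written out as an added example (not RocketBootstrap's own sample code). The service name `com.example.mytweak.server`, the message name `echo` and the dictionary keys are made up; `rocketbootstrap_distributedmessagingcenter_apply` is the call from rocketbootstrap.h that the text describes, and the CPDistributedMessagingCenter methods are the ones from AppSupport. Server and client are shown in one listing for brevity; in practice the server lives in the SpringBoard tweak and the client in the app, each linked against librocketbootstrap.dylib. The client keeps the blocking round trip off its main thread so a busy or absent server cannot stall its UI, in line with the usage notes above.

```objective-c
#import <Foundation/Foundation.h>
#import <AppSupport/CPDistributedMessagingCenter.h>
#import <unistd.h>
#import "rocketbootstrap.h"   // from the RocketBootstrap repository, as noted above

// Hypothetical names; use your own reverse-DNS service name.
static NSString * const kExampleServiceName = @"com.example.mytweak.server";
static NSString * const kExampleMessageName = @"echo";

#pragma mark - Server (runs inside SpringBoard)

@interface ExampleIPCServer : NSObject
+ (instancetype)sharedServer;
- (void)start;
@end

@implementation ExampleIPCServer

+ (instancetype)sharedServer {
    static ExampleIPCServer *server;
    static dispatch_once_t once;
    dispatch_once(&once, ^{ server = [[self alloc] init]; });
    return server;
}

- (void)start {
    CPDistributedMessagingCenter *center =
        [CPDistributedMessagingCenter centerNamed:kExampleServiceName];
    // Makes the mach service reachable from sandboxed clients; call it before use.
    rocketbootstrap_distributedmessagingcenter_apply(center);
    [center runServerOnCurrentThread];
    [center registerForMessageName:kExampleMessageName
                            target:self
                          selector:@selector(handleEcho:userInfo:)];
}

// Handlers return a property-list dictionary (or nil for no reply). Validate
// the incoming userInfo: it arrives from a less privileged, sandboxed process.
- (NSDictionary *)handleEcho:(NSString *)name userInfo:(NSDictionary *)userInfo {
    id text = userInfo[@"text"];
    if (![text isKindOfClass:[NSString class]]) text = @"";
    return @{ @"echo": text, @"serverPid": @(getpid()) };
}

@end

// The SpringBoard tweak's constructor. The tweak's filter plist restricts it
// to com.apple.springboard, which is what keeps the server out of apps.
__attribute__((constructor)) static void startExampleServer(void) {
    [[ExampleIPCServer sharedServer] start];
}

#pragma mark - Client (sandboxed app, or any other process)

@interface ExampleIPCClient : NSObject
+ (void)echo:(NSString *)text
  completion:(void (^)(NSDictionary *reply, NSError *error))completion;
@end

@implementation ExampleIPCClient

+ (void)echo:(NSString *)text
  completion:(void (^)(NSDictionary *reply, NSError *error))completion {
    CPDistributedMessagingCenter *center =
        [CPDistributedMessagingCenter centerNamed:kExampleServiceName];
    rocketbootstrap_distributedmessagingcenter_apply(center); // required on the client too
    // The round trip blocks until SpringBoard answers. Keep it off the main
    // thread so a slow or missing server cannot freeze the app's UI.
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        NSError *error = nil;
        NSDictionary *reply =
            [center sendMessageAndReceiveReplyName:kExampleMessageName
                                          userInfo:@{ @"text": text ?: @"" }
                                             error:&error];
        dispatch_async(dispatch_get_main_queue(), ^{ completion(reply, error); });
    });
}

@end
```

Note the direction: the app calls into SpringBoard, never the other way round. Calling a service hosted inside an app from SpringBoard is exactly the case the usage notes warn about, since a backgrounded (SIGSTOPped) app will never answer and a simultaneous call in both directions deadlocks.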

Related projects:


 * libobjcipc by a1anyip: "An inter-process communication (between app and SpringBoard) solution for jailbroken iOS. Specifically written for iOS 7 (not tested on previous versions). It handles the socket connections between SpringBoard and app processes, the automatic set up of process assertions and the auto disconnection after timeout or the process terminates. You only need to call the static methods in the main class OBJCIPC. Messages and replies can be sent synchronously (blocking) or asynchronously."