Dev:Updating extensions for iOS 9

Let's collect knowledge like we did with Updating extensions for iOS 8 and Updating extensions for iOS 7 - paste in your notes and share what you've learned, and somebody else will organize it later. :) If you want to ask questions and share tips over chat with other developers, see How to use IRC for how to connect to #theos and #iphonedev.

It's also helpful to double-check the statements here and add more info! These are notes and drafts from early research - feel free to update them.

= Compiling ldid on El Capitan =

ldid was recently added to the main Homebrew repo.

brew update brew install ldid

This is more convenient for ensuring ldid is kept up to date in future.

= What has changed in iOS 9? (Classes, frameworks, etc.) =

Compilation changes
32 bit binaries loaded on 64 bit devices fail to do so since the 32 bit pagesize has been changed from 4096 bytes to 16384 bytes.

Tweaks targeted at 32 bit binaries on iOS 9 must now be compiled with

This LDFLAG can be used to compile for older iOS versions as it had to be a multiple of 1000 and this new alignment is compatible.

If using Theos, add it like so to your makefile:

This fix is integrated with kirb/theos. (Be sure to  regularly.)

If using Xcode, add a new entry to Other linker flags containing "-Wl,-segalign,4000" to the build settings of your project or target and make sure that the build option "Enable Bitcode" is disabled.

Source: saurik's tweet

One example of this are tweaks that modify Cydia, which is a 32 bit app.

Entitlements
Every dylib meant for injection has to be signed to work on iOS, even if no entitlements are required. Please make sure that your toolchain of choice is producing signed dylibs, if it is a fat binary, make sure that all slices are signed.

Use ldid to sign:

ldid -S Tweak.dylib

Failure to do this will invalidate the process and make it lose all entitlements. The standard symptom is the following, but frankly, it is confusing why any binaries are in the wild that haven't at least been passed through ldid, so please don't rely on this symptom and just fix your build environment.

When the process is invalid and thus entitlements are lost, this is output to console on launch:

And then this is shown when the required entitlement no longer exists, despite being included in the binary!

Granting them at runtime
To grant entitlements to a specific process in iOS 9, it seems that iOS 8's _BSAuditTokenTaskHasEntitlement function in assertiond no longer does the trick, the new _BSXPCConnectionHasEntitlement needs to be hooked instead.

Sandbox Restrictions
Tweaks that create or edit files from a sandbox application outside the app's container is no longer allowed See CPDistributedMessagingCenter for some example code.
 * Use an XPC method to communicate with SpringBoard from the sandbox application

This way you could communicate with a SpringBoard class to get it to save or create your files

You would need to add AppSupport framework in your makefile

You will get something like this:
 * After the v1.1 Pangu Untether update it is no longer possible to save/create/modify the preferences from Sandboxed applications in "atomically" mode.

As a workaround you can just replace "atomically:YES" with "atomically:NO":

trying to use these functions in a sandboxed app will throw an error like:
 * some sysctl calls and proc_* functions cannot be used in a sandbox now

UIScreen changes
UIScreen bounds on iPad no longer takes orientation into account. You must now use the bounds of the shared application's keyWindow property.

File protection after reboot
Some tweaks are still affected by file access being restricted after a reboot until the device is unlocked, e.g. a Springboard tweak cannot read some file it previously created causing undefined behaviour and most likely cause a Springboard crash. e.g. https://www.reddit.com/r/jailbreak/comments/458dl0/question_why_does_some_tweaks_stop_working_after/? This post discusses workarounds: http://stackoverflow.com/questions/15079765/dealing-with-background-location-updates-and-core-data-file-protection I was using Core Data and used the option key NSPersistentStoreFileProtectionKey with value NSFileProtectionNone to fix my crash. Other APIs that create files have similar ways to disable the protection.

Using iOS 9 SDK while supporting iOS 8
If you updated to build with the iOS 9.2 SDK (maybe others as well) and you are using `@[]` - you might get a crash on iOS 8 devices. To fix this, use `[[NSArray alloc] init]` instead.

Example crash:

iOS 9.3.3
Since this version is quite different from the previous, see Updating extensions for iOS 9.3.3.

= Which tools and other preexisting things are still working on iOS 9? Which ones don't work? =

No fixes for the following at the time of this writing. Note that these work on 32-bit devices, such as an iPhone 5.


 * Cycript works as of 28/10/2015 version 0.9.503

install all packages from, most things I tested worked. The Python packages built by ryley_angus are also available from his repo.
 * the official python from cydia may fail however due to the work of Linus Yang and reddit user ryley_angus we have a working binary that works on iOS 9 !


 * python fails with the following error (the one on cydia)


 * As of (unknown date) in version 1.4.18-7, lighttpd works on iOS 9.


 * ruby fails with the following error

This occurs due to the change in the 32-bit pagesize on 64-bit CPUs in iOS 9. The libraries noted above need to be rebuilt with "-Wl,-segalign,4000".

Killed: 9
Pangu9 causes many command-line tools to not work, with the error "Killed: 9"

This can be solved by running "ldid -S `which `"

Daemons
In iOS 9 the way daemons are loaded appears to have changed. Daemons prefixed with "com.apple" are loaded first with other daemons being loaded by launchd significantly later. This creates a bug for daemons that use XPC to communicate with SpringBoard. SpringBoard will be loaded before the daemon meaning a connection can never be established. Changing the daemon prefix to "com.apple" appears to make it load at the same time as SpringBoard allowing for the connection to succeed. More research is required into why other daemons are being loaded much later than in iOS 8.

Additionally, daemons are now outputting the error:

This can be fixed by adding the plist entry ExecuteAllowed with a boolean YES.

Daemons that use more than 5MB are killed via Jetsam with no crash report saved:

This can be fixed by using jetslammed and raising the memory limit, e.g.

Connecting to UNIX sockets
Tweaks built with a library injected into an app, communicating to a daemon using a UNIX a socket, might fail to connect to the UNIX socket, with error code EPERM, and the following syslog message:

kernel[0] : Sandbox: app-name deny(1) network-outbound /private/var/tmp/mysocket

Note that this worked with the original Pangu untether and has been failing to work (as described) with the latest (1.1.0) Pangu Fuxi Qin.

Update: This seems to be untrue. This doesn't work with the original Pangu untether as well. Maybe the Cydia update process has to do something with it? Maybe stashing?

A current workaround is to place the UNIX socket inside the app's sandbox.

Extension does not have filter
Starting on 0.9.6100 version of CydiaSubstrate, tweaks must specify a MobileLoader filter or Substrate will prevent the tweak from getting injected at all, with the following error:

canOpenURL restrictions
If you have a tweak that relies on canOpenURL it might not work because now the URLs that are allowed to be checked are required to be specified in the host app's Info.plist under LSApplicationQueriesSchemes. Unfortunately editing this list does not work because it appears to be checked at installation time, and also it can only be called with 50 URLs, once that limit is reached it fails regardless of any edits to the list. It's currently unknown where the database is stored on the device.

iOS 9 Launch scheme approval where it asks for permission to open an app: /private/var/preferences/com.apple.launchservices.schemeapproval.plist

For error-free access to this data query the canOpenURL: status in a daemon with the appropriate entitlements or inside SpringBoard using its entitlements and make the specific query accessible over IPC using RocketBootstrap, darwin_set_state or similar if necessary.

Update: It's now possible to bypass this restriction by hooking isApplicationAvailableToOpenURL in LSApplicationWorkspace. For example code, see this issue in a redundant project that was created before this hook was known: https://github.com/r-plus/libcanopenurl/issues/3