
Dev:Updating extensions for iOS 7

From The Apple Wiki

This is an informal collection of advice; feel free to add to it and rearrange. A lot of this is from #theos on - if you're working on updating your tweaks and you use Theos, join in and share what you've learned (see IRC).

How to compile for ARM64

A tweak binary must contain an ARM64 slice in order to be loaded into 64-bit processes. If you don't need to support iOS 4.2.1 or older, ensure Xcode 5 is installed and set ARCHS in your Makefile:

ARCHS = armv7 arm64

You will also need updated versions of any libraries that you link against which contain an arm64 slice. To get the updated Substrate dylib, see saurik's instructions below, starting from the wget of the Substrate deb.
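To confirm that a built tweak really carries the slices named in ARCHS, you can read its Mach-O header, which holds the same information `lipo -info` reports. The C code below is an added example, not code from this wiki or from Theos; `has_slice`, `arch_name` and `SAMPLE_FAT` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

#define FAT_MAGIC      0xcafebabeu   /* fat header, big-endian on disk */
#define MH_MAGIC       0xfeedfaceu   /* thin 32-bit Mach-O */
#define MH_MAGIC_64    0xfeedfacfu   /* thin 64-bit Mach-O */
#define CPU_TYPE_ARM   12u
#define CPU_TYPE_ARM64 (CPU_TYPE_ARM | 0x01000000u)
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | p[2] << 16 | p[1] << 8 | p[0]; }

/* Map (cputype, cpusubtype) to the name used in ARCHS, or NULL if unknown. */
static const char *arch_name(uint32_t type, uint32_t sub) {
    sub &= 0x00ffffffu;                       /* drop capability bits */
    if (type == CPU_TYPE_ARM64) return sub == 0 ? "arm64" : NULL;
    if (type != CPU_TYPE_ARM) return NULL;
    return sub == 6 ? "armv6" : sub == 9 ? "armv7" : sub == 11 ? "armv7s" : NULL;
}

/* Returns 1 if a slice named `want` is present, 0 if absent, -1 on a malformed header. */
int has_slice(const uint8_t *buf, size_t len, const char *want) {
    if (len < 12) return -1;
    if (be32(buf) == FAT_MAGIC) {
        uint32_t n = be32(buf + 4);
        if (n > (len - 8) / 20) return -1;    /* each fat_arch entry is 20 bytes */
        for (uint32_t i = 0; i < n; i++) {
            const uint8_t *a = buf + 8 + (size_t)i * 20;
            uint32_t off = be32(a + 8), size = be32(a + 12);
            if (off > len || size > len - off) return -1;   /* slice lies outside the file */
            const char *name = arch_name(be32(a), be32(a + 4));
            if (name && strcmp(name, want) == 0) return 1;
        }
        return 0;
    }
    if (le32(buf) != MH_MAGIC && le32(buf) != MH_MAGIC_64) return -1;
    const char *name = arch_name(le32(buf + 4), le32(buf + 8));
    return name && strcmp(name, want) == 0;
}

/* Constructed sample: fat header listing armv7 and arm64; slice bodies omitted (size 0). */
const uint8_t SAMPLE_FAT[48] = {
    0xca,0xfe,0xba,0xbe, 0,0,0,2,                     /* magic, nfat_arch */
    0,0,0,12, 0,0,0,9, 0,0,0,48, 0,0,0,0, 0,0,0,14,   /* armv7 */
    1,0,0,12, 0,0,0,0, 0,0,0,48, 0,0,0,0, 0,0,0,14,   /* arm64 */
};

int main(void) {
    return has_slice(SAMPLE_FAT, sizeof SAMPLE_FAT, "arm64") == 1 ? 0 : 1;  /* exit 0 if arm64 is present */
}
```

On a real build, read the dylib into a buffer and pass it to `has_slice` for each architecture you set in ARCHS.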

How to compile for ARMv6 and ARM64

These instructions only use first-party components from Apple, DHowett, and saurik (and were written by saurik).

The idea is that we are going to use parts of Xcode 4 (which you don't have to install: you might just have it sitting in /Volumes) to "fix" parts of Xcode 5 so that it can target armv6 (need Xcode 4.4.1).

cd $Xcode5/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/5.0/lib/darwin/
mv libclang_rt.ios.a libclang_rt.ios-7.0.a
lipo -thin armv6 -output libclang_rt.ios-5.1.a $Xcode4/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/4.0/lib/darwin/libclang_rt.ios.a
lipo -create -output libclang_rt.ios.a libclang_rt.ios-5.1.a libclang_rt.ios-7.0.a
cd $Xcode5/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/usr/lib/
mv dylib1.o dylib1-7.0.o
lipo -thin armv6 -output dylib1-5.1.o $Xcode4/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.1.sdk/usr/lib/dylib1.o
lipo -create -output dylib1.o dylib1-5.1.o dylib1-7.0.o

Then, we download Theos directly from DHowett's code repository, and add in the parts it needs from the various packages provided by saurik.

sudo mkdir -p /opt/theos
sudo chown "$(id -u):$(id -g)" /opt/theos
cd /opt/theos
git clone .
ar p ldid_1:1.1.2_iphoneos-arm.deb data.tar.gz | tar -zxvf- --strip-components 2 ./usr/bin/ldid
ar p mobilesubstrate_0.9.5001_iphoneos-arm.deb data.tar.lzma >substrate.tar.lzma
# ... extract the lzma file; OS X doesn't come with an lzma utility :( ...
tar -xvf substrate.tar --strip-components 3 ./Library/Frameworks/CydiaSubstrate.framework/
ln -s ../CydiaSubstrate.framework/Headers/CydiaSubstrate.h include/substrate.h
ln -s ../CydiaSubstrate.framework/CydiaSubstrate lib/libsubstrate.dylib

Finally, in our Theos Makefile, we specify that we want to target iOS 2.0 using the 7.0 SDK, and that we want both ARMv6 and ARM64 slices.

TARGET := iphone:7.0:2.0
ARCHS := armv6 arm64

Alternative method

This is slightly more complicated. You need to compile an armv6 slice using the 5.1 SDK and another arm64 slice using the 7.0 SDK. You then stitch both together with lipo. This blog post [Archived 2013-12-27 at the Wayback Machine] describes how to do that manually, but rpetrich has created a theos fork, which does that automatically for you.

Set up rpetrich's theos:

export THEOS=/opt/theos-rpetrich
sudo mkdir -p $THEOS
sudo chown "$(id -u):$(id -g)" $THEOS
git clone .
wget -O bin/ldid
chmod +x bin/ldid
wget -O lib/libsubstrate.dylib

(note from rpetrich: theos should be as a submodule for my fork, not installed in a system path. system paths are dangerous)

Install headers:

./ init
git submodule update --recursive

Set up the Makefile:

TARGET := iphone:clang
THEOS_PLATFORM_SDK_ROOT_armv6 = /Applications/
SDKVERSION_armv6 = 5.1
ARCHS = armv6 arm64

iLogIt_FILES = Tweak.xm

include theos/makefiles/
include $(THEOS_MAKE_PATH)/

rpetrich's theos uses the Objective-C runtime's hooking method instead of MobileSubstrate, so it doesn't link with MobileSubstrate by default. This is OK if you are only hooking Objective-C messages, but if you need to use MSHookFunction, you have to tell theos to link against libsubstrate:

iLogIt_LIBRARIES = substrate

(note from saurik: I highly disrecommend not using Substrate's MSHookMessage implementation; I never understood why rpetrich doesn't use it, but on multiple occasions the way we hook messages has had to change, and centralizing it in Substrate means that I can fix it once for everyone's compiled extensions... this happened last as recently as iOS 5, and all of rpetrich's extensions had to be recompiled and redeployed, which is reasonably fine for him as he's insanely productive and around constantly, but for most people you should please just use the centralized implementation.)

To use Substrate for hooking, either add this at the top of your Logos source file (e.g., Tweak.xm)


Or add it to your target's Logos flags:

iLogIt_LOGOSFLAGS = -c generator=MobileSubstrate

Example Projects: Take a look at the Makefiles of these projects:

ARM64 on Linux

With Darling, Apple's official toolchain can be used on Linux. Once Darling is installed, eswick's theos fork can be used to build for ARM64.

XcodeDefault.xctoolchain (obtain from a Mac, or download Xcode from Apple's website) needs to be placed in $THEOS/toolchain, and $THEOS/sdk needs to point to the iOS 7 SDK, like so:

git clone /opt/theos
mv ~/XcodeDefault.xctoolchain /opt/theos/toolchain/
ln -s /var/sdks/iPhoneOS7.0.sdk /opt/theos/sdk

See the full blog post here for step-by-step instructions.

Updating code for ARM64

Read Apple's documentation on ARM64: "Converting Your App to a 64-Bit Binary"

If you need to specifically test for 64-bit:

#ifdef __LP64__

Detecting iOS 7

Detecting whether code is being compiled for iOS 7.0 or higher:

[[UIApplication sharedApplication] setStatusBarStyle: UIStatusBarStyleLightContent animated: YES];

Note that this is a compile-time check. To check for iOS 7 at runtime, compare against the CoreFoundation version:

if (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_7_0) {
	// do >= iOS 7 stuff
} else {
	// do <= iOS 6 stuff
}

Apple often forgets to add new version number constants to their headers, so you may need to define the version numbers yourself:

#ifndef kCFCoreFoundationVersionNumber_iOS_7_0
#define kCFCoreFoundationVersionNumber_iOS_7_0 847.20
#endif

See CoreFoundation.framework for a full list.

Updating Cydia Depictions

It's best to make the background transparent to make it match Cydia's background. Just add the following to your depiction's header:

if ( != -1) {

And in your CSS:

body.cydia {
	background: none !important;
}

Cydia's table cell styling hasn't currently been changed to reflect the iOS 7 UI, so no other CSS needs updating.

Theos patch for ARM64

01:03:36 < therpgitbot> [theos] rpetrich pushed 1 new commit to master:
01:03:36 < therpgitbot> theos/master f6ebd79 Ryan Petrich: Workaround bootstrap problems on Xcode 5.x (temporary fix for now)

Dealing with 32-bit and 64-bit

12:38:15 <%joedj> sbingner: i did find this question (and the response 2 posts down) interesting, i'm not sure what they're talking about:
09:55:43 <@rpetrich> joedj: it's a bug with the components that communicate with the App Store

Theos and ldid errors

19:02:14 < yoshbu> I've been off the jailbreak train for awhile now. Trying to reinstall theos, getting some build failures when trying to install ldid, anybody know if there's a quick fix?
19:02:52 < yoshbu> like, error: unknown type name '__darwin_intptr_t'
19:02:59 < yoshbu> and, error: unknown type name '__uint32_t'; did you mean 'uint32_t'?
19:05:27 < Alcatraz> are you trying to compile ldid on mac?
19:05:55 < yoshbu> following step 4 of
19:06:10 < Alcatraz> yeah compiling it has been broken for some time
19:06:27 < Alcatraz> has to do with xcode 5
19:06:32 < Alcatraz> pretty sure anyway
19:06:50 < yoshbu> ldid is a dependency of theos though right?
19:07:01 < Alcatraz> yeah. you can ask someone on here for a copy
19:08:05 < ac3xx> yoshbu, wget -O $THEOS/bin/ldid && chmod +x $THEOS/bin/ldid

Accessing the device's UDID

UDID access is blocked by default on iOS 7, and iOS will substitute a generated ID in UIDevice's uniqueIdentifier property. To get access to the device ID from system processes or apps installed to /Applications, use MGCopyAnswer(CFSTR("UniqueDeviceID")) and link against libMobileGestalt.dylib (ProjectName_LIBRARIES = MobileGestalt). The device ID is completely inaccessible from App Store processes and some daemons.

For App Store apps, it appears you can still retrieve the UDID from MobileGestalt with a private entitlement:


Debugging on iOS 7

To get remote debugging working on iOS 7 and 64-bit devices, see the instructions at debugserver.

You may also be interested in this explanation of "how to run lldb if you are familiar with the gdb command set".

You can follow these instructions to disable ASLR for a process. This means methods will be at the same addresses as those shown in IDA or Hopper.

State of debuggers on iOS 7

saurik commented on JailbreakQA [Archived 2014-03-21 at the Wayback Machine]:

The build of GDB from Xcode 4.4 ( can be pseudosigned with ldid and run on a 32-bit device with reasonable success. Apple no longer maintains gdb (as it being GPL would have required them to release source code for it) nor have they released any source code for anything in Xcode 5 (including lldb, and it sounds like for LLVM they are only semi-interested in contributing their ARM64 backend... so we'll have to see on that one...); in essence, we are currently "out of luck" with regards to debugging on 64-bit devices unless someone burns a bunch of time porting or writing a debugger themselves. It sounds like you got close doing remote debugging from Xcode, though: maybe someone (you?) could work on a Substrate extension to whatever is checking process ownership on the device (probably the lldb moral equivalent of gdb-server) and publish instructions on the dev wiki?

(edit:) On the remote debugging front, crash-x indicates there might be useful instructions for getting a remote lldb to connect through debugserver in the following presentation:

The information at debugserver is partially based on that presentation.

For details on running gdb and pseudo-signing it with ldid for running on 32-bit devices, see pod2g's instructions [Archived 2014-01-06 at the Wayback Machine], but you'll probably want to use lldb instead.

Ongoing issues


  • Printing a stack trace doesn't show symbols.
  • Wee apps' (Notification Center widgets) principal class must now be a view controller subclass instead of implementing a protocol.

Missing icons

  • After copying an app to /Applications and respringing, sometimes the icon doesn't appear. Also if it was there before, sometimes it can disappear.
  • Apps installed to /Applications stop launching after a while with this error:
backboardd[12261] <Warning>: Launch Services: Registering unknown app identifier libactivator failed
backboardd[12261] <Warning>: Launch Services: Unable to find app identifier libactivator
backboardd[12261] <Warning>: Can't create application "libactivator" without a bundle path

Or their icons disappear after this happens:

lsd[11724] <Warning>: LaunchServices: Updating identifier store
/usr/libexec/lsd[11724] <Error>: Need to synchronize with MobileInstallation
/usr/libexec/lsd[11724] <Notice>: LaunchServices: Adding com.malcolmhall.PhoneNumberTest to unregister list
/usr/libexec/lsd[11724] <Notice>: LaunchServices: Adding com.malcolmhall.AppWhere to unregister list
/usr/libexec/lsd[11724] <Notice>: LaunchServices: Adding libactivator to unregister list
lsd[11724] <Warning>: LaunchServies: No placeholder bundle to remove for com.malcolmhall.AppWhere.


  • Hooking a method that uses a struct gives the wrong layout of fields on arm64. You may need to put #pragma pack(push,4) before the struct and #pragma pack(pop) after it; however, you really need to use the debugger and view the memory to understand for sure what's happening.
  • Using MSHookMessage on arm64 requires the original function pointer to declare the parameters, or it segfaults at runtime.
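The struct layout issue above can be reproduced off-device. The C code below is an added example, not code from this wiki; `natural_args`, `packed_args` and the functions are hypothetical, and it assumes the mismatch comes from 8-byte members being aligned to 8 bytes in a 64-bit build while the other side uses 4-byte packing (the page does not state the cause).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical argument struct of a hooked method (not from a real header),
   declared once with the compiler's natural alignment... */
struct natural_args { int32_t tag; int64_t stamp; int32_t flags; };

/* ...and once with the 4-byte packing the page suggests trying. */
#pragma pack(push, 4)
struct packed_args { int32_t tag; int64_t stamp; int32_t flags; };
#pragma pack(pop)

/* Offset of `stamp` under each declaration. */
size_t stamp_offset_natural(void) { return offsetof(struct natural_args, stamp); }
size_t stamp_offset_packed(void)  { return offsetof(struct packed_args, stamp); }

/* Simulates a callee that lays the struct out with 4-byte packing and a hook
   that reads the same bytes through one of the two declarations.
   Returns the `stamp` value the hook would see. */
int64_t stamp_seen_by_hook(int64_t real_stamp, int use_packed_decl) {
    unsigned char raw[sizeof(struct natural_args)] = {0};
    struct packed_args wire = { 1, real_stamp, 7 };
    memcpy(raw, &wire, sizeof wire);

    if (use_packed_decl) {
        struct packed_args v;
        memcpy(&v, raw, sizeof v);
        return v.stamp;              /* offsets match: correct value */
    }
    struct natural_args v;
    memcpy(&v, raw, sizeof v);
    return v.stamp;                  /* 64-bit build: reads half of stamp plus flags */
}

/* Once the real layout has been confirmed in the debugger, pin it at compile
   time so a later toolchain or header change fails the build instead of
   silently reading the wrong bytes. */
_Static_assert(offsetof(struct packed_args, stamp) == 4, "packed layout changed");
_Static_assert(sizeof(struct packed_args) == 16, "packed size changed");
```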

Inter-process communication

  • CPDistributedMessagingCenter, XPC and other IPC methods built on top of bootstrap-registered Mach services don't work; you get "deny lookup" in the Xcode console.


rpetrich has built a workaround called RocketBootstrap.

Install this from Cydia or add a depends to your deb of com.rpetrich.rocketbootstrap. Download bootstrap.h and rocketbootstrap.h from You will also need to copy `librocketbootstrap.dylib` from `/usr/lib` on your iDevice to `$THEOS/lib` and link against it in your Makefile:

myTweak_LIBRARIES = rocketbootstrap

Example usage (server inside a SpringBoard tweak):

#import "rocketbootstrap.h"
CPDistributedMessagingCenter *c = [CPDistributedMessagingCenter centerNamed:@"com.mycompany.myCenter"];
// apply rocketbootstrap regardless of iOS version (via rpetrich)
rocketbootstrap_distributedmessagingcenter_apply(c);
[c runServerOnCurrentThread];
[c registerForMessageName:@"myMessageName" target:myTarget selector:@selector(handleMessageNamed:withUserInfo:)];

Example usage (client from sandboxed app):

#import "rocketbootstrap.h"
CPDistributedMessagingCenter *c = [%c(CPDistributedMessagingCenter) centerNamed:@"com.mycompany.myCenter"];
// must be applied on the client as well as on the server
rocketbootstrap_distributedmessagingcenter_apply(c);
[c sendMessageName:@"myMessageName" userInfo:nil]; // send an NSDictionary here to pass data

If you want to run a server inside a daemon, then you still need a simple SpringBoard tweak, that just has to call bootstrap_unlock with the service name (take the code from the rocket bootstrap header and include bootstrap.h). Then you can run a server with the same name inside your daemon. rocketbootstrap_distributedmessagingcenter_apply must still be called on both the server and on the clients. It even works for sendMessageAndReceiveReplyName.

Usage notes:

You shouldn't be registering Mach services in sandboxed apps; RocketBootstrap allows exposing services to sandboxed apps, but can't allow exposing services from sandboxed apps without exposing a very large security flaw.

Assuming there aren't any security problems, actually calling a service that's running inside of an app from SpringBoard (which is usually what people want to do) is problematic. Backgrounding apps causes them to enter a frozen "SIGSTOP" state, which means any calls to the service running inside of the app will block indefinitely.

Even if that is suppressed, it could happen that the SpringBoard part attempts to call the service running in the app at the same time as the app is trying to call any of the usual SpringBoard services. When that happens, they deadlock. This might happen infrequently, but it's a really bad failure case in that the system just hangs. Real users will encounter it, if it's present.

You can call from a background thread (not good, it could stay alive for a long time), or use timeouts (not good, now you have to tune it and you get UI hitches) or use asynchronous code (not bad, but it's more work than you may be willing to go through).

Related projects:

  • libobjcipc by a1anyip: "An inter-process communication (between app and SpringBoard) solution for jailbroken iOS. Specifically written for iOS 7 (not tested on previous versions). It handles the socket connections between SpringBoard and app processes, the automatic set up of process assertions and the auto disconnection after timeout or the process terminates. You only need to call the static methods in the main class OBJCIPC. Messages and replies can be sent synchronously (blocking) or asynchronously."