Is it possible to use iOS11 dyld shared cache on iOS10

Posted: Tue Oct 24, 2017 3:35 am
by Wingzero
I have a wild guess and idea: using the iOS 11 dyld shared cache along with other Apple apps (like itunesd, AppStore, etc.) to replace their counterparts on an iOS 10 JB device. However, I only have one JB device and don't dare to do that - if it becomes a brick I am dead then.

So has anyone tried that before, or is it not possible because it has some security check? Since we can get both signed + unsigned dyld shared caches and other binaries, it seems possible, but I'm not sure if there are any other security checks.

Re: Is it possible to use iOS11 dyld shared cache on iOS10

Posted: Fri Dec 29, 2017 10:20 am
by stek29
I believe iOS 11 cache has a slightly different format.
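As an added example (not code from any poster in this thread), here is a small Python parser for the fixed part of the dyld shared cache header and its mapping table, using the field layout from Apple's dyld_cache_format.h; dyld itself uses mappingOffset (the header length) to tell which optional header fields a cache carries, so two caches with different header lengths are different layouts. The sample images it builds are constructed, and the header lengths used in the check are arbitrary, not the real iOS 10 or iOS 11 values.

```python
import struct

# Leading fields of dyld_cache_header, per Apple's dyld_cache_format.h:
#   char magic[16]; uint32 mappingOffset, mappingCount, imagesOffset, imagesCount;
#   uint64 dyldBaseAddress, codeSignatureOffset, codeSignatureSize; ...
# Later fields only exist if mappingOffset is large enough to cover them.
HEADER_FMT = "<16sIIIIQQQ"
HEADER_MIN = struct.calcsize(HEADER_FMT)          # 56 bytes
# dyld_cache_mapping_info: uint64 address, size, fileOffset; uint32 maxProt, initProt
MAPPING_FMT = "<QQQII"
MAPPING_SIZE = struct.calcsize(MAPPING_FMT)       # 32 bytes


def parse_cache(blob):
    """Parse the header and mapping table of a dyld shared cache image."""
    if len(blob) < HEADER_MIN:
        raise ValueError("too short for a dyld_cache_header")
    magic, map_off, map_cnt, _img_off, _img_cnt, _base, cs_off, cs_size = \
        struct.unpack_from(HEADER_FMT, blob, 0)
    magic = magic.rstrip(b"\0").decode("ascii", "replace")
    if not magic.startswith("dyld_v1"):
        raise ValueError("not a dyld_v1 cache: %r" % magic)
    if map_off < HEADER_MIN:
        raise ValueError("mappingOffset overlaps the fixed header")
    mappings = []
    for i in range(map_cnt):
        off = map_off + i * MAPPING_SIZE
        if off + MAPPING_SIZE > len(blob):
            raise ValueError("mapping table runs past end of file")
        addr, size, foff, maxp, initp = struct.unpack_from(MAPPING_FMT, blob, off)
        if foff + size > len(blob):
            raise ValueError("mapping %d extends past end of file" % i)
        mappings.append((addr, size, foff, maxp, initp))
    return {"arch": magic[len("dyld_v1"):].strip(), "header_len": map_off,
            "mappings": mappings, "code_sig_offset": cs_off, "code_sig_size": cs_size}


def build_sample_cache(header_len, arch=b"arm64"):
    """Constructed test image: header of the given length, one mapping, dummy bytes."""
    body = b"\x90" * 64                            # constructed page contents, not real code
    body_off = header_len + MAPPING_SIZE
    hdr = struct.pack(HEADER_FMT, b"dyld_v1   " + arch, header_len, 1, 0, 0, 0,
                      body_off + len(body), 0)
    hdr = hdr.ljust(header_len, b"\0")             # pad out a longer (newer) header
    mapping = struct.pack(MAPPING_FMT, 0x180000000, len(body), body_off, 5, 5)
    return hdr + mapping + body


def same_layout(a, b):
    """True if two caches share arch and header length (i.e. the same header layout)."""
    return a["arch"] == b["arch"] and a["header_len"] == b["header_len"]
```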

Re: Is it possible to use iOS11 dyld shared cache on iOS10

Posted: Sun Dec 31, 2017 8:52 pm
by Siguza
If you replace the cache on disk, your OS is toast - trust cache signature checks will fail and your device will boot loop. Putting the cache somewhere else and loading it over the other one might be possible, but sounds extremely tedious. In order to avoid a horrible ending, you'd at least have to tear down userland (in a "launchctl reboot userspace"-style way), inject yourself into launchd (to continue running at that point), stop all threads except your own, write your injected code to not depend on any library whatsoever, patch the shared cache out of XNU memory, patch the new one in, and then do an actual userspace reboot. If you manage to bypass shared cache checks, you might also be able to just call the API (syscall 438 "shared_region_map_and_slide_np()"), and if you manage to bypass KPP you could actually do it all the dual-boot-way, but nevertheless this remains an extremely ambitious goal.