@Kyle-Ye
Last active June 24, 2024 23:41
Launch iPhone Mirroring.app on macOS 15 Beta 1

Inspired by https://infosec.exchange/@jjtech/112612685494089718

Method 1: LLDB

Step 0

Reboot into Recovery OS and disable SIP:

csrutil disable

Step 1

Launch the binary via lldb. It will exit immediately.

lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
(lldb) run
Process 3819 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 3819 exited with status = 0 (0x00000000)

Add a breakpoint at the SwiftUI App main entry to investigate. It still exits.

b 0x10000c840
(lldb) run
Process 5078 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5078 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
->  0x10000c840 <+0>:  adrp   x17, 4
    0x10000c844 <+4>:  add    x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
    0x10000c848 <+8>:  ldr    x16, [x17]
    0x10000c84c <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.

(lldb) c
Process 5078 resuming
Process 5078 exited with status = 0 (0x00000000)

Step 2

Add a breakpoint on the exit stub (0x10000c9c0) and get the backtrace.

lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
b 0x10000c840
b 0x10000c9c0

(lldb) run
Process 5113 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
->  0x10000c840 <+0>:  adrp   x17, 4
    0x10000c844 <+4>:  add    x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
    0x10000c848 <+8>:  ldr    x16, [x17]
    0x10000c84c <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.

(lldb) c
Process 5113 resuming
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
iPhone Mirroring`exit:
->  0x10000c9c0 <+0>:  adrp   x17, 4
    0x10000c9c4 <+4>:  add    x17, x17, #0x2c0 ; (void *)0x0c568001865c9730
    0x10000c9c8 <+8>:  ldr    x16, [x17]
    0x10000c9cc <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
    frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
    frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
    frame #3: 0x00000001b630470c SwiftUI`merged @objc SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 140
    frame #4: 0x00000001867eb504 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 148
    frame #5: 0x000000018687bf04 CoreFoundation`___CFXRegistrationPost_block_invoke + 88
    frame #6: 0x000000018687be4c CoreFoundation`_CFXRegistrationPost + 436
    frame #7: 0x00000001867b9a24 CoreFoundation`_CFXNotificationPost + 732
    frame #8: 0x000000018793c954 Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 88
    frame #9: 0x000000018a2e11b8 AppKit`-[NSApplication finishLaunching] + 248
    frame #10: 0x000000018a2e0e84 AppKit`-[NSApplication run] + 252
    frame #11: 0x000000018a2b74a8 AppKit`NSApplicationMain + 888
    frame #12: 0x00000001b541bea0 SwiftUI`merged generic specialization <SwiftUI.TestingAppDelegate> of function signature specialization <Arg[0] = Existential To Protocol Constrained Generic> of SwiftUI.runApp(__C.NSResponder & __C.NSApplicationDelegate) -> Swift.Never + 160
    frame #13: 0x00000001b57d05d0 SwiftUI`SwiftUI.runApp<τ_0_0 where τ_0_0: SwiftUI.App>(τ_0_0) -> Swift.Never + 84
    frame #14: 0x00000001b5aa01dc SwiftUI`static SwiftUI.App.main() -> () + 224
    frame #15: 0x0000000100008a20 iPhone Mirroring`___lldb_unnamed_symbol437 + 92
    frame #16: 0x000000018638d298 dyld`start + 2876

Step 3

We are almost there. The problem is that the app calls exit(0) from -[iPhone_Mirroring.AppDelegate applicationWillFinishLaunching:] (the unnamed function in frame #1 of the backtrace, which starts at 0x10000aa04).

So we can just set a breakpoint on that function and pop its frame with thread return before it runs.

(lldb) run
(lldb) b 0x000000010000aa04
Breakpoint 3: where = iPhone Mirroring`___lldb_unnamed_symbol473, address = 0x000000010000aa04
(lldb) c
Process 6907 resuming
Process 6907 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x000000010000aa04 iPhone Mirroring`___lldb_unnamed_symbol473
iPhone Mirroring`___lldb_unnamed_symbol473:
->  0x10000aa04 <+0>:  pacibsp
    0x10000aa08 <+4>:  stp    x20, x19, [sp, #-0x20]!
    0x10000aa0c <+8>:  stp    x29, x30, [sp, #0x10]
    0x10000aa10 <+12>: add    x29, sp, #0x10
Target 0: (iPhone Mirroring) stopped.
(lldb) thread return
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> ():
->  0x1b6304148 <+948>: mov    x0, x21
    0x1b630414c <+952>: bl     0x1b665cae8    ; symbol stub for: swift_unknownObjectRelease
    0x1b6304150 <+956>: mov    x0, x19
    0x1b6304154 <+960>: bl     0x1b665c388    ; symbol stub for: objc_release
(lldb) continue

That's all. Done.
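To script Step 2 and Step 3, here is an added example (not part of the gist): it parses the bt output shown above, recovers the entry address of the function that calls exit from the pc and the "+ offset" lldb prints, and emits lldb commands that attach thread return and continue to the breakpoint so the skip happens without manual stepping. The addresses and module name come from the gist's transcript; the command list is my assumption of how to automate the manual session.

```python
import re

# Backtrace constructed from the gist's own `bt` output above, cut down to the
# frames the search needs (the real one continues up to dyld`start).
SAMPLE_BT = """\
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
    frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
    frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
"""

# frame #N: 0x<pc> <module>`<symbol>[ + <offset>]
FRAME_RE = re.compile(r"frame #(\d+): 0x([0-9a-f]+) (.+?)`(.+?)(?: \+ (\d+))?$")

def parse_frames(bt):
    """Return (index, pc, module, symbol, offset) for every frame line."""
    frames = []
    for line in bt.splitlines():
        m = FRAME_RE.search(line)
        if m:
            idx, pc, module, symbol, off = m.groups()
            frames.append((int(idx), int(pc, 16), module, symbol, int(off or 0)))
    return frames

def exit_caller_start(bt, module="iPhone Mirroring"):
    """Entry address of the first frame above `exit` that lives in `module`.
    lldb prints the return address as symbol + offset, so the function entry
    is pc - offset (0x10000aa78 - 116 = 0x10000aa04 in the gist's trace)."""
    seen_exit = False
    for _, pc, mod, sym, off in parse_frames(bt):
        if sym == "exit":
            seen_exit = True
        elif seen_exit and mod == module:
            return pc - off
    return None

def skip_commands(binary, func_addr):
    """lldb command lines (assumed scripting of the gist's manual steps): break
    on the function, pop it with `thread return` at every hit, then resume."""
    return [
        f"target create '{binary}'",
        f"breakpoint set -a {func_addr:#x}",
        "breakpoint command add 1",   # lines up to DONE run on each hit
        "thread return",
        "continue",
        "DONE",
        "process launch",
    ]
```

Paste the emitted lines into an interactive lldb session, or save them to a file and start lldb with -s on that file.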

Method 2: DYLD_INSERT_LIBRARIES

git clone https://github.com/Kyle-Ye/iPhoneMirroringInject.git
cd iPhoneMirroringInject
./build.sh

See the iPhoneMirroringInject repo for details.

@0xM1gu3l

0xM1gu3l commented Jun 21, 2024

You can use blacktop's ipsw tool to decrypt iOS 18 IPSWs, as well as split the dyld shared cache to get the binary for Sharing.framework

@Mattribs91

You can use blacktop's ipsw tool to decrypt iOS 18 IPSWs, as well as split the dyld shared cache to get the binary for Sharing.framework

@Mattribs91

Doesn't work either; it says libusb is not installed, but I installed it.

@Mattribs91

I asked for your Instagram to help you, but you never answered me.

Well, I did answer (see somewhere above). Insta: haltepeter. I need help with Intel (iMac Pro 2017).

Well, I have sent you a message but got no answer.

@SatanaScorpion

And where do I write this code?

@0xM1gu3l

Did anyone get ScreenContinuityShell running on iOS?

@EmptyEnergy

So how do we enable FeatureFlags on iOS? Has anyone found out?

@trinityhades

So how do we enable FeatureFlags on iOS? Has anyone found out?

People are still gatekeeping it even though we are going to get iPhone Mirroring officially through the beta 2 in just a week. So I don’t understand why they are.

@victorwads

victorwads commented Jun 22, 2024

Why did @JJTech0130 do it almost 10 days ago and not say anything!!!
Is he dead?

@EmptyEnergy

EmptyEnergy commented Jun 23, 2024

Could this be how @JJTech0130 was able to flip FeatureFlags? Using Apple internal tools to edit the IPSW? This seems like it would make the most sense to me, since @JJTech0130 said this: "Unfortunately, this cannot be done without another method (hence why I cannot share how I accomplished it)."

@JJTech0130

JJTech0130 commented Jun 23, 2024

No, as I commented earlier, I did not use Apple Internal tooling, simply undisclosed exploits.
My comment above should explain the minimum extent of an exploit you would need to find, though at this point I would advise just waiting til Monday for the public release.

(Note that SRDs [Security Research Devices] are also pre-jailbroken, and are given out to known security researchers. These can also accomplish the same thing, without any Apple Internal tooling or breaking an NDA)

@EmptyEnergy

No, as I commented earlier, I did not use Apple Internal tooling, simply undisclosed exploits. My comment above should explain the minimum extent of an exploit you would need to find, though at this point I would advise just waiting til Monday for the public release.

(Note that SRDs [Security Research Devices] are also pre-jailbroken, and are given out to known security researchers. These can also accomplish the same thing, without any illegal internal tooling or breaking an NDA)

The only other way I can think of is that you modified something inside of DatabaseDomain.

@nickaroot

No, as I commented earlier, I did not use Apple Internal tooling, simply undisclosed exploits. My comment above should explain the minimum extent of an exploit you would need to find, though at this point I would advise just waiting til Monday for the public release.
(Note that SRDs [Security Research Devices] are also pre-jailbroken, and are given out to known security researchers. These can also accomplish the same thing, without any illegal internal tooling or breaking an NDA)

The only other way I can think of is that you modified something inside of DatabaseDomain.

I don't think so.
It looks like some sort of XPC exploitation (overflow or something else) that allows shm manipulation.

@Mattribs91

Do you know how to bypass the region verification? I live in France, so I won't be able to use iPhone Mirroring.

@EmptyEnergy

Does anyone know how to restore a backup file that's in Application Groups/AppDomainGroup-?

@fineusing

https://github.com/libimobiledevice/libimobiledevice. You need to enable encrypted backup on the iOS device, then find and decrypt the backup file you want to modify using the backup's manifest.db, then encrypt the file back and update the hash of the corresponding file in manifest.db, and finally restore the modified backup to the phone.

@MWRevamped

Doesn't matter now, I guess, since beta 2 came out a minute ago.

@Dima-Kal

Dima-Kal commented Jun 24, 2024

Can confirm that it does work on beta 2!

edit:
Very choppy performance for me; Wi-Fi is strong, so I don't know why.

@K4CZP3R

K4CZP3R commented Jun 24, 2024

Does someone know how to bypass the region check in beta 2?

@MWRevamped

Can confirm that it does work on beta 2!

edit: Very choppy performance for me; Wi-Fi is strong, so I don't know why.

That's odd, because it's extremely smooth for me, and my Wi-Fi's been finicky these past few days.

@MWRevamped

Although my phone is plugged in.

@0xM1gu3l

Any ideas on how to fix this? I can't update 😭

@victorwads

victorwads commented Jun 24, 2024

It's working on Beta 2, but it is not possible to resize it, and the keyboard is not working in some parts, like the library search.

@Mattribs91

Any ideas on how to fix this? I can't update 😭

Did you try rebooting your Mac?

@0xM1gu3l

Any ideas on how to fix this? I can't update 😭

Did you try rebooting your Mac?

Yeah, I already fixed it; I followed this guy's guide on the MacRumors forum.

@0xM1gu3l

It works nicely!

@RobinRauber

Are there any solutions to bypass regional restrictions?

@0xM1gu3l

What country are you located in?

@K4CZP3R

K4CZP3R commented Jun 24, 2024

Are there any solutions to bypass regional restrictions?

Only on the macOS side; there are none (publicly) known for the iOS side.
