@Kyle-Ye
Last active June 26, 2024 16:23
Launch iPhone Mirroring.app on macOS 15 Beta 1

Inspired by https://infosec.exchange/@jjtech/112612685494089718

Method 1: LLDB

Step 0

Reboot into Recovery OS + Disable SIP

csrutil disable

Step 1

Launch the binary via lldb. It will exit immediately.

lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
(lldb) run
Process 3819 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 3819 exited with status = 0 (0x00000000)

Add a breakpoint at the SwiftUI App.main entry point (0x10000c840) to investigate. The process still exits.

b 0x10000c840
(lldb) run
Process 5078 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5078 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
->  0x10000c840 <+0>:  adrp   x17, 4
    0x10000c844 <+4>:  add    x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
    0x10000c848 <+8>:  ldr    x16, [x17]
    0x10000c84c <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.

(lldb) c
Process 5078 resuming
Process 5078 exited with status = 0 (0x00000000)

Step 2

Add a breakpoint at the exit stub (0x10000c9c0) and get a backtrace.

lldb /System/Applications/iPhone\ Mirroring.app/Contents/MacOS/iPhone\ Mirroring
b 0x10000c840
b 0x10000c9c0

(lldb) run
Process 5113 launched: '/System/Applications/iPhone Mirroring.app/Contents/MacOS/iPhone Mirroring' (arm64e)
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x000000010000c840 iPhone Mirroring`static SwiftUI.App.main() -> ()
iPhone Mirroring`static SwiftUI.App.main() -> ():
->  0x10000c840 <+0>:  adrp   x17, 4
    0x10000c844 <+4>:  add    x17, x17, #0x200 ; (void *)0x500f0001b5aa00fc
    0x10000c848 <+8>:  ldr    x16, [x17]
    0x10000c84c <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.

(lldb) c
Process 5113 resuming
Process 5113 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
    frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
iPhone Mirroring`exit:
->  0x10000c9c0 <+0>:  adrp   x17, 4
    0x10000c9c4 <+4>:  add    x17, x17, #0x2c0 ; (void *)0x0c568001865c9730
    0x10000c9c8 <+8>:  ldr    x16, [x17]
    0x10000c9cc <+12>: braa   x16, x17
Target 0: (iPhone Mirroring) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
    frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
    frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
    frame #3: 0x00000001b630470c SwiftUI`merged @objc SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 140
    frame #4: 0x00000001867eb504 CoreFoundation`__CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 148
    frame #5: 0x000000018687bf04 CoreFoundation`___CFXRegistrationPost_block_invoke + 88
    frame #6: 0x000000018687be4c CoreFoundation`_CFXRegistrationPost + 436
    frame #7: 0x00000001867b9a24 CoreFoundation`_CFXNotificationPost + 732
    frame #8: 0x000000018793c954 Foundation`-[NSNotificationCenter postNotificationName:object:userInfo:] + 88
    frame #9: 0x000000018a2e11b8 AppKit`-[NSApplication finishLaunching] + 248
    frame #10: 0x000000018a2e0e84 AppKit`-[NSApplication run] + 252
    frame #11: 0x000000018a2b74a8 AppKit`NSApplicationMain + 888
    frame #12: 0x00000001b541bea0 SwiftUI`merged generic specialization <SwiftUI.TestingAppDelegate> of function signature specialization <Arg[0] = Existential To Protocol Constrained Generic> of SwiftUI.runApp(__C.NSResponder & __C.NSApplicationDelegate) -> Swift.Never + 160
    frame #13: 0x00000001b57d05d0 SwiftUI`SwiftUI.runApp<τ_0_0 where τ_0_0: SwiftUI.App>(τ_0_0) -> Swift.Never + 84
    frame #14: 0x00000001b5aa01dc SwiftUI`static SwiftUI.App.main() -> () + 224
    frame #15: 0x0000000100008a20 iPhone Mirroring`___lldb_unnamed_symbol437 + 92
    frame #16: 0x000000018638d298 dyld`start + 2876

Step 3

We are almost there. The problem is that the app calls exit(0) from -[iPhone_Mirroring.AppDelegate applicationWillFinishLaunching:].

So we can set a breakpoint on the function that performs the check and return from it immediately with thread return.
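The breakpoint address used in the next step comes straight out of the Step 2 backtrace: frame #1 sits at 0x10000aa78 inside ___lldb_unnamed_symbol473 + 116, so that function starts at 0x10000aa78 - 116 = 0x10000aa04. The following Python snippet is an added example, not part of the original gist, that parses an lldb bt listing and computes that address for the first frame in the app's own image above exit. The backtrace text is copied from Step 2 and trimmed to the frames that matter; the module name iPhone Mirroring is taken from it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the Step 2 backtrace from the gist, trimmed.
SAMPLE_BT = """\
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 2.1
  * frame #0: 0x000000010000c9c0 iPhone Mirroring`exit
    frame #1: 0x000000010000aa78 iPhone Mirroring`___lldb_unnamed_symbol473 + 116
    frame #2: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
    frame #3: 0x00000001b630470c SwiftUI`merged @objc SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 140
    frame #11: 0x000000018a2b74a8 AppKit`NSApplicationMain + 888
    frame #16: 0x000000018638d298 dyld`start + 2876
"""

# One lldb frame line: optional '*' marker, index, pc, module`symbol, optional "+ offset".
# Module names may contain spaces (e.g. "iPhone Mirroring"), so match up to the backtick.
FRAME_RE = re.compile(
    r"^\s*\*?\s*frame #(?P<idx>\d+): 0x(?P<addr>[0-9a-fA-F]+) "
    r"(?P<module>[^`]+)`(?P<symbol>.*?)(?: \+ (?P<off>\d+))?\s*$"
)


@dataclass
class Frame:
    index: int
    pc: int          # return address / current pc as printed by lldb
    module: str      # image the pc belongs to
    symbol: str      # symbol name lldb resolved (may be an unnamed symbol)
    offset: int      # byte offset from the symbol start (0 if not printed)

    @property
    def function_start(self) -> int:
        """Start address of the containing function: pc minus the printed offset."""
        return self.pc - self.offset


def parse_backtrace(text: str) -> List[Frame]:
    """Parse the frame lines of an lldb 'bt' listing; non-frame lines are skipped."""
    frames: List[Frame] = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        frames.append(Frame(
            index=int(m["idx"]),
            pc=int(m["addr"], 16),
            module=m["module"],
            symbol=m["symbol"],
            offset=int(m["off"] or 0),
        ))
    return frames


def find_exit_caller(frames: List[Frame], app_module: str) -> Optional[Frame]:
    """Return the first frame above the exit stub that lives in the app's own image.

    Frames in system libraries (SwiftUI, AppKit, ...) are skipped: the interesting
    code is the app function that decided to terminate the process.
    """
    seen_exit = False
    for f in frames:
        if f.module == app_module and f.symbol == "exit":
            seen_exit = True
            continue
        if seen_exit and f.module == app_module:
            return f
    return None


if __name__ == "__main__":
    caller = find_exit_caller(parse_backtrace(SAMPLE_BT), "iPhone Mirroring")
    if caller is None:
        print("no app frame above exit")
    else:
        print(f"frame #{caller.index}: {caller.symbol} starts at {caller.function_start:#x}")
```

Running it against the Step 2 listing prints frame #1 with start address 0x10000aa04, the address the gist breaks on in Step 3. The same computation works for any frame: subtract the printed offset from the pc to get the symbol start, which is where a breakpoint must go for thread return to skip the whole function.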

(lldb) run
(lldb) b 0x000000010000aa04
Breakpoint 3: where = iPhone Mirroring`___lldb_unnamed_symbol473, address = 0x000000010000aa04
(lldb) c
Process 6907 resuming
Process 6907 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x000000010000aa04 iPhone Mirroring`___lldb_unnamed_symbol473
iPhone Mirroring`___lldb_unnamed_symbol473:
->  0x10000aa04 <+0>:  pacibsp
    0x10000aa08 <+4>:  stp    x20, x19, [sp, #-0x20]!
    0x10000aa0c <+8>:  stp    x29, x30, [sp, #0x10]
    0x10000aa10 <+12>: add    x29, sp, #0x10
Target 0: (iPhone Mirroring) stopped.
(lldb) thread return
* thread #1, queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x00000001b6304148 SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> () + 948
SwiftUI`SwiftUI.AppDelegate.applicationWillFinishLaunching(Foundation.Notification) -> ():
->  0x1b6304148 <+948>: mov    x0, x21
    0x1b630414c <+952>: bl     0x1b665cae8    ; symbol stub for: swift_unknownObjectRelease
    0x1b6304150 <+956>: mov    x0, x19
    0x1b6304154 <+960>: bl     0x1b665c388    ; symbol stub for: objc_release
(lldb) continue

That's all. Done.

Method 2: DYLD_INSERT_LIBRARIES

git clone https://github.com/Kyle-Ye/iPhoneMirroringInject.git
cd iPhoneMirroringInject
./build.sh

See the iPhoneMirroringInject repo for details.

@K4CZP3R

K4CZP3R commented Jun 24, 2024

Are there any solutions to bypass regional restrictions?

Only on the macOS side; there are none (publicly) known for the iOS side.

@RobinRauber

What country are you located?

Germany.

Only on the macOS side; there are none (publicly) known for the iOS side.

Thanks for the information. I hope there will be a solution for iOS as well.

@etrahretep

Use a US App Store account (not Apple ID) on both iPhone and Mac. That works for the EU!

@etrahretep

Just to clarify this :)
You just need to set a US account for the App Store (not for iCloud) on both devices.
Then you can open the app and connect. Once connected, you can switch both App Store accounts back to your usual EU one; you won't be disconnected.
However, when you leave the app or put the Mac to sleep, you have to do it again when you open it.
So it's kinda annoying, but... I could make it work until it's officially available on my side.

@RobinRauber

Nah, iCloud account hopping isn’t an option for me 😅

Maybe adding some breakpoints in the code and jumping to the right program addresses to bypass the restriction could work. I’m not very familiar with Apple’s instruction set, though.

@feyli

feyli commented Jun 25, 2024

Nah, iCloud account hopping isn’t an option for me 😅

Maybe adding some breakpoints in the code and jumping to the right program addresses to bypass the restriction could work. I’m not very familiar with Apple’s instruction set, though.

@RobinRauber this doesn't seem to be an option. The iPhone acts as a server and the iPhone refuses the connection itself if its App Store account is an EU one. It means we have to tweak the iPhone to bypass the check.

@BlueFalconHD

I’m not very familiar with Apple’s instruction set, though.

AFAIK it is just ARM assembly.

@EmptyEnergy

https://github.com/libimobiledevice/libimobiledevice You need to enable encrypted backup on the iOS device, then find and decrypt the backup file you want to modify using the backup's Manifest.db, then encrypt the file back and update the hash of the corresponding file in Manifest.db, and finally restore the modified backup to the phone.

Is there not an easier tool for this?

@RobinRauber

RobinRauber commented Jun 25, 2024

On macOS you can edit 'eligibility.plist' under '/private/var/db/os_eligibility', OS_ELIGIBILITY_DOMAIN_IRON (which controls the restrictions for the iPhone Mirroring app): https://forum.betaprofiles.com/t/bypass-region-lock-to-use-iphone-mirroring-in-eu/14204

Note that there is no need to disable csrutil at all. Just copy the file from its original location to the downloads folder, edit it there, copy it back and replace the old file.

Note that the original file will be recreated when you restart your Mac. It will restore the data based on your location, Apple ID, etc. See here for more information: https://theapplewiki.com/wiki/Eligibility


@filipef101

filipef101 commented Jun 25, 2024

A Sandbox Apple ID also works; as said above, you only need to log in to the App Store, not the device's iCloud. Not sure if it's easier, but I already had a sandbox Apple ID for dev purposes.
I created a copy of the eligibility.plist, and just sudo cp modified.plist /private/var/db/os_eligibility/eligibility.plist when needed.
I wonder how the check is done on the device; it would be cool to have a feature flag that disables the geo restriction.

P.S. You can use blacktop's ipsw tool to decrypt iOS 18 IPSWs, as well as split the dyld shared cache to get the binary for Sharing.framework.

I assume the above doesn't mean we could sideload an app that uses that framework to start the continuity shell 🤔

Good luck anyone involved/trying to bypass region lock 👋

@KoreanPizzaGuy

Someone figured it out but cannot find how: https://x.com/void16_/status/1805626301492973955

@feyli

feyli commented Jun 25, 2024

A Sandbox Apple ID also works; as said above, you only need to log in to the App Store, not the device's iCloud. Not sure if it's easier, but I already had a sandbox Apple ID for dev purposes. I created a copy of the eligibility.plist, and just sudo cp modified.plist /private/var/db/os_eligibility/eligibility.plist when needed. I wonder how the check is done on the device; it would be cool to have a feature flag that disables the geo restriction.

P.S. You can use blacktop's ipsw tool to decrypt iOS 18 IPSWs, as well as split the dyld shared cache to get the binary for Sharing.framework.

I assume the above doesn't mean we could sideload an app that uses that framework to start the continuity shell 🤔

Good luck anyone involved/trying to bypass region lock 👋

@filipef101 someone managed to bypass the region lock with a bit of help from JJTech, but didn't share the method unfortunately.

@etrahretep

@filipef101 someone managed to bypass the region lock with a bit of help from JJTech, but didn't share the method unfortunately.

Of course they did, but looking at the past weeks, they're never gonna disclose how...

@KoreanPizzaGuy

KoreanPizzaGuy commented Jun 25, 2024

Someone figured it out but cannot find how: https://x.com/void16_/status/1805626301492973955

Somehow she enabled Dynamic Island on an iPhone 12 running iOS 18; my theory is that she's somehow modifying IPSWs. Top left: 😳 rdar: 45025538
https://x.com/void16_/status/1805712302013845703?s=46

@EmptyEnergy

Someone figured it out but cannot find how: https://x.com/void16_/status/1805626301492973955

Somehow she enabled Dynamic Island on an iPhone 12 running iOS 18; my theory is that she's somehow modifying IPSWs. Top left: 😳 rdar: 45025538 https://x.com/void16_/status/1805712302013845703?s=46

I remember during the MacDirtyCow days you had to edit MobileGestalt to enable that; wonder if there's an MDC-type exploit in iOS 18.

@Crr0t

Crr0t commented Jun 25, 2024

I get this when I open it, but there is no option in the settings??


@EmptyEnergy

Someone figured it out but cannot find how: https://x.com/void16_/status/1805626301492973955

Somehow she enabled Dynamic Island on an iPhone 12 running iOS 18; my theory is that she's somehow modifying IPSWs. Top left: 😳 rdar: 45025538 https://x.com/void16_/status/1805712302013845703?s=46

Apparently there's a private bug in iOS 18 that's being spread to certain users, which is how they are enabling this. It being a private bug, these people shouldn't be flexing enabling features just for some clout.

@EmptyEnergy

@filipef101 someone managed to bypass the region lock with a bit of help from JJTech, but didn't share the method unfortunately.

Of course they did, but looking at the past weeks, they're never gonna disclose how...

I know right, a lot of people know about the bug/exploit even though it's private, how does that make sense?

@IsThisTheCrustyCrab-was-taken

IsThisTheCrustyCrab-was-taken commented Jun 26, 2024

A Sandbox Apple ID also works; as said above, you only need to log in to the App Store, not the device's iCloud. Not sure if it's easier, but I already had a sandbox Apple ID for dev purposes. I created a copy of the eligibility.plist, and just sudo cp modified.plist /private/var/db/os_eligibility/eligibility.plist when needed. I wonder how the check is done on the device; it would be cool to have a feature flag that disables the geo restriction.

P.S. You can use blacktop's ipsw tool to decrypt iOS 18 IPSWs, as well as split the dyld shared cache to get the binary for Sharing.framework.

I assume the above doesn't mean we could sideload an app that uses that framework to start the continuity shell 🤔

Good luck anyone involved/trying to bypass region lock 👋

How'd you manage to log into the App Store using a Sandbox ID? I created one in App Store Connect, but every time I try to use it to log in to the App Store, it just immediately logs me back out again :/

@filipef101

How'd you manage to log into the App Store using a Sandbox ID? I created one in App Store Connect, but every time I try to use it to log in to the App Store, it just immediately logs me back out again :/

I do it via Settings. Note that with a sandbox Apple ID you cannot make purchases or sign up for trials (it will reject adding any payment mechanism to the account). I only used it because I already had it.

@filipef101

If anyone has an issue where the space bar doesn't add a space while mirroring, disable Full Keyboard Access in Accessibility.

@filipef101

filipef101 commented Jun 26, 2024

Ways I believe people are doing the region bypass on iOS:

  • Load a custom/modified IPSW (security researchers), which means they can do anything they want.
  • Some trick with backups, i.e. this edit of a backup that is supposed to bypass the region lock for the new Siri: /usr/libexec/PlistBuddy -c "Set :bypassDeviceSupportsSAE true" ~/Library/Preferences/com.apple.assistant.plist, so something like this may exist for bypassing the region lock of ScreenContinuity.
  • An undisclosed exploit; the main reason it is not shared is NDAs and bug bounties.

@trinityhades

Do you guys know whether or not changing your App Store account to an EU-based account is enough to allow the use and download of third-party browsers? I really want a Chromium-based browser on my iPhone even though I'm in the US.
