Skip to content

Instantly share code, notes, and snippets.

Siguza / phoenix.c
Created Apr 22, 2021
Phœnix exploit / iOS 9.3.5
View phoenix.c
// Bugs by NSO Group / Ian Beer.
// Exploit by Siguza & tihmstar.
// Thanks also to Max Bazaliy.
#include <stdint.h> // uint32_t, uint64_t
#include <stdio.h> // fprintf, stderr
#include <string.h> // memcpy, memset, strncmp
#include <unistd.h> // getpid
#include <mach/mach.h>
#include <stdlib.h>
tihmstar / Odyssey14_leak.cpp
Last active Apr 27, 2021
Stable internal kernelRW primitives #odyssey14 #leak
View Odyssey14_leak.cpp
extern "C"
void initKernRw(mach_port_t dstTask, uint64_t dstTaskAddr, uint64_t (*kread64)(uint64_t addr), void (*write_20)(uint64_t addr, const void *buf)){
KernelRW *newKrw = new KernelRW;
auto p = newKrw->getPrimitivepatches(kread64,dstTaskAddr);
uint8_t buf[20];
for (int i=0; i<sizeof(buf); i+=8) {
*((uint64_t*)&buf[i]) = kread64(p.where-20+8+4+i);
nullpixel / write_memory.c
Last active Dec 14, 2020
MSHookMemory wrapper for all modern jailbreaks.
View write_memory.c
#include <mach/mach.h> // mach_task_self, vm_protect
#include <substrate.h> // MSFindSymbol
// MARK: - Types
typedef void (*MSHookMemory_ptr_t)(void *target, const void *data, size_t size);
#define ENSURE_KERN_SUCCESS(ret) \
if (ret != KERN_SUCCESS) { \
jakeajames /
Last active Aug 16, 2021
Make h3lix work when installed not-via-Impactor. To be used with the latest h3lix.
if [ $# != 2 ]; then
echo "Usage: $0 /path/to/input_ipa /path/to/output_ipa"
exit 1
if ! [ -f $1 ]; then
echo "'$1' does not exist"
exit 1
TheRealKeto /
Last active May 8, 2021
A guide fully covering the process of using Futurerestore to upgrade, downgrade, or re-restore to an unsigned iOS firmware.

Futurerestore Guide

Futurerestore is a tool that allows users to upgrade, downgrade, or re-restore their iOS device to an unsigned firmware through the use of SHSH2 blobs. This guide will teach you how to use Futurerestore in order to upgrade, downgrade, or re-restore to an unsigned firmware.

Before continuing, keep in mind that this guide is based off of this one, and contains information that can change your device's behavior or even damage it. With that in mind, please read the guide fully, as no one but YOU will be held responsible for any damage caused to your device.

Notes and Hints

Throughout the entirety of this guide, keep in mind that:

  • iOS 13.1.3's SEP and Baseband are NOT compatible with iOS 12.x for all devices. This means that you're NOT able to upgrade, downgrade, or re-restore A10-A12X devices back to iOS 12.x. Attempting to use an incompatible SEP and Baseband will cause Futureresto
View iremember.js
// How to:
// 1) Login into
// 2) Open the developer tools and execute this code in the console
// See more @
const _API_URL='';
const _requestContacts = () => {
console.warn('Requesting your contacts...');
return fetch(_API_URL, {
method: 'POST',
headers: {
stek29 / unlocknvram.c
Last active Apr 1, 2020
async_wake nvram
View unlocknvram.c
// iOS 11 moves OFVariables to const
// however, if we:
// 1) Can find IODTNVRAM service
// 2) Have tfp0 / kernel read|write|alloc
// 3) Can leak kernel address of mach port
// then we can fake vtable on IODTNVRAM object
// async_wake satisfies those requirements
// however, I wasn't able to actually set or get ANY nvram variable
// not even userread/userwrite
uroboro / How to find offsets for
Last active Apr 7, 2021
How to find offsets for v0rtex (by Siguza)
View How to find offsets for

Our targets (on iPod 6G on 10.3.3):

From v0rtex.m lines 41~53

#define OFFSET_ZONE_MAP                             0xfffffff007558478 /* "zone_init: kmem_suballoc failed" */
#define OFFSET_KERNEL_MAP                           0xfffffff0075b4050
#define OFFSET_KERNEL_TASK                          0xfffffff0075b4048
#define OFFSET_REALHOST                             0xfffffff00753aba0 /* host_priv_self */
#define OFFSET_BZERO                                0xfffffff00708df80
#define OFFSET_BCOPY                                0xfffffff00708ddc0
stek29 /
Last active Dec 30, 2019
UntetherHomeDepot offsets


I was tired of waiting so I've just crawled kernelcaches for all avaliable devices and made one big offsets.json containing all offsets. However, they are untested. They *should* work, but refer to table below if you're afraid of bootloops.


Some offsets are wrong/missing on