Hello @zhuowei, it’s been 4 years since you tried running WindowServer on iPhone. Would you like to try it again, if I told you I made it work using iOS simulator’s Metal-over-XPC? (I don’t know whether Metal on simulator was a thing back then or not)
@khanhduy032 ... that's amazing
@zhuowei lol I’m kinda surprised it just worked seamlessly; I just had to patch out some simulator-unsupported checks in it and modify the decompiled MTLSimDriverHost.xpc a bit. Here’s Boot Picker.app
To actually boot it up, you’ll also need to run launchservicesd. I had to convert it to a dylib by shifting PAGEZERO since dylibify or changing cpusubtype would cause bind opcode errors.
@khanhduy032 ... wow
holy crap
so you got macOS on a jailbroken phone?
@zhuowei yeah, it’s iPhone XS Max, iOS 16.5
@khanhduy032 Congratulations! This is really amazing work.

... really stupid question: can you do this on an unjailbroken device with JIT and NSExtension's XPC?
@zhuowei thank you! About using NSExtension, I think it might be possible but it would probably need a lot of work… (though I managed to use NSExtension to run multiple iOS apps and run SpringBoard sandboxes just by patching out aborts😅). I don’t know how loading the dyld shared cache would be done there?
Also, I think running newer iOS simulators might also be possible if this actually works (would be so cool to have like jailbroken iOS simulator on iDevice)
@khanhduy032 > I don’t know how loading dyld shared cache would be done there?
Last time I checked, codesign will re-sign an entire dyld cache if you ask it to.
You probably don't have to, though, since you can attach a debugger and JIT.
@zhuowei it would be more interesting to like make this JIT-less because of iOS 26 banning JIT (though there's still a loophole but also a flaw with it), but I think patching dyld to accept DYLD_SHARED_CACHE_DIR would still need JIT...
@khanhduy032 ... crap
... how do debuggers work on iOS 26, then; are they only allowed to do hardware breakpoints now or something?
@zhuowei the debugger is still allowed to modify, while the app itself is not. Here is Apple's response