@zhuowei the debugger is still allowed to modify, while app itself is not. Here is Apple's response

@zhuowei it would be more interesting to like make this JIT-less because of iOS 26 banning JIT (though there's still a loophole but also a flaw with it), but I think patching dyld to accept DYLD_SHARED_CACHE_DIR would still need JIT...

@zhuowei oh thank you I didn’t know about that, very interesting way to bypass memory limit. In LiveContainer we used NSExtensionPointIdentifier=com.apple.ar.viewer which sets both ActiveHardMemoryLimit and InactiveHardMemoryLimit to -1

@zhuowei it didn’t for me: `bad bind opcode 0xAF`; and using dylibify: `out of range bind ordinal 27748 (max 559)`. So I used another way that’s shifting `PAGEZERO` (check out https://github.com/LiveContainer/LiveContainer/blob/main/README.md?plain=1#L141-L144 )

@zhuowei sure, maybe I’ll try to finish my code and upload it today so you can check it out

@zhuowei thank you! about using NSExtension, I think it might be possible but it would probably need a lot of work… (though I managed to use NSExtension to run multiples iOS apps and run SpringBoard sandboxes just by patching out aborts😅). I don’t know how loading dyld shared cache would be done there?
Also, I think running newer iOS simulators might also be possible if this actually works (would be so cool to have like jailbroken iOS simulator on iDevice)

@zhuowei yeah, it’s iPhone XS Max, iOS 16.5

@zhuowei lol I’m kinda surprised it just worked seamlessly, I just had to patch out some simulator-unsupported checks in it and modify decompiled MTLSimDriverHost.xpc a bit. Here’s Boot Picker.app
To actually boot it up, you’ll also need to run launchservicesd. I had to convert it to a dylib by shifting PAGEZERO since dylibify or changing cpusubtype would cause bind opcode errors.