Dopamine

opa334dev

Dopamine is a continuation of the Fugu15 project and aims to bring a traditional end user jailbreak environment to it, including:

  • Automatic trust cache handling
  • Tweak injection (via ElleKit)
  • libkrw (including the ability to write to PPL protected memory and kcalling primitives)

It is currently IN DEVELOPMENT and not recommended to be used by ANYONE SANE. Because some people do not care about this, there is a development build now available under Releases.

The wifi and deep sleep bugs mentioned below have already been fixed in upstream commits, although the solution for the deep sleep is to just kill oobPCI after we have spawned jailbreakd and handed off the primitives to it and the solution for the wifi bug still requires disabling wifi during the jailbreak (can be reenabled afterwards).

Fugu15

Fugu15 is a semi-untethered permasigned jailbreak for iOS 15.
It contains a code-signing bypass, kernel exploit, kernel PAC bypass and PPL bypass.
Additionally, it can be installed via Safari, i.e. a computer is not required, except for a Web Server that hosts Fugu15.
Please note that Fugu15 does not support tweaks (no tweak injection library).

Tested Devices and iOS Versions

  • iPhone Xs Max: iOS 15.4.1
  • iPhone 11 (SRD): iOS 15.4.1
  • iPhone 12 (SRD): iOS 15.4.1
  • iPhone 12 Pro Max: iOS 15.4.1
  • iPhone 13: iOS 15.1 (offline edition – see bugs below [WiFi bug])

Other devices are probably supported as well.

*A12 and later devices are not supported on iOS 16.6 – 16.6.1, and A15-A16/M2 devices are not supported on iOS 16.5.1 – 16.6.1.

Information

  • Version: 2.0.8
  • Last updated: 11/21/2023

2.0.8
– Fix VPN not working on arm64 (2.0.7 regression)
– Fix iCloud settings being partially greyed out on arm64 (2.0.7 regression)
– Fix apps not showing up in settings on arm64 (2.0.7 regression)
– Fix support for iOS 15.0b1 – 15.0b3

1.1.11
– Fix “Invalid kernel stack pointer” random panic
– Apply forkfix for forks coming out of the daemon() and forkpty() functions
– Fix a bug in the codesign bypass where the wrong slice could get trustcached in some rare circumstances, causing the binary to fail to spawn
– Fix a minor inaccuracy in the execve systemwide hook

1.1.8
– Fix issues with trustcaching machos that have both old and new ABI arm64e slices
– Fix several bugs in system wide exec(cve/cle/lp/v/vp/vP) hooks, which could cause arguments and environment variables to become malformed
– Fix a path finding bug in execvP hook
– Add missing execl hook
All the changes of this update have been contributed by @RootHide

1.1.5
– Minor PPLRW improvements (better address translation, prevent process crashes when passing an invalid physical address)
– Remove some leftover debug logs in launchdhook from during the 1.1.3 development phase

1.1.4
– Fix unreliability when jailbreaking on A14 (1.1.3 regression)
– Make forkfix only load when absolutely necessary rather than inside every single process that is able to fork (This should decrease spinlock panic frequency back to how it was on pre-1.1, but tweaks with C function hooks will obviously still cause it, also the effectiveness of this change has not been confirmed yet, but at least it shouldn’t make anything worse)

1.1.3
NOTE: When OTA updating to this release your device will reboot, unlike other releases where it would do a userspace reboot, this is expected, you will have to rejailbreak manually afterwards

– Transition away from old PPLRW method to a new PPLRW method that works by mapping in the entire kernel physical address space into the userland process, this fixes all remaining issues with PPLRW such as multithreading support and TLB issues (unfortunately this is also what breaks jbupdate’ing with just a userspace reboot, as the primitives from earlier versions cannot easily be transferred to this one)
– Reenable launchd crash reporter in a way that cannot be detected by apps
– Hide uninstall jailbreak button when jailbroken as it didn’t work properly in this state, only appears in unjailbroken mode now
– Fix iDownload option not working (probably hasn’t worked since 1.1, because there was a dumb issue with codesigning the idownloadd binary, sorry)

1.1.2
– Disable launchd crash reporter again, as this triggered a lot of jailbreak detections (No idea how they detect this or what specifically they check for :/)
– Disable jailbreak button when the device / version combination is unsupported

1.1
– Improve PPLRW performance by a factor of ~1000x
– Fix all remaining forkfix issues, now works completely reliably, fork is also way faster now thanks to the PPLRW improvements mentioned above
– Fix some race conditions with kcall and PPLRW
– Add a watchdogd hook that intercepts userspace panics due to watchdog timeouts and instead disables tweak injection and triggers a userspace reboot (demo video: https://twitter.com/opa334dev/status/1669067846008143872)
– Add a ptrace hook that unconditionally allows debugging processes (via debugserver or other tools), even when tweak injection has been disabled
– Refactor iDownload and put it in its own daemon, this now works through userspace reboots and the daemon can be enabled / disabled in real time in the Dopamine app, also fixes deep sleep panic when iDownload is enabled
– Fix “opainject not found” error that could happen under rare circumstances when rejailbreaking
– Refactor systemhook to make it more maintainable in the future
– Deprecate /usr/lib/sandbox.plist in favor of storing sandbox extensions in the environment of spawned processes, improves security
– Add JB_ROOT_PATH environment variable that gets injected into all processes that have tweaks enabled, there have been some talks in making the /var/jb symlink optional in the future to better protect against jailbreak detections. If that actually materializes, this environment variable will be the way to know where the rootless jailbreak root directory is.
– Fix jbctl not setting debugged flags correctly (Thanks to @XsF1re)
– Disable tweak injection into the Dopamine app itself as some jailbreak detection tweaks were blocking its ability to check whether the device is jailbroken
– Stop using installed ellekit dylib for launchd hook, should prevent the jailbreak from fully breaking when a broken ellekit build is installed
– Fix libKRW kalloc / kfree not working correctly due to mismatching signatures
– Enable several compiler optimizations for base binaries
– Add a mechanism where xina symlinks (e.g. /var/LIY) will not be automatically removed on rejailbreak if the file /var/.keep_symlinks exists
– Improve Wi-Fi disabling code to make a better effort at preserving the Wi-Fi state before the jailbreak attempt (Thanks to @singlekeycap for the suggestion)
– Several localizations have been updated

1.0.5
– Fix an issue with forkfix where it would break reinstalling dpkg
– Automatically fix the permissions of /private/preboot/ when jailbreaking in case they are wrong (Wrong permissions can cause SSH / NewTerm to not work)

1.0.4
– Fix forkfix leaking file descriptors under certain conditions
– Adapt forkfix to be more similar to regular fork
– Work around issue with dpkg-deb just randomly failing if forkfix is used, this issue does not make any sense (issue triggers with a fork implementation 1:1 identical to the system one, but not on the system one itself, there really is some voodoo going on here), so I solved it by blocking tweak injection into dpkg-deb
– Add IPC hook, supporting system wide access to mach services prefixed with cy: or lh:
– Update fallback ellekit to 0.6.3
– Some UI improvements (#87, #131, #120), thanks to @sourcelocation

1.0.3
– Make jailbreakd more memory efficient and fix some small memory leaks
– Remove hacky way to disable Jetsam for jailbreakd, maybe this fixes the spinlock panics (EDIT: Spoiler, it did not), but it’s a really far stretch so I doubt it
– The update option inside the Dopamine app should now also work when the device is not jailbroken
– (15.0 – 15.3.1) Increase delay after disabling wifi because some people claimed it would improve the success rate

1.0.2
– Fix system instability caused by forkfix regression (Fixes system freezes when connected to a WPA Enterprise endpoint)
– Rename iDownload option to clarify it’s a Developer shell