Hacking Question Payload loader for iOS?

[Lil_SpazJoekp]

In the Xcode project, scroll all the way down to Products in the navigator (the file/group tree on the left). Listed under Products are the different things you can build. Right click on libusb-1.0.0.dylib and select "Show in Finder". Then you can copy and paste the file wherever you need.

Yeah I was doing that but it would take me to the project root and not the derived folder. Could you post your dylib file please?

--------------------- MERGED ---------------------------

It's hilarious to me to see the posts at the beginning of the thread that basically say - no: impossible - then argue about stock vs jailbroken iOS while still claiming it will never happen.. to skipping to the last page, within seven pages, and seeing that there is a functional payload being run from iOS. This is why people who don't know what they're talking about should probably stop commenting in the first place. Fantastic work @JustBrandonT.

Never really worked with Xcode, wtf?? I'm simply trying to move some headers etc to be included in the project and am having issues, lots of stuff missing from IOKit that I find elsewhere on my mac.

Did you run the commands on page 5 or 6 I posted?

 

[JustBrandonT]

I was able to successfully build the latest copy of the project, but it seems the app can't detect the Switch is in APX mode. Taping "Reload" does nothing.

I have a breakpoint in NXLauncher.mm line 41 and the devices array is empty.

Maybe I have a bad build. @JustBrandonT can you post your ipa?

https://github.com/Brandon-T/iOUSB/releases/tag/v1.0


Compiled for iOS 10+.. I can compile it for lower as well if necessary. Basically to get everything to compile:

1. Get IOKit registered into your iOS SDK
2. Copy libkern/OSTypes.h to your iOS SDK
3. Change OSTypes.h to define UInt32 and SInt32 based on __LP64__ because of ARM 64 devices (THIS step is optional and only required if creating archives):

#if __LP64__
typedef unsigned int UInt32;
#else
typedef unsigned long UInt32;
#endif


#if __LP64__
typedef signed int SInt32;
#else
typedef signed long SInt32;
#endif

4. Download libUSB source code and open the Xcode folder + the libusb project. Change the "Build-Settings->BaseSDK" to: "Latest iOS (iOS ##.#)".
5. Change "BuildSettings->SkipInstall" to "YES".
6. Compile libUSB. It will generate a libusb-1.0.0.dylib
7. Copy that into NXLauncher and copy the libusb.h there as well.
8. Hit compile or archive product to generate an ipa and voila.
9. Get Nintendo switch into RCM (will show up on non-jailbroken AND jailbroken as APX).
10. Run the app (or the ipa via cydia-impactor).
11. It says "Ready whenever you are".
12. Press "Reload". It will print ALL the debug info such as your device ID/serial number, USB port information, device corporation (Nintendo Corp), device name (APX), etc..
13. Watch Fusee Reswitched splash screen on the switch..


I do not know the license of libusb or how it works with MIT license.. I mean I can change my project's license to use the same thing I guess and then distribute all the source? IANAL so.. but if that's the case, I can easily do that and everyone can run stuff themselves.


In any case, I uploaded an archive/ipa above and you just need to load it with cydia impactor. I just tested the same IPA myself on iOS 10.3 jailbroken.

Edit: Seems on non-jailbroken, it shows "0 devices" connected via libusb but via IOKit, it shows the switch (read only though so can't upload payload.. It can read your device info, but not upload the payload on non-jailbroken devices) :S

 

[Lil_SpazJoekp]

https://github.com/Brandon-T/iOUSB/releases/tag/v1.0


Compiled for iOS 10+.. I can compile it for lower as well if necessary. Basically to get everything to compile:

1. Get IOKit registered into your iOS SDK
2. Copy libkern/OSTypes.h to your iOS SDK
3. Change OSTypes.h to define UInt32 and SInt32 based on __LP64__ because of ARM 64 devices (THIS step is optional and only required if creating archives):

#if __LP64__
typedef unsigned int UInt32;
#else
typedef unsigned long UInt32;
#endif


#if __LP64__
typedef signed int SInt32;
#else
typedef signed long SInt32;
#endif

4. Download libUSB source code and open the Xcode folder + the libusb project. Change the "Build-Settings->BaseSDK" to: "Latest iOS (iOS ##.#)".
5. Change "BuildSettings->SkipInstall" to "YES".
6. Compile libUSB. It will generate a libusb-1.0.0.dylib
7. Copy that into NXLauncher and copy the libusb.h there as well.
8. Hit compile or archive product to generate an ipa and voila.
9. Get Nintendo switch into RCM (will show up on non-jailbroken AND jailbroken as APX).
10. Run the app (or the ipa via cydia-impactor).
11. It says "Ready whenever you are".
12. Press "Reload". It will print ALL the debug info such as your device ID/serial number, USB port information, device corporation (Nintendo Corp), device name (APX), etc..
13. Watch Fusee Reswitched splash screen on the switch..


I do not know the license of libusb or how it works with MIT license.. I mean I can change my project's license to use the same thing I guess and then distribute all the source? IANAL so.. but if that's the case, I can easily do that and everyone can run stuff themselves.


In any case, I uploaded an archive/ipa above and you just need to load it with cydia impactor. I just tested the same IPA myself on iOS 10.3 jailbroken.

Thank you!!!!! and do you have paypal?

 

[foreveralive]

Great work！ thanks.
expecting for a 9.3.3 version injector~

 

[Dread_Pirate_PJ]

https://github.com/Brandon-T/iOUSB/releases/tag/v1.0

-- snip --

I do not know the license of libusb or how it works with MIT license.. I mean I can change my project's license to use the same thing I guess and then distribute all the source? IANAL so.. but if that's the case, I can easily do that and everyone can run stuff themselves.

As far as I know, since libusb is LGPL and you are using it only by linking to it, you don't have to change your license.

See https://softwareengineering.stackex...a-lgpl-gem-affect-my-mit-licensed-application

 

[JustBrandonT]

Great work！ thanks.
expecting for a 9.3.3 version injector~

Uploaded 9.0+ ipa. Supports iOS 9, 10, 11, 12.

 

[saneatsu]

Holy crap this is amazing. I go on vacation and saw this thread before I left. Forgot about it and come back to this.

Good work and kudos to all y’all.

 

[Draxzelex]

Its just fascinating watching how this thread evolved from a simple suggestion towards an actual working program, despite the initial negativity. Its projects like these that represent the tenacity, ingenuity, and cooperation of GBATemp. I may not have an iPhone, but it was at least a privilege to see something positive created from scratch.

 

[Riky_Xerez]

Can you put an option to select a bin file manually from the app like NXLoader for Android? Of corse, it only works with jailbreak

 

[foreveralive]

Uploaded 9.0+ ipa. Supports iOS 9, 10, 11, 12.

Thank you but is there a guide shows how to inject payload on a 9.3.3 jailbroken iphone?
Sorry to bother

 

[z10m]

Direct connection lightning to usb c doesn’t seem to work and lightning to usb a with usb a to c adapter doesn’t seem to work either.
External power is really necessary it appears.

 

[JustBrandonT]

Thank you but is there a guide shows how to inject payload on a 9.3.3 jailbroken iphone?
Sorry to bother

- Download Cydia Impactor.
- Download the ipa.
- Launch Cydia impactor.
- Connect the switch to the phone with the camera adaptor or on the go adapter (the lightning cable will plug into the USB charging power, and the other end into the phone - you can also ignore the power part and just spam the reload button later. You’ll see what I mean.).
- You should get a pop up twice saying that APX device is not supported.
- Both times close it.
- Drag the ipa onto Cydia impactor.
- It will ask you to login to any AppleId.
- Do that and the ipa will install (sometimes you’ll get an error, ignore it and check to see if it’s installed on your device)
- Run the app and voila.

 

[Riky_Xerez]

Direct connection lightning to usb c doesn’t seem to work and lightning to usb a with usb a to c adapter doesn’t seem to work either.
External power is really necessary it appears.

It does not work with direct lightning usb c cable?

 

[z10m]

It does not work with direct lightning usb c cable?

Nope. Nothing is detected.

 

[Lil_SpazJoekp]

- Download Cydia Impactor.
- Download the ipa.
- Launch Cydia impactor.
- Connect the switch to the phone with the camera adaptor or on the go adapter (the lightning cable will plug into the USB charging power, and the other end into the phone - you can also ignore the power part and just spam the reload button later. You’ll see what I mean.).
- You should get a pop up twice saying that APX device is not supported.
- Both times close it.
- Drag the ipa onto Cydia impactor.
- It will ask you to login to any AppleId.
- Do that and the ipa will install (sometimes you’ll get an error, ignore it and check to see if it’s installed on your device)
- Run the app and voila.

So, where does it get the payload from? I have a interface to grab a bin file from iCloud Drive and load it into the inbox.

 

[z10m]

So, where does it get the payload from? I have a interface to grab a bin file from iCloud Drive and load it into the inbox.

I think it’s included in the .ipa file.

 

[Lil_SpazJoekp]

I think it’s included in the .ipa file.

I’m looking at the source code and I’m not finding it. I’m wanting to see how it’s loaded so that I can write an interface for choosing your own payload.

 

[Zonark]

You would have to be jailbroke and have a file manager on iOS in order to implement this. It is possible to do this but the system lacks the software to do this as well as having to have the expensive lighting to type c cable

 

[Lil_SpazJoekp]

You would have to be jailbroke and have a file manager on iOS in order to implement this. It is possible to do this but the system lacks the software to do this as well as having to have the expensive lighting to type c cable

iOS 11 introduced a file manager. I already have a ui built for loading a file into the app’s inbox.

 

[JustBrandonT]

iOS 10-11 introduced a file manager. I already have a ui built for loading a file into the app’s inbox.

I just updated the code and uploaded lib-usb as well.. Now we can all compile it out of the box straight from the git. Also updated the readme for those that don't know about IOKit.framework.

Added ability to load your own payload and intermezzo: https://github.com/Brandon-T/iOUSB/blob/master/iOSNXLauncher/iOSNXLauncher/NXLauncher.mm#L20

It is C++ and I used `[[NSBundle mainBundle] pathForResource:ofType:]` to find the payload and intermezzo. You can use Objective-C or Swift.. doesn't matter.

You can always modify it to use iOS 11's stuff but if you do, don't forget to wrap it into `if @available(iOS, 11*)` blocks and fallback to default for iOS-9+.


Notes:
I also had a chance to test it WITHOUT the USB-3 OTG adapter that I have (IE: Without charging cable).. It works. I tested it with a cheap OTG adapter that just has the one port (I used USB-A to Lightning adapter).
All I had to do was keep spamming the "Reload" button until the exploit uploaded (about 5 seconds of spamming after plugging into my phone).
With the extra charging port, you never have to spam that's the only difference. Why? Because of the intermittent disconnecting I described when I first started the project (lack of power from phone to switch). It doesn't make a difference as long as the exploit gets uploaded