# Patch Comparison: Regular / Development / Jailbreak ## Boot Chain Patches ### AVPBooter | # | Patch | Purpose | Regular | Dev | JB | | --- | ------------ | -------------------------------- | :-----: | :-: | :-: | | 1 | `mov x0, #0` | DGST signature validation bypass | Y | Y | Y | ### iBSS | # | Patch | Purpose | Regular | Dev | JB | | --- | ----------------------------------- | ------------------------------------------------------------- | :-----: | :-: | :-: | | 1 | Serial labels (2x) | "Loaded iBSS" in serial log | Y | Y | Y | | 2 | `image4_validate_property_callback` | Signature bypass (`b.ne` -> NOP, `mov x0,x22` -> `mov x0,#0`) | Y | Y | Y | | 3 | Skip `generate_nonce` | Keep apnonce stable for SHSH (`tbz` -> unconditional `b`) | - | - | Y | ### iBEC | # | Patch | Purpose | Regular | Dev | JB | | --- | ----------------------------------- | ------------------------------------------ | :-----: | :-: | :-: | | 1 | Serial labels (2x) | "Loaded iBEC" in serial log | Y | Y | Y | | 2 | `image4_validate_property_callback` | Signature bypass | Y | Y | Y | | 3 | Boot-args redirect | ADRP+ADD -> `serial=3 -v debug=0x2014e %s` | Y | Y | Y | ### LLB | # | Patch | Purpose | Regular | Dev | JB | | --- | ----------------------------------- | ------------------------------------------ | :-----: | :-: | :-: | | 1 | Serial labels (2x) | "Loaded LLB" in serial log | Y | Y | Y | | 2 | `image4_validate_property_callback` | Signature bypass | Y | Y | Y | | 3 | Boot-args redirect | ADRP+ADD -> `serial=3 -v debug=0x2014e %s` | Y | Y | Y | | 4 | Rootfs bypass (5 patches) | Allow edited rootfs loading | Y | Y | Y | | 5 | Panic bypass | NOP `cbnz` after `mov w8,#0x328` check | Y | Y | Y | ### TXM | # | Patch | Purpose | Regular | Dev | JB | | --- | ------------------------------------------------- | ----------------------------------------- | :-----: | :-: | :-: | | 1 | Trustcache binary-search bypass | `bl hash_cmp` -> `mov x0, #0` | Y | Y | Y | | 2 | Selector24 bypass: `mov w0, #0xa1` | Return PASS (byte 1 = 0) after prologue | - | Y | Y | | 3 | Selector24 bypass: `b ` | Skip validation, jump to register restore | - | Y | Y | | 4 | get-task-allow (selector 41\|29) | `bl` -> `mov x0, #1` | - | Y | Y | | 5 | Selector42\|29 shellcode: branch to cave | Redirect dispatch stub to shellcode | - | Y | Y | | 6 | Selector42\|29 shellcode: NOP pad | UDF -> NOP in code cave | - | Y | Y | | 7 | Selector42\|29 shellcode: `mov x0, #1` | Set return value to true | - | Y | Y | | 8 | Selector42\|29 shellcode: `strb w0, [x20, #0x30]` | Set manifest flag | - | Y | Y | | 9 | Selector42\|29 shellcode: `mov x0, x20` | Restore context pointer | - | Y | Y | | 10 | Selector42\|29 shellcode: branch back | Return from shellcode to stub+4 | - | Y | Y | | 11 | Debugger entitlement (selector 42\|37) | `bl` -> `mov w0, #1` | - | Y | Y | | 12 | Developer mode bypass | NOP conditional guard before deny path | - | Y | Y | ## Kernelcache ### Base Patches (All Variants) | # | Patch | Function | Purpose | Regular | Dev | JB | | ----- | -------------------------- | -------------------------------- | -------------------------------------------------- | :-----: | :-: | :-: | | 1 | NOP `tbnz w8,#5` | `_apfs_vfsop_mount` | Skip root snapshot sealed-volume check | Y | Y | Y | | 2 | NOP conditional | `_authapfs_seal_is_broken` | Skip root volume seal panic | Y | Y | Y | | 3 | NOP conditional | `_bsd_init` | Skip rootvp not-authenticated panic | Y | Y | Y | | 4-5 | `mov w0,#0; ret` | `_proc_check_launch_constraints` | Bypass launch constraints | Y | Y | Y | | 6-7 | `mov x0,#1` (2x) | `PE_i_can_has_debugger` | Enable kernel debugger | Y | Y | Y | | 8 | NOP | `_postValidation` | Skip AMFI post-validation | Y | Y | Y | | 9 | `cmp w0,w0` | `_postValidation` | Force comparison true | Y | Y | Y | | 10-11 | `mov w0,#1` (2x) | `_check_dyld_policy_internal` | Allow dyld loading | Y | Y | Y | | 12 | `mov w0,#0` | `_apfs_graft` | Allow APFS graft | Y | Y | Y | | 13 | `cmp x0,x0` | `_apfs_vfsop_mount` | Skip mount check | Y | Y | Y | | 14 | `mov w0,#0` | `_apfs_mount_upgrade_checks` | Allow mount upgrade | Y | Y | Y | | 15 | `mov w0,#0` | `_handle_fsioc_graft` | Allow fsioc graft | Y | Y | Y | | 16 | NOP (3x) | `handle_get_dev_by_role` | Bypass APFS role-lookup deny gates for boot mounts | Y | Y | Y | | 17-26 | `mov x0,#0; ret` (5 hooks) | Sandbox MACF ops table | Stub 5 sandbox hooks | Y | Y | Y | ### JB-Only Kernel Methods (Reference List) | # | Group | Method | Function | Purpose | JB Enabled | | ----- | ----- | ------------------------------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :--------: | | JB-01 | A | `patch_amfi_cdhash_in_trustcache` | `AMFIIsCDHashInTrustCache` | Always return true + store hash | Y | | JB-02 | A | `patch_amfi_execve_kill_path` | AMFI execve kill return site | Convert shared kill return from deny to allow (superseded by C21; standalone only) | N | | JB-03 | C | `patch_cred_label_update_execve` | `_cred_label_update_execve` | Reworked C21-v3: C21-v1 already boots; v3 keeps split late exits and additionally ORs success-only helper bits `0xC` after clearing `0x3F00`; still disabled pending boot validation | N | | JB-04 | C | `patch_hook_cred_label_update_execve` | sandbox `mpo_cred_label_update_execve` wrapper (`ops[18]` -> `sub_FFFFFE00093BDB64`) | Faithful upstream C23 trampoline: copy `VSUID`/`VSGID` owner state into pending cred, set `P_SUGID`, then branch back to wrapper | Y | | JB-05 | C | `patch_kcall10` | `sysent[439]` (`SYS_kas_info` replacement) | Rebuilt ABI-correct kcall cave: `target + 7 args -> uint64 x0`; re-enabled after focused dry-run validation | Y | | JB-06 | B | `patch_post_validation_additional` | `_postValidation` (additional) | Disable SHA256-only hash-type reject | Y | | JB-07 | C | `patch_syscallmask_apply_to_proc` | syscallmask apply wrapper (`_proc_apply_syscall_masks` path) | Faithful upstream C22: mutate installed Unix/Mach/KOBJ masks to all-ones via structural cave, then continue into setter; distinct from `NULL`-mask alternative | Y | | JB-08 | A | `patch_task_conversion_eval_internal` | `_task_conversion_eval_internal` | Allow task conversion | Y | | JB-09 | A | `patch_sandbox_hooks_extended` | Sandbox MACF ops (extended) | Stub remaining 30+ sandbox hooks (incl. IOKit 201..210) | Y | | JB-10 | A | `patch_iouc_failed_macf` | IOUC MACF shared gate | A5-v2: patch only the post-`mac_iokit_check_open` deny gate (`CBZ W0, allow` -> `B allow`) and keep the rest of the IOUserClient open path intact | Y | | JB-11 | B | `patch_proc_security_policy` | `_proc_security_policy` | Bypass security policy | Y | | JB-12 | B | `patch_proc_pidinfo` | `_proc_pidinfo` | Allow pid 0 info | Y | | JB-13 | B | `patch_convert_port_to_map` | `_convert_port_to_map_with_flavor` | Skip kernel map panic | Y | | JB-14 | B | `patch_bsd_init_auth` | `_bsd_init` rootauth-failure branch | Ignore `FSIOC_KERNEL_ROOTAUTH` failure in `bsd_init`; same gate as base patch #3 when layered | Y | | JB-15 | B | `patch_dounmount` | `_dounmount` | Allow unmount via upstream coveredvp cleanup-call NOP | Y | | JB-16 | B | `patch_io_secure_bsd_root` | `AppleARMPE::callPlatformFunction` (`"SecureRootName"` return select), called from `IOSecureBSDRoot` | Force `"SecureRootName"` policy return to success without altering callback flow; implementation retargeted 2026-03-06 | Y | | JB-17 | B | `patch_load_dylinker` | `_load_dylinker` | Skip strict `LC_LOAD_DYLINKER == "/usr/lib/dyld"` gate | Y | | JB-18 | B | `patch_mac_mount` | `___mac_mount` | Upstream mount-role wrapper bypass (`tbnz` NOP + role-byte zeroing) | Y | | JB-19 | B | `patch_nvram_verify_permission` | `_verifyPermission` (NVRAM) | Allow NVRAM writes | Y | | JB-20 | B | `patch_shared_region_map` | `_shared_region_map_and_slide_setup` | Force root-vs-process-root mount compare to succeed before Cryptex fallback | Y | | JB-21 | B | `patch_spawn_validate_persona` | `_spawn_validate_persona` | Upstream dual-`cbz` persona helper bypass | Y | | JB-22 | B | `patch_task_for_pid` | `_task_for_pid` | Allow task_for_pid via upstream early `pid == 0` gate NOP | Y | | JB-23 | B | `patch_thid_should_crash` | `_thid_should_crash` | Prevent GUARD_TYPE_MACH_PORT crash | Y | | JB-24 | B | `patch_vm_fault_enter_prepare` | `_vm_fault_enter_prepare` | Force `cs_bypass` fast path in runtime fault validation | Y | | JB-25 | B | `patch_vm_map_protect` | `_vm_map_protect` | Skip upstream write-downgrade gate in `vm_map_protect` | Y | ## CFW Installation Patches ### Binary Patches Applied Over SSH Ramdisk | # | Patch | Binary | Purpose | Regular | Dev | JB | | --- | ------------------------- | ---------------------- | ------------------------------------------------------------- | :-----: | :-: | :-: | | 1 | `/%s.gl` -> `/AA.gl` | `seputil` | Gigalocker UUID fix | Y | Y | Y | | 2 | NOP cache validation | `launchd_cache_loader` | Allow modified `launchd.plist` | Y | Y | Y | | 3 | `mov x0,#1; ret` | `mobileactivationd` | Activation bypass | Y | Y | Y | | 4 | Plist injection | `launchd.plist` | bash/dropbear/trollvnc/vphoned daemons | Y | Y | Y | | 5 | `b` (skip jetsam guard) | `launchd` | Prevent jetsam panic on boot | - | Y | Y | | 6 | `LC_LOAD_DYLIB` injection | `launchd` | Load short alias `/b` (copy of `launchdhook.dylib`) at launch | - | - | Y | ### Installed Components | # | Component | Description | Regular | Dev | JB | | --- | -------------------------- | ------------------------------------------------------------------------------------------------------------------ | :-----: | :-: | :-: | | 1 | Cryptex SystemOS + AppOS | Decrypt AEA + mount + copy to device | Y | Y | Y | | 2 | GPU driver | AppleParavirtGPUMetalIOGPUFamily bundle | Y | Y | Y | | 3 | `iosbinpack64` | Jailbreak tools (base set) | Y | Y | Y | | 4 | `iosbinpack64` dev overlay | Replace `rpcserver_ios` with dev build | - | Y | - | | 5 | `vphoned` | vsock HID/control daemon (built + signed) | Y | Y | Y | | 6 | LaunchDaemons | bash/dropbear/trollvnc/rpcserver_ios/vphoned plists | Y | Y | Y | | 7 | Procursus bootstrap | Bootstrap filesystem + optional Sileo deb | - | - | Y | | 8 | BaseBin hooks | `systemhook.dylib` / `launchdhook.dylib` / `libellekit.dylib` -> `/cores/` plus `/b` alias for `launchdhook.dylib` | - | - | Y | ### CFW Installer Flow Matrix (Script-Level) | Flow Item | Regular (`cfw_install.sh`) | Dev (`cfw_install_dev.sh`) | JB (`cfw_install_jb.sh`) | | --------------------------------------------- | ------------------------------- | -------------------------- | --------------------------------------------- | | Base CFW phases (1/7 -> 7/7) | Runs directly | Runs directly | Runs via `CFW_SKIP_HALT=1 zsh cfw_install.sh` | | Dev overlay (`rpcserver_ios` replacement) | - | Y (`apply_dev_overlay`) | - | | SSH readiness wait before install | Y (`wait_for_device_ssh_ready`) | - | Y (inherited from base run) | | launchd jetsam patch (`patch-launchd-jetsam`) | - | Y (base-flow injection) | Y (JB-1) | | launchd dylib injection (`inject-dylib /b`) | - | - | Y (JB-1) | | Procursus bootstrap deployment | - | - | Y (JB-2) | | BaseBin hook deployment (`*.dylib` -> `/mnt1/cores`) | - | - | Y (JB-3) | | Additional input resources | `cfw_input` | `cfw_input` + `resources/cfw_dev/rpcserver_ios` | `cfw_input` + `cfw_jb_input` | | Extra tool requirement beyond base | - | - | `zstd` | | Halt behavior | Halts unless `CFW_SKIP_HALT=1` | Halts unless `CFW_SKIP_HALT=1` | Always halts after JB phases | ## Summary | Component | Regular | Dev | JB | | ------------------------ | ------: | --: | --: | | AVPBooter | 1 | 1 | 1 | | iBSS | 2 | 2 | 3 | | iBEC | 3 | 3 | 3 | | LLB | 6 | 6 | 6 | | TXM | 1 | 12 | 12 | | Kernel (base) | 28 | 28 | 28 | | Kernel (JB methods) | - | - | 59 | | Boot chain total | 41 | 52 | 112 | | CFW binary patches | 4 | 5 | 6 | | CFW installed components | 6 | 7 | 8 | | CFW total | 10 | 12 | 14 | | Grand total | 51 | 64 | 126 | ## Ramdisk Variant Matrix | Variant | Pre-step | `Ramdisk/txm.img4` | `Ramdisk/krnl.ramdisk.img4` | `Ramdisk/krnl.img4` | Effective kernel used by `ramdisk_send.sh` | | ------------- | ------------------- | -------------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------- | --------------------------------------------------- | | `RAMDISK` | `make fw_patch` | release TXM + base TXM patch (1) | base kernel (28), legacy `*.ramdisk` preferred else derive from pristine CloudOS | restore kernel from `fw_patch` (28) | `krnl.ramdisk.img4` preferred, fallback `krnl.img4` | | `DEV+RAMDISK` | `make fw_patch_dev` | release TXM + base TXM patch (1) | base kernel (28), same derivation rule | restore kernel from `fw_patch_dev` (28) | `krnl.ramdisk.img4` preferred, fallback `krnl.img4` | | `JB+RAMDISK` | `make fw_patch_jb` | release TXM + base TXM patch (1) | base kernel (28), same derivation rule | restore kernel from `fw_patch_jb` (28+59) | `krnl.ramdisk.img4` preferred, fallback `krnl.img4` | ## Cross-Version Dynamic Snapshot | Case | TXM_JB_PATCHES | KERNEL_JB_PATCHES | | ------------------- | -------------: | ----------------: | | PCC 26.1 (`23B85`) | 14 | 59 | | PCC 26.3 (`23D128`) | 14 | 59 | | iOS 26.1 (`23B85`) | 14 | 59 | | iOS 26.3 (`23D127`) | 14 | 59 | ## Automation Notes (2026-03-06) - `scripts/setup_machine.sh` non-interactive flow fix: renamed local variable `status` to `boot_state` in first-boot log wait and boot-analysis wait helpers to avoid zsh `status` read-only special parameter collision. - `scripts/setup_machine.sh` non-interactive first-boot wait fix: replaced `(( waited++ ))` with `(( ++waited ))` in `monitor_boot_log_until` to avoid `set -e` abort when arithmetic expression evaluates to `0`. - `scripts/jb_patch_autotest.sh` loop fix for sweep stability under `set -e`: replaced `((idx++))` with `(( ++idx ))`. - `scripts/jb_patch_autotest.sh` zsh compatibility fix: renamed per-case result variable `status` to `case_status` to avoid `status` read-only special parameter collision. - `scripts/jb_patch_autotest.sh` selection logic update: - default run now excludes methods listed in `KernelJBPatcher._DEV_SINGLE_WORKING_METHODS` (pending-only sweep). - set `JB_AUTOTEST_INCLUDE_WORKING=1` to include already-working methods and run the full list. - Sweep run record: - `setup_logs/jb_patch_tests_20260306_114417` (2026-03-06): aborted at `[1/20]` with `read-only variable: status` in `jb_patch_autotest.sh`. - `setup_logs/jb_patch_tests_20260306_115027` (2026-03-06): rerun after `status` fix, pending-only mode (`Total methods: 19`). - Final run result from `jb_patch_tests_20260306_115027` at `2026-03-06 13:17`: - Finished: 19/19 (`PASS=15`, `FAIL=4`, all fails `rc=2`). - Failing methods at that time: `patch_bsd_init_auth`, `patch_io_secure_bsd_root`, `patch_vm_fault_enter_prepare`, `patch_cred_label_update_execve`. - 2026-03-06 follow-up: `patch_io_secure_bsd_root` failure is now attributed to a wrong-site patch in `AppleARMPE::callPlatformFunction` (`"SecureRoot"` gate at `0xFFFFFE000836E1F0`), not the intended `"SecureRootName"` deny-return path. The code was retargeted the same day to `0xFFFFFE000836E464` and re-enabled for the next restore/boot check. - 2026-03-06 follow-up: `patch_bsd_init_auth` was retargeted after confirming the old matcher was hitting unrelated code; keep disabled in default schedule until a fresh clean-baseline boot test passes. - Final case: `[19/19] patch_syscallmask_apply_to_proc` (`PASS`). - 2026-03-06 re-analysis: that historical `PASS` is now treated as a false positive for functionality, because the recorded bytes landed at `0xfffffe00093ae6e4`/`0xfffffe00093ae6e8` inside `_profile_syscallmask_destroy` underflow handling, not in `_proc_apply_syscall_masks`. - 2026-03-06 code update: `scripts/patchers/kernel_jb_patch_syscallmask.py` was rebuilt to target the real syscallmask apply wrapper structurally and now dry-runs on `PCC-CloudOS-26.1-23B85 kernelcache.research.vphone600` with 3 writes: `0x02395530`, `0x023955E8`, and cave `0x00AB1720`. User-side boot validation succeeded the same day. - 2026-03-06 follow-up: `patch_kcall10` was rebuilt from the old ABI-unsafe pseudo-10-arg design into an ABI-correct `sysent[439]` cave. Focused dry-run on `PCC-CloudOS-26.1-23B85 kernelcache.research.vphone600` now emits 4 writes: cave `0x00AB1720`, `sy_call` `0x0073E180`, `sy_arg_munge32` `0x0073E188`, and metadata `0x0073E190`; the method was re-enabled in `_GROUP_C_METHODS`. - Observed failure symptom in current failing set: first boot panic before command injection (or boot process early exit). - Post-run schedule change (per user request): - commented out failing methods from default `KernelJBPatcher._PATCH_METHODS` schedule in `scripts/patchers/kernel_jb.py`: - `patch_bsd_init_auth` - `patch_io_secure_bsd_root` - `patch_vm_fault_enter_prepare` - `patch_cred_label_update_execve` - 2026-03-06 re-research note for `patch_cred_label_update_execve`: - old entry-time early-return strategy was identified as boot-unsafe because it skipped AMFI exec-time `csflags` and entitlement propagation entirely. - implementation was reworked to a success-tail trampoline that preserves normal AMFI processing and only clears restrictive `csflags` bits on the success path. - default JB schedule still keeps the method disabled until the reworked strategy is boot-validated. - Manual DEV+single (`setup_machine` + `PATCH=`) working set now includes: - `patch_amfi_cdhash_in_trustcache` - `patch_amfi_execve_kill_path` - `patch_task_conversion_eval_internal` - `patch_sandbox_hooks_extended` - `patch_post_validation_additional` - 2026-03-07 host-side note: - reviewed private Virtualization.framework display APIs against the recorder pipeline in `sources/vphone-cli/VPhoneScreenRecorder.swift`. - replaced the old AppKit-first recorder path with a private-display-only implementation built around hidden `VZGraphicsDisplay._takeScreenshotWithCompletionHandler:` capture. - added still screenshot actions that can copy the captured image to the pasteboard or save a PNG to disk using the same private capture path. - `make build` is used as the sanity check path; live VM validation is still needed to confirm the exact screenshot object type returned on macOS 15.