
CyberKit Injection

UInt2048 edited this page Oct 21, 2024 · 6 revisions

Beginning in CyberKit 0.0.9 nightly, CyberKit is a drop-in replacement for WebKit (as described in #30), so special builds of browsers are not necessary to use it.

This tutorial shows how to take a browser built against WebKit (such as every browser on the App Store before iOS 17.4) and inject CyberKit into it, both so that such browsers can be ported and to document how the process works.

If you're on macOS, Tools/Scripts/fakesign/script_fakesigner.sh automates this process; the script is self-documenting.

To use this tutorial, you will need the built-in macOS commands ar, otool, and install_name_tool, as well as the Homebrew package ldid. I believe the Arch Linux packages ar, llvm-otool, llvm-install-name-tool, and ldid will also work.

First, we need to get the CyberKit frameworks:

  1. You need to find the .app of MobileMiniBrowser for your iOS version.
    • From a rootful .deb file, you can use ar -x followed by the path to the DEB to get the archives (warning: extracts to current directory), and then extract the archive called data, usually data.tar.xz, and you can find the .app in Applications.
    • From a TrollStore IPA file, you can simply change the extension to zip and unzip it, and you can find the .app in Payload.
  2. While this bundle may appear to be a file on macOS, it's really a directory. Right click and select Show Package Contents to open it.
  3. Open Frameworks, and copy everything except MobileMiniBrowser.framework.

Next, we need to correct the dependencies of the app's executable and existing frameworks:

  1. You'll need an IPA of the browser. See this tutorial if you don't know how to do this: https://www.reddit.com/r/LegacyJailbreak/wiki/guides/crackingapps#wiki_ios_11-15_instructions. In this case, I used Firefox 131.4, decrypted on iOS 16.2.
  2. Rename the extension of the IPA to zip, and open the .app directory inside Payload.
  3. Find the executable (same name as the .app directory but with no extension). From this point on, I will assume its path is stored in $bin. You can set this variable by running, for instance, bin=./Client.
  4. In Terminal, run otool -l $bin | grep /System/Library. This lists the paths of every system framework the app links against.
  5. In my case, we have one dependency (WebKit.framework) from the list in #30 that must be corrected. Run install_name_tool -change /System/Library/Frameworks/WebKit.framework/WebKit @rpath/WebKit.framework/WebKit $bin.
  6. Fakesign by running the following (replace ./script_fakesigner.entitlements with a path to /Tools/Scripts/script_fakesigner.entitlements):
    # Static entitlements shipped with the repository, cut just before their closing </dict>
    static_ents=$(<./script_fakesigner.entitlements)
    static_ents=${static_ents%\<\/dict\>*}
    # The app's existing entitlements, keeping only what is inside the top-level <dict>
    existing_ents=$(ldid -e "$bin")
    existing_ents=${existing_ents#*\<dict\>}
    existing_ents=${existing_ents%\<\/dict\>*}
    # Write the merged plist (quoted, so whitespace and XML survive unchanged), sign with it, then discard it
    new_ents=bin.entitlements
    printf '%s\n</dict>\n</plist>\n' "${static_ents}${existing_ents}" > "$new_ents"
    ldid -S"$new_ents" "$bin"
    rm "$new_ents"
  7. In the Frameworks directory, repeat steps 3-6 for each framework, except the .framework directory is the equivalent of the .app directory. It may be the case that there are many frameworks without any dependencies to change. For Firefox 131.4, only Shared.framework needed to be changed.
  8. Finally, while in the Frameworks directory, paste all the copied frameworks here.
  9. Now, simply re-compress the .app directory into a DEB or TrollStore IPA file.
    • For a TrollStore IPA, go out to the directory containing the Payload directory of the browser (this must be called Payload) and run zip -r -y "IPA.tipa" Payload (you can replace IPA with the desired name of your IPA file).
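
As an added example (not the repository's script_fakesigner.sh), here is the entitlement merge from step 6 written as shell functions, with a check for duplicate entitlement keys before ldid signs anything. The function names are mine, and the code assumes the static file is an XML plist whose top-level <dict> is closed by a literal </dict> and that ldid -e prints the binary's current entitlements plist (nothing if it has none).

```shell
#!/bin/sh
# Added example, not the repository's script_fakesigner.sh: the entitlement merge
# from step 6 as functions, plus a duplicate-key check before ldid signs anything.
# Assumptions: the static file is an XML plist whose top-level <dict> is closed by
# a literal </dict>, and `ldid -e BIN` prints the binary's current entitlements
# plist (nothing at all if the binary carries no entitlements).

# merge_entitlements STATIC_PLIST_TEXT EXISTING_PLIST_TEXT
# Prints one plist: the static plist up to its </dict>, then the existing
# <dict> contents, then the closing tags (same layout the tutorial's echo builds).
merge_entitlements() {
    prefix=${1%'</dict>'*}               # everything before the static </dict>
    case $2 in
        *'<dict>'*'</dict>'*)
            inner=${2#*'<dict>'}         # drop the XML header and opening <dict>
            inner=${inner%'</dict>'*}    # drop the closing </dict> and </plist>
            ;;
        *) inner='' ;;                   # no entitlements, or a self-closing <dict/>
    esac
    printf '%s%s</dict>\n</plist>\n' "$prefix" "$inner"
}

# duplicate_keys PLIST_TEXT
# Prints every <key> that occurs more than once; empty output means no clash
# between the static entitlements and the ones the app already had.
duplicate_keys() {
    printf '%s\n' "$1" | grep -o '<key>[^<]*</key>' | sort | uniq -d
}

# fakesign_with_entitlements STATIC_FILE BIN
# The tutorial's step 6: merge, stop on duplicate keys, then ldid -S with the result.
fakesign_with_entitlements() {
    merged=$(merge_entitlements "$(cat "$1")" "$(ldid -e "$2")") || return 1
    dups=$(duplicate_keys "$merged")
    if [ -n "$dups" ]; then
        printf 'not signing %s: duplicate entitlement keys\n%s\n' "$2" "$dups" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$merged" > "$tmp"
    ldid -S"$tmp" "$2"
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

Call it as fakesign_with_entitlements ./script_fakesigner.entitlements "$bin" with ldid on PATH; it refuses to sign when the two entitlement sets share a key, since a plist with a key defined twice is ambiguous.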

Note: This tutorial does not change the bundle identifier of the app. Bundle identifiers must be unique, so you will need to uninstall the original app if you do not change it.
