It was only last week that we shared the incredible news that ElleKit tweak injection developer @eveiynee had successfully achieved true SpringBoard tweak injection using the kernel file descriptor (kfd) exploit and the CoreTrust bug harnessed by TrollStore.
But this week, the same developer took to X (formerly Twitter) to share how they’ve nearly completed tweak injection support for iOS & iPadOS 17.0.
Citing the post, completing iOS & iPadOS 17.0 tweak injection will necessitate a userspace PAC bypass (which the developer claims will be easy), along with an anticipated kernel exploit that Google Project Zero is expected to publish a writeup about in the near future.
Thanks to recent advancements in bootstrap software, this tweak injection method doesn’t require a jailbreak to use and certain jailbreak tweaks can now be installed to run and affect both apps and SpringBoard using only a kernel exploit and the CoreTrust bug (supporting up to iOS & iPadOS 17.0).
SpringBoard support is particularly important, as up until only recently, it was only possible to inject tweaks into apps using the CoreTrust bug.
It’s worth noting that while a Secure Page Table Monitor (SPTM) bypass would be required to make a jailbreak for iOS & iPadOS 17, a SPTM bypass isn’t required to run tweak injection using @eveiyneee’s method via the CoreTrust 2 bug, but tweak support will be more limited than with a full-fledged jailbreak.
A word of caution, however, is that it remains unknown exactly how safe it is to deploy tweak injection on a non-jailbroken device. Some developers, including Dopamine and TrollStore developer Lars Fröder (@opa334dev) have suggested that users run the risk of boot-looping their device when using these bootstraps.
It remains to be seen what kind of boot loop-mitigating features that these bootstrap and tweak injection developers are building into their platforms, but given the risks associated with boot loops, it’s generally advisable to heed these warnings until these worries can be cast aside.
In any case, it’s still particularly fascinating to see the kinds of proof-of-concepts we’re witnessing, as it exposes just how powerful the CoreTrust bug truly is outside of traditional perma-signing uses.
Are you excited to see where this train takes us? Let us know in the comments section down below.