Dyld Patching - falchion10/macOS-Jailbreak GitHub Wiki

The sources for dyld patches are:

Dopamine's Patch

palera1n's DYLD_IN_CACHE Patch (for macOS 15.3.2 and below)

palera1n's DYLD_IN_CACHE Patch (for macOS 15.4 - 15.6, and macOS 26)

We will now begin patching dyld. To stay organized, keep these files in a separate working directory:

mkdir -p ~/Jailbreak/DPatch && cd ~/Jailbreak/DPatch

Copy dyld into our workspace and create a backup:

cp -v /usr/lib/dyld ./dyld && cp -v dyld dyld.backup

Dopamine's dyld Patch

You'll need a reverse engineering tool for these next patches. I personally use Binary Ninja, but you can use something like IDA Pro as well. I know you need the paid version of Binary Ninja to open arm64e slices; I'm not sure about IDA Pro. Get it however you like, whether you pay for it or acquire it through other means I won't get into here.

Open dyld in Binary Ninja, making sure to select the arm64e slice, then go to the symbol for the Dopamine patch (if you can't find the mangled symbol, try searching for the demangled one) and patch it as follows:

Dopamine Symbol:

__ZN5dyld413ProcessConfig8Security7getAMFIERKNS0_7ProcessERNS_15SyscallDelegateE

Demangled Symbol:

dyld4::ProcessConfig::Security::getAMFI(dyld4::ProcessConfig::Process const&, dyld4::SyscallDelegate&)

After finding the symbol, right-click it, select Patch, then Assemble, paste in this code and press return:

mov x0, 0xdf; ret

With this in place getAMFI returns the constant 0xdf in x0 regardless of the process's actual AMFI state (Binja assembles the mov as movz x0, #0xdf, followed by ret).

palera1n's dyld Patches

There are different patches for different macOS versions. Skip to the section for your macOS version using the sidebar.

15.3.2 and below

Search for DYLD_IN_CACHE with Find Type set to Text (Disassembly).

Then follow the cross reference to the code that uses the string (the Cross References pane is at the bottom left of Binja by default).

Find this pattern:

00005ee4  e00316aa   mov     x0, x22
00005ee8  7a0c0094   bl      dyld4::KernelArgs::findEnvp
00005eec  610300d0   adrp    x1, 0x73000
00005ef0  212c0091   add     x1, x1, #0xb  {data_7300b, "DYLD_IN_CACHE"}
00005ef4  a1fbff97   bl      __simple_getenv
00005ef8  a00000b4   cbz     x0, 0x5f0c

00005efc  610300d0   adrp    x1, 0x73000
00005f00  21640091   add     x1, x1, #0x19  {data_73019}
00005f04  a3f2ff97   bl      __platform_strcmp
00005f08  a0010034   cbz     w0, 0x5f3c

palera1n expresses the change as two writes into that instruction stream, with stream[0] being the mov x0, x22 at the start of the pattern:

stream[5] = 0xd503201f; /* nop */
stream[8] = 0x52800000; /* mov w0, #0 */

In other words, the 6th line (cbz x0, 0x5f0c) becomes nop and the 9th line (bl __platform_strcmp) becomes mov w0, #0. In Binja, use Patch then Convert To NOP for the first, and Patch then Assemble for the second, as with the Dopamine patch.

The nop removes the "variable not set" check after __simple_getenv, and the mov w0, #0 stands in for a strcmp result of 0 (a match), so the cbz w0, 0x5f3c at the end of the pattern is always taken: dyld behaves as if DYLD_IN_CACHE were set to the string at data_73019, whatever the real environment says. Save changes with cmd+s

15.4 - 15.6

Search for DYLD_IN_CACHE with Find Type set to Text (Disassembly).

Then follow the cross reference to the code that uses the string (the Cross References pane is at the bottom left of Binja by default).

Find this pattern:

00006488  e00400f0   adrp    x0, 0xa5000
0000648c  00203c91   add     x0, x0, #0xf08  {dyld4::sSyscallDelegate}
00006490  aea60094   bl      dyld4::SyscallDelegate::internalInstall <-- 🚩 keep note of 00006490 (0x6490)
00006494  e0000034   cbz     w0, 0x64b0

00006498  a0035bf8   ldur    x0, [x29, #-0x50 {var_60}]
0000649c  a50b0094   bl      dyld4::KernelArgs::findEnvp
000064a0  21040090   adrp    x1, 0x8a000
000064a4  21182c91   add     x1, x1, #0xb06  {data_8ab06, "DYLD_IN_CACHE"}
000064a8  58f9ff97   bl      __simple_getenv
000064ac  c01500b5   cbnz    x0, 0x6764

000064b0  d61c0034   cbz     w22, 0x6848

Keep note of the branch target of the cbz w22 at the end of the pattern (0x6848 here), not the address of the cbz itself.

That target is where the bl dyld4::SyscallDelegate::internalInstall needs to jump instead. Essentially what we'll be doing is replacing bl dyld4::SyscallDelegate::internalInstall with b 0x6848, so dyld goes straight to the code at 0x6848 and skips both the internalInstall check and the DYLD_IN_CACHE lookup.

Binja's assembler takes the branch as a relative offset, so subtract the address of the bl from the target: 0x6848 - 0x6490 = 0x3b8, which is 952 in decimal (the number of bytes forward).

Next, right-click bl dyld4::SyscallDelegate::internalInstall, then select Patch, then Assemble.

Type b .+952, or whatever your decimal number is; it will be different depending on the OS version. This one was done with macOS 15.5.

To check the result, the patched word should read 0x140000ee (bytes ee 00 00 14 in the hex view): the b opcode 0x14000000 plus the distance in instructions, 952 / 4 = 238 = 0xee. If the disassembly shows a target other than 0x6848, the offset was mistyped.

Save changes with cmd+s

26.0 and above

Search for DYLD_IN_CACHE with Find Type set to Text (Disassembly).

Then follow the cross reference to the code that uses the string (the Cross References pane is at the bottom left of Binja by default).

Find this pattern:

00008118  00050090   adrp    x0, 0xa8000
0000811c  00201191   add     x0, x0, #0x448  {dyld4::sSyscallDelegate}
00008120  0ba80094   bl      dyld4::SyscallDelegate::internalInstall <-- 🚩 keep note of 00008120 (0x8120)
00008124  e0000034   cbz     w0, 0x8140

00008128  a0035af8   ldur    x0, [x29, #-0x60 {var_70}]
0000812c  650c0094   bl      dyld4::KernelArgs::findEnvp
00008130  21040090   adrp    x1, 0x8c000
00008134  21d83291   add     x1, x1, #0xcb6  {data_8ccb6, "DYLD_IN_CACHE"}
00008138  a4f2ff97   bl      __simple_getenv
0000813c  600000b5   cbnz    x0, 0x8148

00008140  16030035   cbnz    w22, 0x81a0

00008144  f0000014   b       0x8504

00008148  08004039   ldrb    w8, [x0]
0000814c  1fc50071   cmp     w8, #0x31
00008150  e0010054   b.eq    0x818c

00008154  1fc10071   cmp     w8, #0x30
00008158  61000054   b.ne    0x8164

0000815c  08044039   ldrb    w8, [x0, #0x1]
00008160  281d0034   cbz     w8, 0x8504

Keep note of the branch target of the cbz w8 that follows the cmp, b.eq, cmp, b.ne and ldrb (0x8504 here), not the address of the cbz itself. The unconditional b at 0x8144 jumps to the same place.

That target is where the bl dyld4::SyscallDelegate::internalInstall needs to jump instead. Essentially what we'll be doing is replacing bl dyld4::SyscallDelegate::internalInstall with b 0x8504, so dyld goes straight to the code at 0x8504 and skips the internalInstall check, the DYLD_IN_CACHE lookup and the "0"/"1" value checks that follow it.

Binja's assembler takes the branch as a relative offset, so subtract the address of the bl from the target: 0x8504 - 0x8120 = 0x3e4, which is 996 in decimal (the number of bytes forward).

Next, right-click bl dyld4::SyscallDelegate::internalInstall, then select Patch, then Assemble.

Type b .+996, or whatever your decimal number is; it will be different depending on the OS version. This one was done with macOS 26.0b3.

To check the result, the patched word should read 0x140000f9 (bytes f9 00 00 14 in the hex view): the b opcode 0x14000000 plus 996 / 4 = 249 = 0xf9. The existing b 0x8504 at 0x8144 in the listing is encoded the same way, f0000014, i.e. 0x14000000 plus (0x8504 - 0x8144) / 4 = 0xf0, so you can compare against it.

Save changes with cmd+s
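The branch and immediate encodings used in the palera1n sections (and the mov x0, 0xdf; ret of the Dopamine patch) can be worked out and checked outside Binja. The following is an added example, not code from the wiki, palera1n or Dopamine: it encodes the instruction words, finds the arm64e slice in the fat dyld, refuses to overwrite bytes that do not match the listing, and reports which words differ from the backup so you can confirm only the intended instructions changed before the ldid step. It assumes the listed addresses are offsets into the slice, which holds for dyld's __TEXT (file offset 0, vmaddr 0), and it does not resolve symbols, so the Dopamine address still comes from Binja. The sample input is a constructed stand-in, not the real file.

```python
# Added example (not from the wiki, palera1n or Dopamine): helpers for the
# dyld patches described above. Assumption (hypothetical): the addresses in
# the Binja listings are offsets into the arm64e slice, true for dyld's __TEXT.
import struct

CPU_TYPE_ARM64 = 0x0100000C
CPU_SUBTYPE_ARM64E = 2
CPU_SUBTYPE_MASK = 0x00FFFFFF      # high byte carries ptrauth ABI caps; ignore it
FAT_MAGIC = 0xCAFEBABE

NOP = 0xD503201F                   # the d503201f written in the 15.3.2 patch
RET = 0xD65F03C0


def encode_b(from_addr, to_addr):
    """Word for an unconditional `b to_addr` placed at from_addr (what `b .+N` assembles to)."""
    delta = to_addr - from_addr
    if delta % 4:
        raise ValueError("branch target must be 4-byte aligned")
    words = delta // 4
    if not -(1 << 25) <= words < (1 << 25):
        raise ValueError("target out of range for b (+/-128 MiB)")
    return 0x14000000 | (words & 0x03FFFFFF)


def encode_movz(rd, imm16, is64=False):
    """`movz wN/xN, #imm16` with no shift: mov w0, #0 and mov x0, #0xdf are both this form."""
    if not (0 <= rd <= 31 and 0 <= imm16 <= 0xFFFF):
        raise ValueError("bad movz operands")
    return (0xD2800000 if is64 else 0x52800000) | (imm16 << 5) | rd


def find_arm64e_slice(data):
    """Return (file_offset, size) of the arm64e slice of a universal binary (32-bit fat header)."""
    magic, nfat = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a FAT_MAGIC universal binary")
    for i in range(nfat):
        cputype, cpusubtype, off, size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
        if cputype == CPU_TYPE_ARM64 and (cpusubtype & CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E:
            return off, size
    raise ValueError("no arm64e slice found")


def patch_words(data, slice_off, patches):
    """Apply (offset_in_slice, expected_word, new_word) triples; refuse if the bytes differ."""
    out = bytearray(data)
    for off, expected, new in patches:
        pos = slice_off + off
        cur = struct.unpack_from("<I", out, pos)[0]
        if cur != expected:
            raise ValueError(f"{off:#x}: found {cur:#010x}, expected {expected:#010x}")
        struct.pack_into("<I", out, pos, new)
    return bytes(out)


def changed_words(original, patched):
    """File offsets of 4-byte words that differ; run on dyld.backup vs dyld before ldid."""
    if len(original) != len(patched):
        raise ValueError("sizes differ")
    return [i for i in range(0, len(original), 4) if original[i:i + 4] != patched[i:i + 4]]


def build_sample():
    """Constructed stand-in for the real file (not a dump of dyld): one arm64e slice with
    the two 15.5 words from the listing at their listed offsets, everything else zero."""
    body = bytearray(0x6900)
    struct.pack_into("<I", body, 0x6490, 0x9400A6AE)   # bl dyld4::SyscallDelegate::internalInstall
    struct.pack_into("<I", body, 0x64B0, 0x34001CD6)   # cbz w22, 0x6848
    header = struct.pack(">II", FAT_MAGIC, 1)
    header += struct.pack(">IIIII", CPU_TYPE_ARM64, 0x80000002, 0x4000, len(body), 14)
    return header.ljust(0x4000, b"\0") + bytes(body)


def apply_15_5_patch(fat):
    """Replace the bl at 0x6490 with b 0x6848; return (new word there, changed file offsets)."""
    off, _size = find_arm64e_slice(fat)
    patched = patch_words(fat, off, [(0x6490, 0x9400A6AE, encode_b(0x6490, 0x6848))])
    return struct.unpack_from("<I", patched, off + 0x6490)[0], changed_words(fat, patched)
```

For the real file, read dyld.backup, pass it through find_arm64e_slice and patch_words with the words from your own listing, and compare the result against your Binja output with changed_words: the list should contain exactly the offsets you patched and nothing else, since ldid has not yet touched the signature.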

Installing ldid

From Homebrew

brew install ldid-procursus

From Procursus

First install zstd from Homebrew:

brew install zstd

Then download the Procursus bootstrap:

curl -L https://apt.procurs.us/bootstraps/big_sur/bootstrap-darwin-arm64.tar.zst -o bootstrap.tar.zst

Run these commands to install Procursus, along with ldid:

zstd -d bootstrap.tar.zst
sudo tar -xpkf bootstrap.tar -C /
echo 'PATH="/opt/procursus/bin:/opt/procursus/sbin:/opt/procursus/games:$PATH"
CPATH="$CPATH:/opt/procursus/include"
LIBRARY_PATH="$LIBRARY_PATH:/opt/procursus/lib"' >> ~/.zshrc
source ~/.zshrc
sudo apt update
sudo apt full-upgrade
sudo apt install ldid

Using ldid on dyld

First, remount / read-write and back up the installed dyld:

sudo mount -uw /
sudo cp -v /usr/lib/dyld /usr/lib/dyld.backup

Now that ldid is installed, pseudo-sign the patched copy (run this in ~/Jailbreak/DPatch, where the patched dyld lives):

ldid -S dyld -Icom.apple.darwin.ignition

Run this command to replace dyld. Every process on the system will be killed once it runs, so force-restart afterwards by holding the power button:

sudo cp -v dyld /usr/lib/dyld