LiveContainer

Run unsigned iOS app without actually installing it!

• Allows you to install unlimited apps (10 apps limit of free developer account do not apply here!)
• Codesigning is entirely bypassed (requires JIT), no need to sign your apps before installing.

Compatibility

Unfortunately, not all apps work in LiveContainer, so we have a compatibility list to tell if there is apps that have issues. If they aren't on this list, then it's likely going run. However, if it doesn't work, please make an issue about it.

Building

export THEOS=/path/to/theos
git submodule init
git submodule update
make package

Usage

Requires SideStore; AltStore does not work because it expects the app opened before enabling JIT.

• Build from source or get prebuilt ipa in the Actions tab
• Open LiveContainer, tap the plus icon in the upper right hand corner and select IPA files to install.
• Choose the app you want to open in the next launch.
• Tap the play icon, it will jump to SideStore and exit.
• In SideStore, hold down LiveContainer and tap Enable JIT. If you have SideStore build supporting JIT URL scheme, it jumps back to LiveContainer with JIT enabled and the guest app is ready to use.

Installing external tweaks

This feature is currently incomplete so you'll have to do the following manually.

• Create your tweak folder at LiveContainer/Tweaks/<YourTweakBundleName>.
• Download CydiaSubstrate.framework (you can get it from tweaked apps, this will be bundled into LiveContainer later) and place it into the tweak folder.
• For each tweak, you need to fix the CydiaSubstrate rpath to point to @loader_path/CydiaSubstrate.framework/CydiaSubstrate using install_name_tool.
• Put your patched tweaks into the tweak folder.
• In the app picker screen, hold the app entry to change the tweak folder.

How does it work?

Patching guest executable

• Patch __PAGEZERO segment:
  • Change vmaddr to 0xFFFFC000 (0x100000000 - 0x4000)
  • Change vmsize to 0x4000
• Change MH_EXECUTE to MH_DYLIB.
• Inject a load command to load TweakLoader.dylib

Patching @executable_path

• Call _NSGetExecutablePath with an invalid buffer pointer input -> SIGSEGV
• Do some magic stuff to overwrite the contents of executable_path.

Patching NSBundle.mainBundle

• This property is overwritten with the guest app's bundle.

Bypassing Library Validation

• Derived from Restoring Dyld Memory Loading
• JIT is required to bypass codesigning.

dlopening the executable

• Call dlopen with the guest app's executable
• TweakLoader loads all tweaks in the selected folder
• Find the entry point
• Jump to the entry point
• The guest app's entry point calls UIApplicationMain and start up like any other iOS apps.

Limitations

• Entitlements from the guest app are not applied to the host app. This isn't a big deal since sideloaded apps requires only basic entitlements.
• App Permissions are globally applied.
• Guest app containers are not sandboxed. This means one guest app can access other guest apps' data.
• arm64e executable is untested. It is recommended to use arm64 binary.
• Only one guest app can run at a time. This is much more like 3 apps limit where you have to disable an app to run another (switching between app in LiveContainer is instant).
• Remote push notification might not work. If you have a paid developer account then you don't even have to use LiveContainer
• Querying custom URL schemes might not work(?)

TODO

• Auto lock orientation
• Simulate App Group(?)
• More(?)

License

Apache License 2.0

Credits

• xpn's blogpost: Restoring Dyld Memory Loading
• LinusHenze's CFastFind: MIT license
• fishhook: BSD 3-Clause license
• MBRoundProgressView
• @haxi0 for icon