To prevent being spammed and nagged by application updates that you do not want:

1. SSH to your device, as in open a Terminal and type: ssh root@IP_OF_IDEVICE and enter your password. If you have not set a password yet, the default password will be alpine.
2. Perform the following commands to find the application directory for which you want to remove update notifications:

cd /var/mobile/Applications && find . -name Cool*

where Cool would be the first few letters of the application (the search is case-sensitive). Then, change to the application directory and move the iTunesMetadata.plist out of the way. As an example:

cd /var/mobile/Applications/08392C1B-656F-46E1-9F7F-C685F9D001C0/
mv iTunesMetadata.plist iTunesMetadata.plist.null

Done. You will not receive any more updates from AppStore for that application. To start receiving update notifications, move the file back:

cd /var/mobile/Applications/08392C1B-656F-46E1-9F7F-C685F9D001C0/
mv iTunesMetadata.plist.null iTunesMetadata.plist

If Apple trapped you on an iPad1, so that upgrading to their newest operating system 5.x makes you run out of RAM and you are also aware that you will be unable to update to iOS6, then you may want to consider turning off multitasking on iOS4 in order to speed it up to something useful. This will also get rid of crashes when switching applications on iOS 4.2.1.

Even if you leave the multitasking turned on, your applications are not running concurrently (perhaps for a few seconds before the scheduler considers them stale) and that is probably one of the reasons why applications such as Backgrounder were created in order to add multitasking. From that point of view, except the quick-switch on the bottom bar, which you could replace if you gather your applications tidily in folders, there is no reason for having the redundant switchboard. All applications that are meant to notify you of events are sending you push notifications regardless whether they are "on" or "suspended".

Multitasking in iOS is not really what you would expect. If you look at your switchboard (the one under the dock which you bring up by double pressing the home button, or with gestures in iO4.3), those applications are NOT really running. Apple introduced something called "Nitro" in iOS versions starting iOS4 (3?) which is really a loading time optimizer. When you press the home button (or use gestures) to "background" an application, the operating system set the application in a suspended state. If you ever owned a laptop, you may remember the "suspend" and "hibernate" features that set your laptop to sleep. Apple has implemented the same thing at the level of applications - for example, let us say that you could suspend a game. The game will not be running actively, but all the memory will be cached to a state-file so that when you resume the game it will start-up immediately. The same idea can be observed on Virtual Machines as snapshots.

In practice however, Nitro does not offer performance, contrary to the misleading name - it just decreases the loading time when you have started an application, switched to a different one and then you switch back to the previous application. In fact, given low memory, Nitro chokes the memory to bits by caching state in RAM - something that you can (and should) avoid altogether.

• You need to OpenSSH installed and nano from Cydia in order to log on to your device and edit files.
• cd to /System/Library/CoreServices/SpringBoard.app and locate your device-specific file using:

find . -regextype egrep -regex './[A-Z1-9]+\.plist'

it should show you a file that would look like:

./K59CP.plist

but with different letters. Open that file using nano, by typing:

nano /System/Library/CoreServices/SpringBoard.app/K59CP.plist

and change the lines:

		<key>multitasking</key>
		<true/>

to

		<key>multitasking</key>
		<false/>

in order to disable multitasking. After that, restart your device and your switchboard will be gone.

You can access your iDevice using the OSX ScreenSharing client by:

• Setting a Veency password.
• Configuring the ScreenSharing client:

Other settings are possible as well. The most important point is to set a password for Veency in order to be able to connect.

All camera photos are available at:

/private/var/mobile/Media/DCIM/100APPLE/

If you have Samba installed from Cydia, you can create a share that points directly to that folder. However they will not show up immediately in the Photos applications. You will need to wipe the cache using:

rm -rf /private/var/mobile/Media/PhotoData/{Photos.sqlite,PhotosAux.sqlite,MISC,Caches,Thumbnails}

after which Photos.app should reload all the photos stored in the camera roll.

Suppose we have the following start of a plist xml file called preferences.plist:

<dict>
  <key>CurrentSet</key>
	<string>/Sets/045489D0-E273-11E1-9D1F-63E47A24B5DC</string>
	<key>NetworkServices</key>
	<dict>
		<key>0D1E9088-E273-11E1-91DB-7BC308E606D8</key>
		<dict>
			<key>DNS</key>
			<dict/>
			<key>IPSec</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>

And we want to obtain the AuthenticationMethod value:

plutil -key NetworkServices -key 0D1E9088-E273-11E1-91DB-7BC308E606D8 -key IPSec -key AuthenticationMethod preferences.plist

Output:

SharedSecret

We can also set the key value by adding the -value keyword:

plutil -key NetworkServices -key 0D1E9088-E273-11E1-91DB-7BC308E606D8 -key IPSec -key AuthenticationMethod -value NoMethod preferences.plist

Status bar icons are composed of two images, a small and a large image. The @2x must be appended to the file name indicating a larger icon:

Icon.png:

PNG image, 14 x 20, 8-bit/color RGBA, non-interlaced

Icon@2x.png:

PNG image, 27 x 40, 8-bit/color RGBA, non-interlaced

The usual way to install Samba on iOS is to get both the Samba Core and the Samba package. The latter offers a way to switch samba on and off but this can be done using launchd's inetd features. The advantage is that the smbd and nmbd processes will not be loaded permanently into memory but rather on-demand whenever the TCP 139 respectively UDP 137 port is hit. For that, we create two plist files in /Library/LaunchDaemons for smbd and nmbd.

org.samba.smbd.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
 
<dict>
    <key>Label</key>
    <string>org.samba.smbd</string>
 
    <key>Program</key>
    <string>/usr/sbin/smbd</string>
 
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockProtocol</key>
            <string>TCP</string>
            <key>SockFamily</key>
            <string>IPv4</string>
            <key>SockType</key>
            <string>stream</string>
            <key>SockServiceName</key>
            <string>netbios-ssn</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
      <key>Wait</key>
      <false/>
    </dict>
</dict>
 
</plist>

org.samba.nmbd.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
 
<dict>
    <key>Label</key>
    <string>org.samba.nmbd</string>
 
    <key>Program</key>
    <string>/usr/sbin/nmbd</string>
 
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockProtocol</key>
            <string>UDP</string>
            <key>SockFamily</key>
            <string>IPv4</string>
            <key>SockType</key>
            <string>dgram</string>
            <key>SockServiceName</key>
            <string>netbios-ns</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
      <key>Wait</key>
      <true/>
    </dict>
</dict>
 
</plist>

Services such as ssh, http, smb can be registered so that they appear in local network browse lists. In order to do that the dns-sd command can be used to register services.

For example, if we want to register samba so that the device shows up in the local browse lists, we add a plist at /System/Library/LaunchDaemons/org.grimore.smb.dns-sd.plist with the following contents:

org.grimore.smb.dns-sd.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.grimore.smb.dns-sd</string>
 
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/dns-sd</string>
        <string>-R</string>
        <string></string>
        <string>_smb._tcp</string>
        <string>local.</string>
        <string>139</string>
    </array>
 
    <key>OnDemand</key>
    <false/>
</dict>
</plist>

Error 9 is a code-signing error that you may get if the binaries for a certain package have not been signed. The common symptom is that the binary just bails out with Error 9. In order to fix this one can use saurik's ldid tool:

ldid -S /path/to/binary

The following tool can be used to recursively sign binaries and turn the exec bit on bash scripts:

iosign

#!/bin/bash
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2013 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
 
SILENT=0
if [[ $1 == "-s" ]]; then
  SILENT=1
fi
 
for i in `find . -type f`; do
 
  FT=`file -b $i | awk '{ print $1 }'`
  case $FT in
    Mach-O )
      EXE=`file -b $i | awk '{ print $2 }'`
      if [[ $EXE == "executable" ]]; then
        OP="Signed: "
        sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' $i
        ldid -S $i
      fi
      ;;
    Korn ) 
      ;&
    Bourne )
      OP="Exec: "
      chmod +x $i
      ;;
    * )
      OP=""
      ;;
  esac
  if ( [[ $SILENT -eq 0 ]] && [[ ! -z $OP ]] ); then
    echo -n $OP
    echo $i
  fi
done

We can add a trigger to the /var/mobile/Library/Caches/Maps/MapTiles/MapTiles.sqlitedb maps database by opening the database and executing:

CREATE TRIGGER prevent_delete BEFORE DELETE ON images BEGIN SELECT raise(IGNORE); END

which will prevent the Maps application from deleting the map tiles.

echo -e "\n$(top -l 1 | awk '/PhysMem/';)\n"

Edit System/Library/CoreServices/SpringBoard.app/K48AP.plist or /System/Library/CoreServices/SpringBoard.app/N18AP.plist and make sure that the following option is set, if not, add it:

      <key>multitasking-gestures</key>
      <true />

Then copy the /var/mobile/Library/Preferences/com.apple.springboard.plist preference file to an OSX machine and convert it to XML:

plutil -convert xml1 com.apple.springboard.plist

Now edit com.apple.springboard.plist and add the following option:

  <key>SBUseSystemGestures</key>
  <true/>

after:

  <key>SBLanguageRestart</key>
  <false/>

and convert the plist back to binary format:

plutil -convert binary1 com.apple.springboard.plist

Now copy the plist to your device and replace it with the old one:

scp com.apple.springboard.plist root@DEVICE_IP:/var/mobile/Library/Preferences/

where DEVICE_IP is the IP of your iOS device.

After a respring your can open an app and try a four finger pinch. If the app closes, the gestures are enabled.

It seems that:

16fc33fee028cf71b7fd127d9fbc72b071358ab1  sn0wbreeze-v2-1.9.1.zip

is best suited for downgrades to 4.2.1. The hash should or may not perfectly match but sn0wbreeze v2 at 1.9.1 should do the trick.

The latest version seems to make iTunes attempt to upgrade the baseband, at which point the downgrade fails with error 1105.

Setting a SOCKS proxy for iOS can be done conveniently if the device is jailbroken. In the example screenshot below:

the Wifi connection will load the /etc/tor/proxy.pac file just as any Mac. For more information on PAC / WPAD files, please see the proxy auto-discovery for more ideas.

Some old ARM v6 binaries compiled with gcc will get "Illegal instruction: 4" when executed on newer devices such as iPhone 5 or iPad 4 using the CPUs A6 or A6X.

In order to avoid that, run the following command to patch the binaries before signing:

sed -i'' 's/\x00\x30\x93\xe4/\x00\x30\x93\xe5/g;s/\x00\x30\xd3\xe4/\x00\x30\xd3\xe5/g;' 

iOS at version 15.3.1 allows Siri to be activated from the lock screen without having to unlock the phone. Siri can then be leveraged in order to perform various actions. Whilst some actions will make Siri require the user to unlock their phone, some other actions are still allowed without having to unlock the phone.

In order to activate Siri from the lock screen, the side button can be held down for three seconds.

Here is a list of potential attack vectors that have been discovered to be working on iOS at version 15.3.1.

Siri can be told:

• turn wifi off
• turn mobile data off

or, for short:

• turn airplane mode on (which additionally disables any location services)

such that the "Find My Phone" iCloud application on Apple servers at https://www.icloud.com/find/ cannot find the phone anymore.

This would allow someone that intends to steal the phone, to effectively turn off any Internet location such that the phone cannot be tracked anymore.

Siri can be told to set an alarm for a certain point in time, ie:

• set alarm for 2pm

as well as changing the volume:

• set volume to maximum

directly from the lock screen without having to unlock the phone.

Conversely:

• mute volume

such that any calls or appointments will be missed.