CORUNA

Next-Gen Jailbreak

System Ready
[*] Coruna Neon Environment Initialized
[*] Awaiting manual jailbreak initiation...
Exploit Chain
Entry Point
index.html
Fingerprints device & iOS, selects Stage payloads
Stage 1 — Browser Primitive
terrorbird / cassowary
JIT/speculation bug → JSC heap corruption → addrof / fakeobj → arb read64/write64 via WASM-backed views
Stage 2 — PAC Bypass
seedbell
JS r/w → arm64e PAC sign/auth/call via BreakIterator abuse. 16.x & 17.x branches.
Stage 3 — Native Loader
Stage3_VariantB
Rebuild 0xF00DBEEF record, map bootstrap.dylib, jump to _process
Post-Exploit
bootstrap.dylib
→ orchestrator (0x80000) → driver (0x90000) → TweakLoader (0xF0000) → extract Mach-O → patch dyld lib-valid → dlopen → next_stage_main
Coverage Split
iOS 16: terrorbird Stage1 on 16.2–16.5.1, then older seedbell on 16.3–16.5.1
iOS 17: cassowary Stage1 on 16.6–17.2.1, plus seedbell_pre and newer seedbell on 17.0–17.2.1
Shared: Stage3_VariantB, bootstrap.dylib, records 0x80000, 0x90000, 0x90001, TweakLoader
Gap: Per-version native 0x90000 logic incomplete, especially on newer firmware
Clean-Room Build Order
1. Re-implement stage1_primitive.js — unified addrof / fakeobj / read64 / write64 surface for both terrorbird & cassowary
2. Re-implement stage2_pac.js consuming only Stage1 output; return pacia / pacda / autia / autda / callSigned
3. Rebuild stage3_loader.js around manifest / container / shared-buffer semantics
4. Recreate bootstrap_loader.c — record registry, environment gating, selector resolution, shared-buffer bridge, 0x80000 activation
5. Recreate 0x50000 and 0x90001 as auxiliary helper path for inherited/executable mapping
6. Recreate 0x80000 (orchestrator), 0x90000 (driver), and 0xF0000 (TweakLoader slot) as separate projects
7. Keep sbtweak.m payload benign & explicit so end state stays demonstrable
Documentation
Payload Inspect Tool
Located at tools/coruna_payload_tool.py
python3 tools/coruna_payload_tool.py build-container \
    --manifest payloads/manifest.json \
    --payload-root payloads \
    --hash-name <hash> \
    --emulate-live-stage3 \
    --has-pac \
    --output /tmp/out.container

python3 tools/coruna_payload_tool.py inspect-record \
    payloads/<hash>/entry6_type0x07.bin
⚠ Requires the live payloads directory. Catches syntax drift only — does not validate offsets or behavior against original binaries.

SpringBoard Tweaks

Choose which modifications apply after a successful jailbreak. Changes take effect on the next exploit run.

📡 Status Bar Date [REAL]: Shows current date below the clock on status bar
🔒 Lock Screen Overlay [REAL]: Injects glowing "PWNED 🔓" label on lock screen
🔔 Jailbreak Notification [REAL]: Sends "Jailbreak Successful" system notification
🖼️ Wallpaper Replace [REAL]: Sets a neon PWNED wallpaper on lock + home screen
⚠️ Important: These tweaks are real native code injected into SpringBoard. They only fire when the full kernel exploit chain completes successfully. The PWNED button on the home tab is a demo overlay only.

Utilities

Credits

Coruna Exploit Toolkit

34306 Duy Tran Nick Chan
🎉 Choose Package Manager
Select which package manager to install on your device.
⚠ NOTE: Coruna exploit is only fully compatible with iOS 15 – iOS 17.2.1.