zeroxjf/cyanide-ios

 
 

Cyanide

By @zeroxjf — an iOS tweak runner built on top of the DarkSword kernel r/w primitive.

Cyanide is a fork of wh1te4ever/darksword-kexploit-fun for iOS kernel research. It wraps the native DarkSword kernel stages in an Objective-C iOS app, restructures the UI as an Installer/Settings split, and adds a few reliability fixes for repeated local testing. It does not ship the browser-delivered WebKit/dyld parts of the original DarkSword chain.

Install

Open this page on your iPhone/iPad and tap one of the buttons below.

  • Add AltSource
  • Download .ipa

Tweaks

These tweaks have been tested on iOS 18.x and 26.x. Expect version drift in SpringBoard and related daemons to break things on other releases.

Status Bar

  • StatBar: battery temperature and free-RAM overlay anchored to the SpringBoard status bar, with optional C/F and network-speed display.

Home Screen Layout

  • SBCustomizer: dock icon count, home-screen columns/rows, and hidden icon labels. Native port of the lightsaber sbcustomizer payload.
  • Home Layout Extras: extra padding around the home grid and dock, plus per-icon scale for home and dock icons. Stacks on top of SBCustomizer.

Performance

  • Powercuff: CPU/GPU underclocking through simulated thermalmonitord pressure levels (off, nominal, light, moderate, heavy). Lasts until reboot. Port of rpetrich/Powercuff.

SpringBoard Tweaks

Ported from kolbicz/DarkSword-Tweaks:

  • Disable App Library: removes the App Library page past the last home screen.
  • Disable Icon Fly-In: skips the spring-in animation when icons appear.
  • Zero Wake Animation: snaps the display on instantly when waking.
  • Zero Backlight Fade: instant lock/unlock backlight.
  • Double-Tap to Lock: lock the device with a wallpaper double-tap.

System Updates

  • Disable OTA Updates: toggles the launchd OTA disabled.plist to block or unblock update prompts. Persists across reboots.

Beta

⚠︎ Work in progress — these work but may change or need re-applying between builds.

  • Axon Lite: groups Notification Center requests by app with a SpringBoard overlay and dedups duplicates while the RemoteCall session is alive.
  • Cyanide Themer: per-bundle icon theme engine. Walks SpringBoard's SBIconView hierarchy and swaps each icon's image with a PNG matched on bundle ID. Ships with iOS 6 Theme; also accepts a custom folder of <bundleID>.png files or a binary plist. Pick a theme in Settings before running.
  • Watch Pairing Override: edits the watchOS pairing range stored on the iPhone so you can pair a newer Apple Watch or revive an older one. Persists across reboots; respring before pairing.

Experimental

⚠︎ Unstable or in-development — require Experimental Tweaks to be enabled in Settings.

  • Signal Readouts: replaces the signal-strength glyphs with live numeric readouts — RSRP dBm on cellular, bar count on WiFi.
  • TypeBanner: shows a pill banner below the Dynamic Island when the active Messages conversation shows a typing indicator. Detection fires only while Messages.app is running.

Supported Targets

Tested target range:

  • iOS/iPadOS 17.0 through 18.7.1
  • iOS/iPadOS 26.0 through 26.0.1
  • A19/M5 devices are not supported

The kernel bugs used here, CVE-2025-43510 and CVE-2025-43520, were fixed in iOS/iPadOS 18.7.2 and 26.1. Later builds are outside this kernel exploit window.
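
For anyone managing a device fleet, the version boundaries above translate directly into a patch-triage check. The following is an added example, not code from the Cyanide repository; the inventory rows, device names and the classify/triage functions are constructed for illustration, and versions the README makes no statement about are reported as unknown rather than guessed.

```python
import re

# Boundaries from the README: tested 17.0-18.7.1 and 26.0-26.0.1; fixed in 18.7.2 and 26.1.
FIXED_18 = (18, 7, 2)
FIXED_26 = (26, 1, 0)

# Constructed sample inventory (device id, reported OS version); not real data.
INVENTORY = """\
ipad-lab-01,17.6.1
iphone-qa-02,18.7.1
iphone-qa-03,18.7.2
iphone-exec-04,26.0.1
ipad-exec-05,26.1
iphone-old-06,16.7.10
iphone-bad-07,n/a
"""

def parse_version(text):
    """Return (major, minor, patch) or None when the field is not a version."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def classify(version_text):
    """Map an iOS/iPadOS version string to exposed / patched / unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v >= FIXED_26:
        return "patched"            # 26.1 and later
    if v >= (26, 0, 0):
        return "exposed"            # 26.0 through 26.0.1
    if FIXED_18 <= v < (19, 0, 0):
        return "patched"            # 18.7.2 and later 18.x builds
    if (17, 0, 0) <= v < FIXED_18:
        return "exposed"            # 17.0 through 18.7.1
    return "unknown"                # README makes no statement about these

def triage(inventory):
    """Group device ids by status so exposed devices can be updated first."""
    groups = {"exposed": [], "patched": [], "unknown": []}
    for line in inventory.split():
        device, _, version = line.partition(",")
        groups[classify(version)].append(device.strip())
    return groups

if __name__ == "__main__":
    for status, devices in triage(INVENTORY).items():
        print(f"{status:8} {', '.join(devices)}")
```

Devices in the unknown group need a manual look: the README lists only the range it was tested on, so a version outside it is not shown to be safe.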

What This Fork Changes

  • Cleans shared exploit state before each attempt.
  • Matches the target process with an explicit marker.
  • Validates sockets before using the spray path.
  • Treats missed races as retryable failures instead of hard failures.
  • Tightens the A18/M4 pe_v2 path with initialized target-file contents, stable local remap addresses, bounded page freeing, socket-spray preflight checks, and controlled zone-trim retries.

Kernel Research Features

  • Escape the app sandbox.
  • Control or crash userspace processes from the app.
  • Change UID, GID, and sticky bits on target files.
  • Disable ASLR by setting P_DISABLE_ASLR in launchd's proc->p_flag.

Credits

  • opa334: original darksword-kexploit, ChOma, and XPF — the kernel r/w primitive Cyanide is built on.
  • wh1te4ever: kfun / darksword-kexploit-fun — the RemoteCall implementation that lets a sideloaded app apply tweaks inside SpringBoard. Cyanide is a fork of this project.
  • rooootdev: working kexploit behavior used to stabilize this fork.
  • neonmodder123: Web Respring method.
  • kolbicz: OTA Disabler and SpringBoard tweaks.
  • rpetrich: Powercuff.
  • tomt000: Dynamic Stage — the original Stage Manager-for-iPhone tweak whose split-view + scene-hosting design Dynamic Stage Lite re-implements over RemoteCall.

UI inspiration

  • The classic Installer.app (Ripdev & Nullriver Software, now maintained by AppTapp and the Legacy Jailbreak community) — the iPhoneOS 1 package-manager look that the Cyanide Installer tab is modeled after.
  • The Sileo Project (the Sileo Team) — the queue → review → confirm install flow and the bottom queue-popup pattern.

Build

./scripts/build.sh

The build script uses the Cyanide scheme, disables code signing, and writes an unsigned IPA to:

build/Cyanide.ipa

Equivalent manual build:

xcodebuild \
  -project Cyanide.xcodeproj \
  -scheme Cyanide \
  -sdk iphoneos \
  -configuration Debug \
  CODE_SIGNING_ALLOWED=NO \
  build

License

The open-source portion of this repository — everything outside the Cyanide/tweaks/private/ submodule — is licensed under AGPL-3.0. See LICENSE.

The Cyanide/tweaks/private/ submodule points at a separate private repository containing the closed-source experimental tweak implementations (Signal Readouts, TypeBanner). Those files are All Rights Reserved, distributed in compiled form only inside official Cyanide releases, and gated to active Patreon supporters at the Member tier or above. Public clones won't be able to fetch the submodule, and the experimental tweaks will be absent from local builds unless you re-implement them.


Languages

  • Objective-C 89.2%
  • C 9.2%
  • Shell 1.5%
  • Makefile 0.1%