Cyanide is no longer actively maintained by zeroxjf.
Patreon integration has been removed, all installable Cyanide tweaks are free, and previously unreleased work-in-progress tweak code has been opened under AGPL-3.0. Anyone can fork it, study it, continue it, or reuse it under the license terms.
This was originally an AI vibe-coded project, so the codebase should be approachable for someone who wants to pick it up, clean it up, or continue experimenting.
The old README is preserved below for historical context and build details, but parts of it may become stale now that this repository is no longer actively maintained.
Archived project README
By @zeroxjf — an iOS tweak runner built on top of the DarkSword kernel r/w primitive.
Cyanide is a fork of wh1te4ever/darksword-kexploit-fun
for iOS kernel research. It wraps the native DarkSword kernel stages in an
Objective-C iOS app, restructures the UI as an Installer/Settings split, and
adds a few reliability fixes for repeated local testing. It does not ship
the browser-delivered WebKit/dyld parts of the original DarkSword chain.
As of v1.3.6, Patreon integration has been removed. All installable Cyanide tweaks are free and no tweak access depends on account linking.
Previously unreleased work-in-progress tweak code has been opened under the same AGPL-3.0 license as the rest of the project. Some unfinished entries remain visible in the app so contributors can find them, but installation stays disabled until someone finishes and verifies them.
zeroxjf is stepping away from active Cyanide development. The code is now
open under AGPL-3.0 so anyone can fork it, study it, reuse it, or continue it
under the license terms.
Open this page on your iPhone/iPad and tap one of the buttons below.
- Report a bug
- Request a feature
- Join the Signal group for setup help, support, test notes, and rough ideas before they become issues.
Beta tweaks are free and visible without account linking. They are unstable and intended for testers who are comfortable with SpringBoard glitches, crashes, or partial behavior.
These tweaks have been tested on iOS 18.x and 26.x. Expect version drift in SpringBoard and related daemons to break things on other releases.
- StatBar: battery temperature and free-RAM overlay anchored to the SpringBoard status bar, with optional C/F and network-speed display.
- NSBar: compact live download/upload speed overlay for the status bar,
with selectable corner/center positions. Ported from
d1y/cyanide-ios. - NiceBar Lite: configurable status-bar-adjacent labels for custom text,
date/time formats, battery, memory, traffic, uptime, IP address, disk,
thermal state, and other live readouts. Ported from
d1y/cyanide-ios.
- SBCustomizer: dock icon count, home-screen columns/rows, and hidden icon labels.
- Home Layout Extras: extra padding around the home grid and dock, plus per-icon scale for home and dock icons. Stacks on top of SBCustomizer.
- Powercuff: CPU/GPU underclocking through simulated
thermalmonitordpressure levels (off, nominal, light, moderate, heavy). Lasts until reboot. Port ofrpetrich/Powercuff.
Ported from kolbicz/DarkSword-Tweaks:
- Disable App Library: removes the App Library page past the last home screen.
- Disable Icon Fly-In: skips the spring-in animation when icons appear.
- Zero Wake Animation: snaps the display on instantly when waking.
- Zero Backlight Fade: instant lock/unlock backlight.
- Double-Tap to Lock: lock the device with a wallpaper double-tap.
- Disable OTA Updates: toggles the launchd OTA
disabled.plistto block or unblock update prompts. Persists across reboots.
⚠︎ Work in progress — these may crash SpringBoard, glitch layout, work only partially, or need re-applying between builds.
- Gravity Lite: core port of Julio Verne's classic Gravity tweak. Applies UIDynamicAnimator physics to home-screen and dock icons — gravity, collisions, bounce, friction, accelerometer steering, shake pulses, and an explosion button. Use Restore Icon Layout if icons stay displaced after deactivating.
- Axon Lite: groups Notification Center requests by app with a SpringBoard overlay and dedups duplicates while the RemoteCall session is alive.
- Dynamic Stage Lite: brings Stage Manager-style split-view to iPhone over
RemoteCall — no jailbreak required. Hosts a second app's scene alongside
SpringBoard using the same scene-hosting design as
tomt000's Dynamic Stage. - FastLockX Lite: keeps Face ID retry/unlock requests armed through SpringBoard timers so pickup-to-unlock can work after Cyanide closes.
- Cyanide Themer: per-bundle icon theme engine. Walks SpringBoard's
SBIconView hierarchy and swaps each icon's image with a PNG matched on bundle
ID. Ships with iOS 6 Theme; also accepts a custom folder of
<bundleID>.pngfiles or a binary plist. Pick a theme in Settings before running. - SnowBoard Lite: imports SnowBoard/IconBundles-style theme folders or
archives into Cyanide's local theme library, then applies the selected theme
through the existing icon replacement pipeline. Ported from
d1y/cyanide-ios. - LiveWP: copies a selected MP4/MOV/M4V into Cyanide's app container and
plays it behind SpringBoard's home and lock screen windows while the live
RemoteCall session is active. Ported from
d1y/cyanide-ios. - Watch Pairing Override: edits the watchOS pairing range stored on the iPhone so you can pair a newer Apple Watch or revive an older one. Persists across reboots; respring before pairing.
- Location Simulator: drives Apple's CoreLocation simulation path from a
RemoteCall host process and sets a static target coordinate. Simulated
locations may violate app terms, platform rules, game rules, ride-share or
delivery policies, or local law depending on how they are used. Use only where
you have permission; you are responsible for your use and apply or restore it
at your own risk. It may also affect location-tied system behavior such as
time zone/date/time handling and can have unintended consequences; only use it
if you know what you're doing. Credits:
kolbiczprovided the RemoteCall/CLSimulationManager GPS spoofer prototype, andezzuldinSt's LSpoof provided the app-side spoofing, picker, bookmarks, and route-simulation reference. - Call Recording Sound: replaces the CallServices
StartDisclosureWithToneandStopDisclosureaudio files with Cyanide's bundled silent payloads, with separate Silence and Restore actions. Cyanide backs up the first originals into its app container before replacement, but this is still a persistent system-file edit under/var/mobile/Library/CallServices/Greetings/default. Disclosure sounds may be legally required where you live; you are responsible for your use and should restore the originals before removing Cyanide if you want Cyanide's backups written back. Credits:YangJiiii(@duongduong0908) for the EnsWilde and Disable Call Recording BookRestore reference tools, and@Little_34306as credited by the original projects for the Disable Call Recording concept.
These entries are visible but not installable because they do not work yet. Their app/source paths are left in place so someone can pick them up later.
- Signal Readouts: unfinished status-bar numeric signal readouts.
- TypeBanner: unfinished iMessage typing banner experiment.
- Notification Island: unfinished Dynamic Island notification mirror.
- IPA Decryptor: unfinished local IPA decryptor workflow.
Tested target range:
- iOS/iPadOS 17.0 through 18.7.1
- iOS/iPadOS 26.0 through 26.0.1
- A19/M5 devices are not supported
The kernel bugs used here, CVE-2025-43510 and CVE-2025-43520, were fixed in
iOS/iPadOS 18.7.2 and 26.1. Later builds are outside this kernel exploit window.
- Cleans shared exploit state before each attempt.
- Matches the target process with an explicit marker.
- Validates sockets before using the spray path.
- Treats missed races as retryable failures instead of hard failures.
- Tightens the A18/M4
pe_v2path with initialized target-file contents, stable local remap addresses, bounded page freeing, socket-spray preflight checks, and controlled zone-trim retries.
- Escape the app sandbox.
- Control or crash userspace processes from the app.
- Change UID, GID, and sticky bits on target files.
- Disable ASLR by setting
P_DISABLE_ASLRinlaunchd'sproc->p_flag.
opa334: originaldarksword-kexploit, ChOma, and XPF — the kernel r/w primitive Cyanide is built on.wh1te4ever:kfun/darksword-kexploit-fun— the RemoteCall implementation that lets a sideloaded app apply tweaks inside SpringBoard. Cyanide is a fork of this project.rooootdev: working kexploit behavior used to stabilize this fork.neonmodder123: Web Respring method.kolbicz: OTA Disabler, SpringBoard tweaks, and the RemoteCall/CLSimulationManager GPS spoofer prototype used as the starting point for Location Simulator.ezzuldinSt: LSpoof app-sideCLLocationManagerspoofing, picker, bookmarks, and route-simulation reference used while shaping Location Simulator.YangJiiii(@duongduong0908): EnsWilde and Disable Call Recording BookRestore reference tools used while shaping Call Recording Sound.@Little_34306: credited by the original call-recording projects for the Disable Call Recording concept.rpetrich: Powercuff.- Julio Verne: the original Gravity tweak that Gravity Lite is a core port of.
d1y:cyanide-iosAGPL-3.0 sources used for the NSBar, NiceBar Lite, SnowBoard Lite, and LiveWP ports.tomt000: Dynamic Stage — the original Stage Manager-for-iPhone tweak whose split-view + scene-hosting design Dynamic Stage Lite re-implements over RemoteCall.
- The classic Installer.app (Ripdev & Nullriver Software, now maintained by AppTapp and the Legacy Jailbreak community) — the iPhoneOS 1 package-manager look that the Cyanide Installer tab is modeled after.
- The Sileo Project (the Sileo Team) — the queue → review → confirm install flow and the bottom queue-popup pattern.
./scripts/build.shThe build script uses the Cyanide scheme, disables code signing, and writes
an unsigned IPA to:
build/Cyanide.ipa
Equivalent manual build:
xcodebuild \
-project Cyanide.xcodeproj \
-scheme Cyanide \
-sdk iphoneos \
-configuration Debug \
CODE_SIGNING_ALLOWED=NO \
buildThis repository is licensed under AGPL-3.0. See LICENSE.
The NSBar, NiceBar Lite, SnowBoard Lite, and LiveWP ports adapt AGPL-3.0 code
from d1y/cyanide-ios and remain in the
AGPL-covered tree.
Cyanide includes two JavaScript tweak runners contributed by Iggy05:
- QuickLoader imports a local
.jsfile from Files and exposes declared@paramvalues as settings rows. - RepoTweaks Store imports HTTPS JSON repositories and downloads selected
JavaScript tweaks from those sources. Cyanide seeds the zeroxjf source at
https://zeroxjf.github.io/cyanide-repotweaks.jsonby default.
Only run scripts and repositories you trust; JavaScript tweaks can call Cyanide RemoteCall helpers and may destabilize SpringBoard if the script is buggy.