BrokenBladeBeta
Beta testing the LightSaber userland exploit chain for iPhone on iOS 18.0–18.3
@zeroxjf
Open source on GitHub
Built with Codex and Claude Code
Join Enfilade Discord — #brokenblade-beta

Beta testing the LightSaber chain — iPhone · iOS 18.0–18.3

How testing works
Right now we are only debugging the WebKit / JavaScript phase of the chain. The full exploit chain (sandbox escape, kernel R/W, SpringBoard injection) does not kick off yet — so don’t expect a long page freeze, a Safari crash, or anything visible on the home screen. What I’m looking for is where in the WebKit setup the chain stops, which the auto-uploaded log captures.
  • Each tap of Run is one attempt. The chain is non-deterministic; sometimes a retry progresses further than the previous attempt.
  • Expected outcome for now: the WebContent log scrolls a handful of lines, then stops — usually before Starting check_attempt. That’s exactly the data I need. Please run a few times in a row so I get multiple traces.
  • If you get the same stop point on many tries, try clearing Safari cache (Settings → Apps → Safari → Clear History and Website Data) and running again. Reboot for a fully fresh state if that doesn’t help.
  • If anything does freeze the page for a long time or crash Safari, that’s a signal — please mention it. Otherwise assume the run was useful even when nothing dramatic happens.
Privacy — auto-upload
When you run the chain, your WebContent log auto-uploads to a private Cloudflare R2 bucket I control so I can debug failures. Stored fields: build, iOS, user-agent, country, chain trace. No IP addresses or personal identifiers are kept. Logs auto-delete after 30 days. See exact sample · Worker source.
WebContent Log
Waiting to start
Phases 3–5 run while WebKit is frozen — no live log updates here.
Expected
WebContent log lines will appear here when a run starts.
Not tweak injection — runtime JS modification only
This is JavaScript injection during the exploit chain that modifies processes at runtime. While changes persist until respring or reboot, this is not a standard dylib injection found with a full jailbreak — it is limited in nature and only some things can be done with it.
Compatibility warning — may conflict with Nugget
This may cause compatibility issues with modifications made by Nugget and other similar tools. While I will work on resolving this, keep this in mind in the interim.
Use caution — unstable, not for daily drivers
Derived from the DarkSword exploit chain with all malware communication stripped and fully open source, but this is an inherently unstable chain and is not recommended for deployment on a daily driver unless you are willing to accept the risk. The chain may take several tries to succeed, SpringBoard may crash, the kernel may panic. Use at your own risk — I am not liable for any damage or data loss.
Credits
iVerify & Google GTIG — DarkSword chain documentation
leminlimez — Nugget (MobileGestalt + BookRestore)
khanhduytran0 — SparseBox (3-app limit bypass)
rpetrich — Powercuff tweak
34306 & khanhduytran0site design reference
@cro4js — UI suggestions

v0.0.130

Before you continue

Please read the following before using BrokenBlade.

This is not tweak injection. This is JavaScript injection during the exploit chain that modifies processes at runtime. While changes persist until respring or reboot, this is not a standard dylib injection found with a full jailbreak — it is limited in nature and only some things can be done with it.
Compatibility warning. This may cause compatibility issues with modifications made by Nugget and other similar tools. While I will work on resolving this, keep this in mind in the interim.
Use caution. Derived from the DarkSword exploit chain with all malware communication stripped and fully open source, but this is an inherently unstable chain and is not recommended for deployment on a daily driver unless you are willing to accept the risk. The chain may take several tries to succeed, SpringBoard may crash, the kernel may panic. Use at your own risk — I am not liable for any damage or data loss.
Privacy — diagnostic upload When you run the chain, your WebContent log auto-uploads to a private Cloudflare R2 bucket I control so I can debug failures. Stored fields: build, iOS, user-agent, country, chain trace. No IP addresses or other personal identifiers are stored. Logs auto-delete after 30 days. See an exact sample · Worker source.

Before it runs

After you press Proceed, keep Safari open and do not lock the phone. The full run usually takes about 1 minute, approximately.

Page freezes for ~45–60s: WebKit handoff — no UI updates after that.
Safari crashes to home screen: good signal — tweaks about to install.
Wait 10–20 seconds: then check the home screen.

Force-close Safari

Safari is in a dirty state from a previous run. From the app switcher, swipe up on Safari to kill it, then reopen this page and try again.

If this keeps happening, clear Safari's cache (Settings → Apps → Safari → Clear History and Website Data) and/or reboot your device before retrying. A reboot gives you a fresh kernel state and the cleanest chance of success.