Hey everyone,
I’m trying to build a Unity game mod using Theos for a non-jailbroken (jailed) setup. Most of the guides and templates I’ve found are either outdated or targeted at jailbroken environments.
Here’s where I’m stuck:
What I’ve tried
- Used the SilentPwn template by @10738750-batch. The project builds and injects fine, but the actual patch doesn’t work.
- Using offsets found via dnSpy:
  - If I use them directly, the game crashes.
  - If I add the UnityFramework base address, nothing happens.
  - If I use the SilentPwn base, still no effect.
- The H5GG method works. It generates a patched UnityFramework file on first run, which I can replace, re-sign, and sideload successfully.
- I found the GitHub repo itsPow45/iOS-Jailed-Runtime-Offset-Patching-and-Hooking, which claims to be a Theos alternative to H5GG, but I can’t figure out how to integrate or use it.
What I want to know
- How should I correctly calculate runtime patch offsets for Unity games on jailed setups?
- How does Theos handle image slides and base address adjustments in this context?
- Is there any working example or minimal setup using itsPow45 (or similar) that performs runtime offset patching or creates a patched binary like H5GG does?
- Any known pitfalls when patching UnityFramework specifically for jailed devices?
Setup
- Device: iPhone 16 Pro
- iOS: 26.0.1
- Game: Subway Surf
- Binary of interest: UnityFramework
- Toolchain: Theos (latest build)
If anyone can point me toward a current workflow or working example for jailed runtime patching with Theos, that’d be great.