A lengthy, detailed list of exploits, bugs, oversights, and cool/unknown things in the iOS Shortcuts app
Kn0tzer/iOS-Shortcuts-Exploits
iOS Shortcuts Exploits

I've been working on iOS shortcuts for a long time now, and over time have found many, many weird things that definitely aren't supposed to happen. As far as I know I'm the only person that knows about some of these so I thought I'd create a list and explanation of all the exploits I can remember.

Most of these I've found entirely by myself. If I didn't find something entirely by myself, that will be clearly stated in the explanation, and a link will be given to the source. If I found it myself, but am not the first person to find it, the first person who found it will not be linked here because of how hard it can be to track down.

Note: For a version of this with much more information (95% of which being bloat) check previous commits.

Wallpaper Switching/Memory Overloading - Shortcut

Using the "Switch Between Wallpapers" action repeatedly on loop causes many, many problems with iOS. Since there's so many different ways this can be used, I've listed most of them below.

Memory Overloading - Video

This exploit causes iOS to attempt to use more RAM than it has available, causing things such as ignoring touch input (see iOS Crashing below), resprings, unloading your wallpaper, individual wallpaper layers being visible, TV static wallpapers (can't be seen because of video compression), UI flickering, and even broken side buttons that accidentally called 911 for me.

iOS Crashing - Video

iOS can also be crashed when using this on older versions. This got patched in iOS 17. When this happens, touch input and side buttons are completely ignored, and the display goes black. The only way to fix this is to either wait until the battery dies, or force reboot the device. This can be abused if you set up an automation to run this whenever the phone is unlocked.

Live Wallpaper PoC - Shortcut

I've created a proof of concept using this wallpaper switching exploit to allow for true live wallpaper functionality in stock iOS. I stopped development on this for a couple of reasons. For one, there's only a very, very small number of people that would find this useful: people on iOS 16.7.x, with a high-end device, who don't care about battery life, lag, or occasional iOS crashes, and are willing to go through about 20 minutes of manual setup. Here's a comparison of how much slower live wallpapers are on iOS 17+ compared to iOS 16.

Update: Use Nugget.

Crash Any App - Shortcut

There's a very easy and kind of funny way to crash any app, including SpringBoard, using memory overloading. Simply copy around 2,400,840 emojis (5 MB) to your clipboard, and paste them into any text box you can find. Note that this uses a very similar method to BrickIt.

Pasting this text into a conversation in the Messages app will make it nearly impossible to access that conversation. Every time you open the Messages app, it by default opens the last conversation you had open, and when opening a conversation it by default loads the last text you had typed, but didn't send, to that person, thus causing the app to crash. Restarting your phone and then opening the Messages app works as normal, but the app will crash again any time you try to access that conversation. The only way to fix this is to:

1. Get the other person to send you a message.
2. Hold down on the notification you get.
3. Type anything in the text box that shows up in the window without sending the message.
4. Tap on the conversation, which will open the Messages app with the text you started typing now replacing the text that was previously crashing the app.

Dark/Light Mode Transition Abuse - Shortcut

When switching between light and dark mode, previous frames are sampled and blended together to create a fade effect. This can be abused to make the entire screen unreadable and blurred by using a Shortcut to switch between light and dark mode really fast while causing a bit of lag. In my example Shortcut, it repeatedly toggles light/dark mode along with Low Power Mode and Do Not Disturb to cause lag. If it's too laggy for you, remove the toggle Do Not Disturb action. This works best inside stock iOS apps, but can also work in any app or SpringBoard if enough lag is created and you get a bit lucky. To stop this, either restart your phone, trigger a respring, or if possible use the Dynamic Island.

Audiogram Abuse - Shortcut

This only works using either your phone speakers, AirPods, or Beats headphones.

Deep within the iOS Settings app is an accessibility feature called 'Headphone Accommodations'. You may have seen this before in a guide on how to make AirPods volume louder than intended. Typically, after pressing 'Custom Audio Setup' you select an image of an audiogram chart generated after taking a hearing test. Then, any frequencies you can't hear as well will be boosted.

Instead, by picking any random image it will give you an error, along with the option to enter values manually. Now, you can choose any of the frequencies listed and the amount of decibels to boost their volume by, very similar to a traditional equalizer. The reason this is important is that it works system-wide, instead of specific apps having their own equalizer settings.

One problem is that the way decibels are calculated from audiograms (dB HL) is very different from the typical decibels (dB) you'd find on a normal EQ. There's no direct conversion calculation, so finding what works for you will mostly be trial and error. I've made a shortcut called Equagram to assist with the conversions and the setup process, but it's getting old now and the conversions are pretty heavily skewed towards louder basses and lower mids.

Screentime Bypass - Shortcut

Screen Time can be bypassed, for websites only, using .webloc files.

These files contain some generic .plist code along with a URL to any website, which can then be opened without being blocked by Screen Time. They can be opened through the Files app, or if the Files app is blocked by Screen Time, through the Quick Look action.

The 'Send Message' action can also be used to bypass communication limits.

Note: If you have a computer you can use Cowabunga Lite to supervise your device and something like Lithium to disable screen time entirely.

The 'Get Device Details' action set to 'Screen Brightness' can be used to automatically detect whether your phone is locked. If the output of the action is 0, then either the device is locked or the screen brightness is set to 0.

As a workaround for a screen brightness of 0 being reported as the device being locked, you can temporarily set the brightness to 0.03, then check the brightness again. If it still outputs 0 then the device is locked. If it outputs 0.05 then the device is not locked, and you can set the brightness back to 0.

On devices with an Always On Display, getting the screen brightness will not return 0 when the device is locked, since the display is still on. Quickly disabling the Always On Display (AOD) before getting the screen brightness is a good workaround for this.
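The lock-detection procedure above, written out as a decision function so the two edge cases (brightness already at 0, and an Always On Display keeping the panel lit) are explicit. This is an added example and not code from the repository or a Shortcut; Shortcuts actions have no Python API, so `FakeDevice` is a constructed stand-in whose `get_brightness`, `set_brightness` and `set_aod` methods model the 'Get Device Details', 'Set Brightness' and AOD toggle actions, and the behaviour it simulates (0 reported only while locked with the display off) is taken from the text.

```python
"""Model of the 'is the phone locked?' check built from the brightness trick."""
from dataclasses import dataclass

# Temporary non-zero level used to tell "locked" apart from "brightness is 0".
# The text uses 0.03 for the probe; only "non-zero" matters for the decision.
PROBE_BRIGHTNESS = 0.03


@dataclass
class FakeDevice:
    """Constructed stand-in for the handset state an automation can observe."""
    locked: bool
    brightness: float          # user-set level, 0.0 .. 1.0
    has_aod: bool = False      # hardware supports Always On Display
    aod_enabled: bool = False  # AOD currently switched on

    def get_brightness(self) -> float:
        # Locked with the display off reports 0 (as the text describes).
        # With AOD on, the panel is still lit, so the real level is reported.
        if self.locked and not (self.has_aod and self.aod_enabled):
            return 0.0
        return self.brightness

    def set_brightness(self, level: float) -> None:
        self.brightness = level

    def set_aod(self, enabled: bool) -> None:
        self.aod_enabled = enabled


def is_locked(device) -> bool:
    """Return True if the device is locked, using only brightness reads/writes.

    Steps mirror the text: disable AOD if it is on, read brightness, and if it
    is 0 probe with a small non-zero value to rule out "brightness set to 0".
    AOD and the 0 brightness are restored before returning.
    """
    aod_was_on = getattr(device, "aod_enabled", False)
    if aod_was_on:
        device.set_aod(False)
    try:
        if device.get_brightness() != 0:
            return False            # display is lit and readable: unlocked
        device.set_brightness(PROBE_BRIGHTNESS)
        probe = device.get_brightness()
        device.set_brightness(0.0)  # put the user's 0 back in either case
        return probe == 0           # still 0 after the probe means locked
    finally:
        if aod_was_on:
            device.set_aod(True)


if __name__ == "__main__":
    for d in (FakeDevice(locked=True, brightness=0.5),
              FakeDevice(locked=False, brightness=0.0),
              FakeDevice(locked=True, brightness=0.4, has_aod=True, aod_enabled=True)):
        print(d, "->", "locked" if is_locked(d) else "unlocked")
```

The `try`/`finally` matters for the AOD case: if the probe fails partway through, the automation should still switch the Always On Display back on rather than leave the device in the state the check temporarily put it in.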

Accessible Related

There's a Shortcut made by LungInspector called Accessible that utilizes an exploit within the Shortcuts app to gain read access to files you don't normally have access to. It can also be used to open any hidden iOS app. While Accessible is definitely a cool tool, being honest it's almost completely useless. Below are the things it can do.

Hidden Apps

Within iOS, there are many hidden apps that can't normally be accessed. Giving their full file path from root as a URL and then opening them as a file allows you to open them anyway. Most of these hidden apps either crash on open or show a blank screen, but there are a few interesting ones.

The most useful hidden app I've seen is PreBoard.app, which on open locks your phone, shows a blank white screen with the Apple logo, and waits until either Face ID or the passcode is given before continuing. It can in theory be used as a way to get a 'Check Face ID before continuing' action, but is pretty impractical. Here is a Shortcut to open PreBoard.app.

File Reading

The core feature of Accessible is reading files you don't normally have access to. However, it's extremely limited, only giving access to /Applications, /Developer, /Private, and /System, all of which are almost completely useless.

Shortcuts Bug Fixes

The Shortcuts app itself has many bugs, but luckily, due to the app's nature, a lot of them can be fixed using workarounds.

Articles Shortcut Input Fix - Example

The 'Articles' and 'Safari web pages' Shortcut inputs are completely broken. Instead, using the 'URLs' Shortcut input, followed by the actions 'Get Body from (Shortcut Input)' and 'Get Text from (Details of Articles)', fixes this.

Rarely, the 'Get Details from Article' action will give some error about not having permissions, but putting a 'Comment' action before it sometimes fixes this.

Apple Watch Notes Fix

The 'Create Note' action is broken when run from the Apple Watch (probably broken only on watchOS 11+). Using the 'Append to Note' action instead is a good workaround. Pretty simple.

MZStatic.com Links

The Shortcuts app displays links associated with is1.mzstatic.com/image differently than most links, as they're used for app icons, among many other things. When trying to display these links (such as for the 'Stop and Output' action, or for any Shortcut output), it outputs an error instead of the link.

On the screen requesting permissions (e.g. "Do you want to allow 'New Shortcut' to append the following images to a note?"), instead of asking to append a link, it will ask to append an image. However, the Shortcuts app only has problems displaying these links, not processing them. So, if you check the actual note, it will have appended the link as normal instead of inserting an image.

Time Between Dates Action Sucks

The 'Time Between Dates' action requires dates to be formatted in a specific way and have specific metadata attached to them. Otherwise it will occasionally (around 0.5% of the time) throw an error saying that the provided date was invalid. This was an absolute nightmare to track down, especially because of how rarely it happens, so now I officially know my least favorite action is Time Between Dates.

Random

A bunch of other little things that don't deserve their own section.

Supervise Box/Lithium

Lithium is another Shortcut created by LungInspector that creates Mobile Device Management (MDM) profiles, allowing you to change settings you don't normally have access to (Such as disabling Screen Time). However, it requires device supervision, which requires a computer for initial setup. It's best used alongside Cowabunga Lite or Nugget.

Deleting Automations Also Deletes Attached Shortcut

On modern versions, when creating an automation you can choose between either directly running a Shortcut when triggered, or adding actions to run like a typical Shortcut. When setting the automation to directly run a Shortcut when triggered (outside of the 'Run Shortcut' action) and then deleting that automation, it will rarely also delete the Shortcut it's set to run.

Hide Popup Alerts

If you set a Shortcut to open an app with nothing else inside of it, and add that Shortcut to your home screen, when running it will show a quick popup alert at the top of your screen once the app is opened. Adding the 'Nothing' action before the 'Open App' action, and then adding it to your home screen, removes this popup alert. I found this from Skyboard, which relies on this pretty heavily.

Disable Shortcuts Notifications

Some automations don't have the option to turn off 'Notify When Run', clogging your lock screen with a bunch of useless Shortcuts notifications. A workaround for this is to enable Screen Time, select 'See All App & Website Activity', scroll to Notifications and find Shortcuts in the list (if it's not already there, use the 'Show Notification' action to make it show up).

From there, you can disable notifications like any other app. Keep in mind this also breaks the 'Show notification' action. I found this from here, but who knows who found it first.

Clock Action Wakes Screen

When the device is locked, running the 'Open Tab' Clock action wakes the screen and shows your lock screen. When unlocking your phone, it then shows the Clock app. This happens because the Clock app is one of the few apps (like the Calculator app) that can be opened without unlocking your phone. Opening the app through the 'Open Tab' action confuses it, and it doesn't show the Clock app itself until you leave your lock screen. If run from an automation (including an automation that runs a Shortcut with this action), it will work as intended and show the Clock app above the lock screen.

I used this in a Shortcut called wake on song change. I worked around the automation limitation by immediately running the 'Lock Screen' action after.

Fastest Global Variables

While creating my Lockdown Mode shortcut which runs a very simple automation every time an app is opened, it was very important to make sure the global variable action I was using took as little time to run as possible. So, I tested many different apps and came to the conclusion that VBox was the fastest for setting global variables by far. As for reading global variables, VBox was tied in speed with Toolbox Pro.

Only partially Shortcuts related, but still very interesting. A while ago, I installed an app from a Shortcut named BrickIt (recreation), which had an extremely long name (2,400,840 emojis). This overloads iOS and freezes your phone until either you force reboot your device, or it resprings automatically after ~60 seconds. Every time you try to open or uninstall the app, or even see the app's name, it freezes your phone again. The only way to remove the app is to either factory reset your device and restore a backup, or to overwrite it using a signed app with the same bundle ID. If you don't know what app signing or bundle IDs are, then I wouldn't recommend reading this next part.

When unsigned, the BrickIt app installs and shows an error message when opening it that contains the app's name, crashing iOS. Attempting to install another unsigned app over it with the same bundle ID does effectively nothing. The only way to overwrite the app is to install a signed app with the same bundle ID over it. However, this isn't as easy as it seems, since most signing methods have PPQ protection, adding a random string of characters to the end of the bundle ID before installing. I ended up fixing the problem by using a developer certificate and disabling PPQ Check protection using Feather. This could probably be fixed without a developer certificate, though, using any sideloader other than SideStore, AltStore, or Sideloadly.
