Add iOS 16.7.2 arm64e support to Lara

[hxhlb]

Summary

This PR adds iOS 16.7.2 support for Lara on the tested arm64e device path.

Included changes:

• Add an iOS 16-specific sandbox escape path
• Add iOS 16 sandbox extension table detection and patching
• Add K_ios16() for iOS 16 kernel pointer validation
• Update file operation helpers for the iOS 16 sandbox escape flow
• Add file sharing support in the file manager
• Add iOS 16-specific settings for manual KRW stashing and SpringBoard RemoteCall lifecycle handling
• Add iOS 16.7.2 adaptation for SpringBoard RemoteCall tweaks
• Update MobileGestalt overwrite handling for the iOS 16 sandbox/VFS flow
• Update packaging support for the tested installation flow

Details

Sandbox escape

iOS 16 uses a different sandbox extension table layout from the older path. This PR adds a dedicated iOS 16 implementation that:

• Reads the iOS 16 extension table from sandbox + 0x08
• Seeds a writable probe extension
• Finds the matching read-write extension in the extension table
• Copies metadata from the container extension
• Patches the probe extension path to /
• Verifies the result with real file-system access

The existing sandbox escape flow remains the default path for non-iOS 16 systems. On iOS 16, sbx_escape() dispatches into the new iOS 16 implementation.

File manager

This PR adds a share action to the file manager so files can be exported through the system share sheet.

iOS 16 settings

This PR adds iOS 16-only settings for:

• Manually stashing KRW to launchd
• Warning that iOS 16 KRW stashing may be unstable and may need to be retried manually
• Keeping the SpringBoard RemoteCall alive while Lara enters the background, with a warning that exiting Lara while RemoteCall is active may respring SpringBoard

RemoteCall tweaks

This PR includes iOS 16.7.2 adaptation work for SpringBoard RemoteCall tweaks.

The SpringBoard RemoteCall tweak path was tested only partially. The current validation does not cover every tweak action.

MobileGestalt

MobileGestalt overwrite handling was updated so it works with the iOS 16 sandbox/VFS readiness flow.

Installation note

On my iPhone XS Max running iOS 16.7.2, direct installation from Xcode did not work in my testing. The IPA should be installed with ios-deploy or a similar installation path instead.

This installation limitation is based only on my tested device.

Demo videos

• Sandbox escape demo: https://github.com/hxhlb/lara/releases/download/ios16.7.2-arm64e-test/1.sandbox.escape.MP4
• SpringBoard RemoteCall demo: https://github.com/hxhlb/lara/releases/download/ios16.7.2-arm64e-test/2.remote.call.MP4

Test IPA

A test IPA is available from my fork release:

• Release: https://github.com/hxhlb/lara/releases/tag/ios16.7.2-arm64e-test
• IPA: https://github.com/hxhlb/lara/releases/download/ios16.7.2-arm64e-test/lara.ipa

Testing

Tested locally on:

• iPhone XS Max, iOS 16.7.2

Verified:

• App starts on iOS 16.7.2 through the tested IPA installation flow
• Sandbox escape reports success
• File-system verification passes
• /private/var/mobile/Library/Preferences write test passes
• MobileGestalt overwrite flow runs after sandbox/VFS readiness
• File manager sharing is available
• Several SpringBoard RemoteCall tweak actions were tested, but not the full tweak matrix

I only have one iOS 16 device available for testing, so the current validation may be incomplete. More iOS 16 devices should be tested before marking this PR ready for review.