A lengthy, detailed list of exploits, bugs, oversights, and cool/unknown things in the iOS Shortcuts app

Kn0tzer/iOS-Shortcuts-Exploits

iOS Shortcuts Exploits

I've been working on iOS shortcuts for a long time now, and over time have found many, many weird things that definitely aren't supposed to happen. As far as I know I'm the only person that knows about some of these so I thought I'd create a list and explanation of all the exploits I can remember.

Most of these I've found entirely by myself. If I didn't find something entirely by myself, that will be clearly stated in the explanation, and a link will be given to the source. If I found it myself, but am not the first person to find it, the first person who found it will not be linked here because of how hard it can be to track down.

Wallpaper switching - Shortcut

Using the "Switch Between Wallpapers" action repeatedly on loop causes many, many problems with iOS. Since there's so many different ways this can be used, I've listed most of them below.

Memory Overloading - Video

This exploit causes iOS to attempt to use more RAM than it has available, causing things such as ignoring touch input (see iOS Crashing below), resprings, unloading your wallpaper, individual wallpaper layers being visible, TV static wallpapers (can't see because of video compression), UI flickering, and even broken side buttons that accidentally called 911 for me.

iOS Crashing - Video

iOS can also be crashed when using this on older versions. This got patched in iOS 17 (possibly also 16.7+). When this happens, touch input and side buttons are completely ignored, and the display goes black. The only way to fix this is to either wait until the battery dies, or force reboot the device. This can be abused if you set up an automation to run this whenever the phone is unlocked.

Big Red Circle - Video

Tying one of the wallpapers you're switching between to a focus, and setting that focus to hide notification badges, makes some notification badges you have on screen really big for a split second. This may not work depending on the app placement on the screen, or the number of notifications you have.

Live Wallpaper PoC - Shortcut

I've created a proof of concept using this wallpaper switching exploit to allow for true live wallpaper functionality in stock iOS. I stopped development on this for a couple of reasons. For one, there's only a very, very small number of people that would find this useful - that being people on iOS 16.7.x, with a high-end device, who don't care about battery life, lag, occasional iOS crashes, and are willing to go through about 20 minutes of manual setup. Here's a comparison of how much slower live wallpapers are on iOS 17+ compared to iOS 16.

In theory, if this got fully finished, all of those problems except for the manual setup and minor lag could be fixed. I won't get into specifics here because they get very complicated very quickly, hence why I stopped development.

The manual setup issue might be fixable with further research on whether automatically creating different wallpapers is possible. In theory this could be done using the 'Change Wallpaper' action on your first wallpaper, which typically can't be changed. Since it can't be changed using Shortcuts, it'll fall back to creating a new wallpaper. I've managed to do this a couple of times but haven't figured out yet how to consistently replicate it.

Crash Any App - Shortcut

The Shortcut linked in the title may take a while to download, or even fail to, because of its large size.

There's a very easy and kind of funny way to crash any app, including Springboard, using memory overloading. Simply copy around 2,400,840 emojis (5 MB) to your clipboard, and paste them in any text box you can find. Note that this uses the same method as BrickIt.

Dynamic Epstein - Video

Ignoring the name, this is a method that takes advantage of the Dynamic Island operating on a different part of the CPU than the rest of the device to semi-permanently stop the process that runs actions. This can be triggered by using the Dynamic Island to stop a shortcut that's causing memory overloading (such as using the wallpaper switching exploit mentioned above).

This causes all actions to stop working, including things like the 'Nothing' action, and blocks of text. I haven't tried actions that come from external apps, though in theory they should work as normal because (I think) they use a different process. This exploit has a very low success rate, and will sometimes even persist after a respring. Every time this has worked for me it's been with one of the wallpapers you're switching between tied to a focus that triggers an automation.

Dark/Light Mode Transition Abuse - Shortcut

When switching between light and dark mode, previous frames are sampled and blended together to create a fade effect. This can be abused to make the entire screen unreadable and blurred by using a Shortcut to switch between light and dark mode really fast, while causing a bit of lag. My example Shortcut repeatedly toggles light/dark mode along with low power mode and do not disturb to cause lag. If it's too laggy for you, remove the toggle do not disturb action. This works best inside of stock iOS apps, but can also work in any app or Springboard if enough lag is created and you get a bit lucky. To stop this, either restart your phone, trigger a respring, or if possible use the Dynamic Island.

Respring Methods

I'm not gonna explain what a respring is here. Just know it's something mainly used for jailbreak related tools, however is also sometimes used in stock iOS either as a fallback for when something goes wrong, or to partially restart your phone. Resprings are generally hard to trigger, and being honest not very useful in stock iOS outside of showing that you confused iOS in some way. Below are different methods I've found to trigger a respring using shortcuts.

Memory overloading

Talked about this earlier here.

While this method does respring your device 100% of the time automatically, it comes at the cost of having your phone completely frozen for about 30 seconds.

Update: Using Crash Any App and pasting the text into the name of an app folder is an easier and more consistent way to trigger this.

Language switching

This isn't caused by Shortcuts but I thought I'd mention it anyway. In the settings app at General > Language & Region, by switching your preferred language to something else it will trigger a respring.

As far as I know this is the only time a respring is intended to be used by normal users. This is also likely the reason why changing the splash screen during resprings is possible, as switching languages will show the text "Setting Language" in the language you're trying to switch to instead of the typical loading icon. This is also likely the reason why it's possible to keep the device unlocked and open apps after a respring, as this sends you back to the Language & Region page in the settings app after the respring is finished.

Update: This can be done easier at Display & Brightness > Display Zoom > Larger Text > Done

"":x in Spotlight

Once again, not Shortcuts related, but typing "":x into Spotlight triggers a respring on older iOS versions. The letter x at the end can be replaced with anything and it will have the same effect. On newer versions, it either crashes Spotlight or does nothing. I didn't find this and originally heard about it from BrocoDev, although I don't think he's the person who found it.

Audiogram Abuse - Shortcut

This only works using either your phone speakers, AirPods, or Beats headphones.

Deep within the iOS settings app is an accessibility feature called 'Headphone Accommodations'. You may have seen this before in a guide on how to make AirPods volume louder than intended. Typically, after pressing custom audio setup you select an image of an audiogram chart generated after taking a hearing test. Then, any frequencies you can't hear as well will be boosted.

Instead, by picking any random image it will give you an error, along with the option to enter values manually. Now, you can choose any of the frequencies listed and the amount of decibels to boost their volume by - very similar to a traditional equalizer. The reason this is important is because it works system-wide, instead of specific apps having their own equalizer settings.

One problem is that the way decibels are calculated from audiograms (dB HL) is very different from the typical decibels (dB) you'd find on a normal EQ. There's not a direct conversion calculation, so finding what works for you will mostly be trial and error. I've made a shortcut called Equagram to assist with the conversions and the setup process, but it's getting old now and the conversions are pretty heavily skewed towards louder basses and lower mids.

Screentime Bypass - Shortcut

Screentime can be bypassed, for websites only, using .webloc files.

These files contain some generic .plist code along with a URL to any website, which can then be opened without being blocked by Screentime. These can be opened through the Files app, or if the Files app is blocked by Screentime, through the Quick Look action.
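An audit for the .webloc files described above, added here as an example (not code from this repository): it walks a folder, reads each file's plist in either XML or binary form, and flags URLs whose host is on a restricted list. `RESTRICTED_HOSTS` and the sample file names and URLs are constructed placeholders.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumed policy: hosts the Screen Time web filter is supposed to block.
RESTRICTED_HOSTS = {"blocked.example"}


def webloc_url(data):
    """Return the URL stored in a .webloc payload, or None if unreadable."""
    try:
        plist = plistlib.loads(data)  # auto-detects XML and binary plists
    except Exception:  # malformed plist of either format
        return None
    url = plist.get("URL") if isinstance(plist, dict) else None
    return url if isinstance(url, str) else None


def host_is_restricted(url, restricted=RESTRICTED_HOSTS):
    """True when the URL's host is a restricted host or one of its subdomains."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        return False
    return any(host == r or host.endswith("." + r) for r in restricted)


def audit_weblocs(root):
    """Return (file name, url, verdict) for every .webloc under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".webloc":
            continue
        url = webloc_url(path.read_bytes())
        if url is None:
            verdict = "unparseable"
        elif host_is_restricted(url):
            verdict = "restricted"
        else:
            verdict = "ok"
        findings.append((path.name, url, verdict))
    return findings


def demo():
    """Run the audit over constructed sample files in a temporary folder."""
    samples = {
        "a_xml.webloc": plistlib.dumps({"URL": "https://blocked.example/page"}),
        "b_binary.webloc": plistlib.dumps(
            {"URL": "https://www.blocked.example/"}, fmt=plistlib.FMT_BINARY),
        "c_allowed.webloc": plistlib.dumps({"URL": "https://allowed.example/"}),
        "d_broken.webloc": b"not a plist",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return audit_weblocs(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `audit_weblocs` at an exported iCloud Drive or device backup folder to see which saved links would sidestep the web filter.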

Note: If you have a computer and are more technical you can use Cowabunga Lite to supervise your device and something like https://github.com/lunginspector/Lithium to disable screen time entirely.

Send message action

The 'Send Message' action can be used to bypass communication limits.

URL Schemes

URL Schemes are ways to interact with apps using things such as https:// for websites, shortcuts:// to interact with the Shortcuts app, or itms-services:// to interact with iTunes. These are intended features, but can be used in some creative ways, especially using Shortcuts.

I didn't find any of these myself. Whatever is linked in the description is how I found them.

Settings app URL Scheme

Specific pages within the settings app can be opened automatically using the app's URL scheme. See this GitHub page for a massive, community-managed, organized list of every link to every available settings page.

X-Callback URL Erroring

I didn't find this and I'm not even gonna act like I understand how or why it works so just see this post

Run Shortcut Action

When setting the 'Run Shortcut' action to run the Shortcut you're currently editing, instead of setting it to run that Shortcut, it sets it internally to run whatever Shortcut it is placed in. Basically, this means if you copy that action and paste it into another Shortcut, instead of running what you originally set it to, it will be set to run the Shortcut you are currently editing no matter what. This includes pasting it into automations, revealing the internal name of whatever automation you're currently editing.

Steps to reproduce if you don't understand since I couldn't find a better way to explain that:

1. Create a new Shortcut named "A".
2. Add the 'Run Shortcut' action to this Shortcut.
3. Set the 'Run Shortcut' action you just made to run Shortcut "A".
4. Copy this action.
5. Paste this action into an automation.
6. This should now reveal the internal name of the automation, and running it will run the automation you created in a loop forever.

Note that this cannot be used to run automations automatically from Shortcuts, due to that kind of being a paradox. (Now do you see why this was hard for me to explain)

Check if device is locked - Shortcut

The 'Get Device Details' Action set to 'Screen Brightness' can be used to automatically detect if your phone is locked or not. If the output of the action is 0, then either the device is locked, or the screen brightness is set to 0.

As a workaround for the screen brightness being 0 saying that the device is locked, you can temporarily set the brightness to 0.03, then check the brightness again. If it still outputs 0 then the device is locked. If it outputs 0.05 then the device is not locked, and you can set the brightness back to 0.

Accessible Related

There's a Shortcut made by LungInspector called Accessible that utilizes an exploit within the Shortcuts app to gain read access to files you don't normally have access to. It can also be used to open any hidden iOS app. While Accessible is definitely a cool tool, being honest it's almost completely useless. Below are the things it can do.

Hidden Apps

Within iOS, there are many hidden apps that can't normally be accessed. Opening these apps by giving their full file path from root as a URL, and then opening them as a file allows you to open them anyway. Most of these hidden apps either crash on open or show a blank screen, but there are a few interesting ones.

The most useful hidden app I've seen is PreBoard.app, which on open locks your phone, shows a blank white screen with the apple logo, and waits until either FaceID or the password is given before continuing. It can in theory be used as a way to get a 'Check FaceID before continuing' action, but is pretty impractical. Here is a Shortcut to open PreBoard.app.

File Reading

The core feature of Accessible is reading files you don't normally have access to. However it's extremely limited, only giving access to /Applications, /Developer, /Private, and /System - All of which are almost completely useless.

Shortcuts Bug Fixes

The Shortcuts app itself has many bugs, but luckily due to the app's nature, a lot of them can be fixed using workarounds.

Articles Shortcut Input Fix - Example

The 'Articles' and 'Safari web pages' Shortcut inputs are completely broken. Instead, using the 'URLs' Shortcut input, followed by the actions 'Get Body from (Shortcut Input)', and 'Get text from (Details of Articles)' fixes this.

Rarely, the 'Get Details from Article' action will give some error about not having permissions, but putting a 'Comment' action before it sometimes fixes this.

Apple Watch Notes Fix

The 'Create Note' action is broken when run from the Apple Watch (Probably broken on only WatchOS 11+). Using the 'Append to Note' action instead is a good workaround. Pretty simple.

mzstatic.com links

The Shortcuts app displays links associated with isl.mzstatic.com/image differently than most links, as they're used for App Icons, among many other things. When trying to display these links (such as for the Stop and Output action, or for any Shortcuts output), it outputs an error instead of the link.

On the screen requesting for permissions (Ex. Do you want to allow 'New Shortcut' to append the following images to a note?), instead of asking to append a link, it will ask to append an image. However, the Shortcuts app only has problems displaying these links, not processing them. So, if you check the actual note, it will append the link as normal instead of inputting an image.

Shortcuts App Memory Leaks

The Shortcuts app itself has many memory leaks, causing it to run very very slow, and stutter constantly if left open for too long. Memory leaks I've been able to track down include: Searching for an action, editing automations, creating an automation on app open and viewing the list of every app installed, downloading a Shortcut from the Gallery, and possibly even backgrounding the app.

The only real way to fix this is to fully close and reopen the app, which isn't bad by any means but can get annoying considering how many triggers there are.

Time Between Dates Action is a Liberal Sissy

The 'Time Between Dates' Action requires dates to be formatted in a specific way and have specific metadata attached to them. Otherwise it will occasionally (around 0.5% of the time) throw an error saying that the provided date was invalid.

This was an absolute nightmare to track down especially because of how rarely it happens, so now I officially know my least favorite action is Time Between Dates. In fact I hate it so much I converted all times into seconds manually using a bunch of calculate actions as a workaround. Note that iirc you can use Shortcuts to add health data to a random unused category, and then I think determine the time between the dates of 2 health data points(?). I found this years ago so I don't remember too well and didn't think about it until about 5 minutes ago as of writing this.

Random

A bunch of other little things that don't deserve their own section.

Supervise Box/Lithium

Lithium is another Shortcut created by LungInspector that creates Mobile Device Management (MDM) profiles, allowing you to change settings you don't normally have access to (Such as disabling Screen Time). However, it requires device supervision, which requires a computer for initial setup. It's best used alongside Cowabunga Lite or Nugget.

Add to Homescreen - Shortcut

Normally when pressing share on a website, and then 'Add to Homescreen', it adds the website to your homescreen as a bookmark which opens Safari. Certain websites have a special tag that allows them to be run in fullscreen mode without opening Safari, however whenever the URL changes it opens in a weird Safari based windowed mode.

Embedding a website into another website with the fullscreen tag is a workaround to this limitation. https://kn0tzer.is-a.dev/add does this for you, and can be assisted through Shortcuts by using this.

Shortcuts App Doesn't Show in Automations

The Shortcuts app itself doesn't show as an option in the 'When (App) is opened or closed' automation. This is by design to try and make it so you can't lock yourself out of your own phone.

Disable Shortcuts Notifications

Some automations don't have the option to turn off 'Notify when run', clogging your lock screen with a bunch of useless Shortcuts notifications. A workaround for this is to enable Screen Time, select See all App & Website Activity, scroll to notifications and find Shortcuts in the list (if it's not already there use the 'Show notification' action to make it show up).

From there, you can disable notifications like any other app. Keep in mind this also breaks the 'Show notification' action. I found this from here, but who knows who found it first.

Clock Action Wakes Screen

When the device is locked, running the 'Open Tab' Clock action wakes the screen and shows your lockscreen. When unlocking your phone, it then shows the clock app. This happens because the Clock app is one of the few apps (Like the calculator app) that can be opened without unlocking your phone. Opening the app through the 'Open Tab' action confuses it, and doesn't show the Clock app itself until you leave your lockscreen. If run from an automation (including an automation that runs a Shortcut with this action), it will work as intended and show the Clock app above the lockscreen. This has only been tested by me on iOS 18.0.1.

I used this in a Shortcut called wake on song change. I worked around the automation limitation by immediately running the 'Lock Screen' action after.

Persist Shortcuts Through Respring

This may also persist through a full device restart

It’s possible to continue running a shortcut after a respring (or restart) by repeatedly triggering an automation that runs a Shortcut. For example, running a Shortcut that repeatedly toggles low power mode every 1 second, and then creating an automation that runs that same Shortcut every time low power mode is enabled or disabled will continue running after a respring (or restart). It will also continue running after you delete the Shortcut and automation. The only way I have found to consistently stop it is to delete the automation then restart your phone, or place the 'Stop This Shortcut' action inside of the automation. This has only been tested by me on iOS 18.0.1.

This can also give the error 'Could not run Set Low Power Mode - There was a problem with the app', or the error 'Could not acquire startup assertion' when trying to run an action during a respring, which otherwise wouldn't normally be possible.

Fastest Global Variables

While creating my Lockdown Mode shortcut which runs a very simple automation every time an app is opened, it was very important to make sure the global variable action I was using took as little time to run as possible. So, I tested many different apps and came to the conclusion that VBox was the fastest for setting global variables by far. As for reading global variables, VBox was tied in speed with Toolbox Pro. Using the files app is technically faster than VBox for setting global variables, however is significantly slower for reading them.

Magnifier Visual Intelligence - Shortcut

In the Magnifier app there's an option to use AI to describe anything shown in the camera in realtime. This is effectively the Visual Intelligence feature for devices that don't have it (Update: Visual Intelligence is 1% more useful than this as of 18.3 but still pretty much as useless as this). There's a Shortcut action that automatically opens this menu for you, despite on iOS 18+ it often being impossible to get to this through the magnifier app itself.

Only partially shortcut related, but still very interesting. A while ago, I installed an app from a Shortcut named BrickIt (recreation), which had an extremely long name (2,400,840 Emojis). This overloads iOS and freezes your phone until either you force reboot your device, or it resprings automatically after ~60 seconds. Every time you try to open or uninstall the app, or even see the app's name, it freezes your phone again. The only way to remove the app is to either factory reset your device and restore a backup, or to overwrite it using a signed app with the same bundle ID. If you don't know what app signing or bundle IDs are then I wouldn't recommend reading this next part.

When unsigned, the BrickIt app installs and shows an error message when opening it that contains the app's name, crashing iOS. Attempting to install another unsigned app over it with the same bundle ID does effectively nothing. The only way to overwrite the app is to install a signed app with the same bundle ID over it. However, this isn't as easy as it seems since most signing methods have PPQ Protection, adding a random string of characters to the end of the bundle ID before installing. I ended up fixing the problem by using a developer certificate and disabling PPQ Check protection using Feather. This could probably be fixed without a developer certificate though using any other sideloader other than SideStore, AltStore, or Sideloadly.
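A pre-install check for the oversized app name described above, added here as an example (not code from this repository or from any sideloading tool): it reads the Info.plist inside an IPA and reports name fields that are far longer than any legitimate app needs. It assumes the name is carried in `CFBundleDisplayName` or `CFBundleName`; both limits and the sample IPA are constructed for illustration.

```python
import io
import plistlib
import re
import zipfile

MAX_NAME_CHARS = 256              # assumed policy limit, not an iOS constant
MAX_INFO_PLIST_BYTES = 1_000_000  # assumed; real Info.plist files are a few KB
NAME_KEYS = ("CFBundleDisplayName", "CFBundleName")
INFO_PLIST = re.compile(r"^Payload/[^/]+\.app/Info\.plist$")


def check_ipa(ipa_bytes, limit=MAX_NAME_CHARS):
    """Return reasons to reject the IPA; an empty list means it passed."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as ipa:
        entries = [i for i in ipa.infolist() if INFO_PLIST.match(i.filename)]
        if len(entries) != 1:
            return ["expected exactly one Payload/*.app/Info.plist"]
        entry = entries[0]
        # Check the declared size first so a huge plist is never decompressed.
        if entry.file_size > MAX_INFO_PLIST_BYTES:
            return [f"Info.plist is {entry.file_size} bytes"]
        try:
            info = plistlib.loads(ipa.read(entry))
        except Exception:  # malformed XML or binary plist
            return ["Info.plist could not be parsed"]
    if not isinstance(info, dict):
        return ["Info.plist is not a dictionary"]
    problems = []
    for key in NAME_KEYS:
        value = info.get(key)
        if isinstance(value, str) and len(value) > limit:
            problems.append(f"{key} is {len(value)} characters")
    return problems


def make_ipa(display_name):
    """Build a constructed, non-installable IPA holding only an Info.plist."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps({
            "CFBundleIdentifier": "com.example.sample",
            "CFBundleName": "Sample",
            "CFBundleDisplayName": display_name,
        }))
    return buf.getvalue()


if __name__ == "__main__":
    print(check_ipa(make_ipa("Sample")))
    print(check_ipa(make_ipa("\U0001F600" * 5000)))
```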
