After the great feedback from yesterday’s tweet, here’s another useful illustration - this time explaining how Use-After-Free (UAF) vulnerabilities can be exploited to gain code execution!
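The tweet points at an illustration that is not reproduced here, so the following is an added example (mine, not the author's, and not taken from the cheat sheet) of the mechanism a UAF exploit relies on: a freed object that still has a live pointer to it, a function pointer inside that object, and an attacker-controlled allocation of the same size that reclaims the freed memory and overwrites that function pointer before the stale pointer is dispatched through. The toy slot allocator, `handler_t`, `legit_handler` and `attacker_target` are all constructed for the example; the allocator exists only so the chunk reuse is deterministic, since real heaps (and the iOS kernel's zone allocator) reuse freed memory in allocator-specific ways that an exploit has to model. `uaf_fixed` shows the habitual mitigation of clearing the pointer at free time so the dangling dispatch cannot happen.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Toy fixed-size allocator (constructed for this example). Freed slots go on a
 * LIFO free list, so the next allocation of the same size class gets the slot
 * that was just freed: this is the reuse behaviour a UAF exploit depends on. */
#define SLOT_SIZE  32
#define SLOT_COUNT 4
static void *slots[SLOT_COUNT][SLOT_SIZE / sizeof(void *)]; /* pointer-aligned */
static int freelist[SLOT_COUNT] = {3, 2, 1, 0};
static int freelist_top = SLOT_COUNT;

static void *toy_alloc(void) {
    if (freelist_top == 0) return NULL;
    return slots[freelist[--freelist_top]];
}
static void toy_free(void *p) {
    int idx = (int)(((uint8_t *)p - (uint8_t *)slots) / SLOT_SIZE);
    freelist[freelist_top++] = idx;           /* no zeroing, no quarantine */
}

/* Victim object: its first field is a function pointer, the "vtable-like" target
 * that gives the attacker control of the instruction pointer. */
typedef struct {
    void (*on_event)(const char *);
    char name[SLOT_SIZE - sizeof(void (*)(const char *))];
} handler_t;

static int last_called = 0;
static void legit_handler(const char *msg)  { (void)msg; last_called = 1; }
static void attacker_target(const char *msg){ (void)msg; last_called = 2; } /* stands in for shellcode / a ROP pivot gadget */

/* Vulnerable flow: object freed while a reference is still held, then reused. */
int uaf_demo(void) {
    last_called = 0;
    handler_t *h = toy_alloc();
    h->on_event = legit_handler;
    strcpy(h->name, "victim");
    h->on_event("first dispatch");           /* legitimate call, last_called = 1 */

    toy_free(h);                              /* BUG: h is still used afterwards */

    /* Attacker allocates the same size class; the LIFO free list hands back the
     * chunk h still points to. The controlled bytes overlap h->on_event. */
    uint8_t *spray = toy_alloc();
    void (*fp)(const char *) = attacker_target;
    memcpy(spray, &fp, sizeof fp);            /* fake the function pointer field */

    h->on_event("second dispatch");           /* dangling pointer -> attacker_target */
    return last_called;                       /* 2: control flow hijacked */
}

/* Same flow with the dangling pointer invalidated at free time. */
int uaf_fixed(void) {
    last_called = 0;
    handler_t *h = toy_alloc();
    h->on_event = legit_handler;
    h->on_event("first dispatch");

    toy_free(h);
    h = NULL;                                 /* the only reference is cleared */

    uint8_t *spray = toy_alloc();
    void (*fp)(const char *) = attacker_target;
    memcpy(spray, &fp, sizeof fp);            /* attacker still reclaims the chunk... */

    if (h != NULL) h->on_event("second dispatch"); /* ...but nothing dispatches through it */
    return last_called;                       /* 1: only the legitimate call ran */
}

int main(void) {
    printf("vulnerable: last_called=%d (2 = attacker_target)\n", uaf_demo());
    printf("fixed:      last_called=%d (1 = legit_handler only)\n", uaf_fixed());
    return 0;
}
```

In the vulnerable path the attacker never writes outside any allocation; the corruption comes purely from two live views of one chunk. On a real target the reclaim step is a heap spray or grooming of the relevant size class, and the hijacked pointer is pointed at a stack-pivot gadget or shellcode rather than a benign function.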
Recently I’ve been building an iOS kernel tracing tool, to notify when a specific function is called in the kernel & print arguments/return val. New blog post soon!
Just published a blog post talking about some iOS kernel framebuffer research I’ve been looking at over the last couple weeks. Have a read if you’re interested :)
Recently my mum was diagnosed with breast cancer for the second time. My brother Rory and his friend are running a half marathon to raise money for cancer research. If anyone here is able to donate, it would be greatly appreciated. Thank you 🙏
Haven't done one of these in a while, but today I created this short written tutorial on 'Reversing ARM Binaries' for beginner reverse engineers! Check it out here if you're interested
Early prototype of a possible ‘Learn ARM Assembly’ iOS app I was working on last week :-) Currently only supports simplified version of MOV, LDR & STR instructions (and has a bad UI), but if enough people are interested I’d consider improving it!
You can now Pre-Order ‘Beginner’s Guide to Exploitation on ARM’ Volume II at First batch arrives next Wednesday, so first 100 will ship on Thursday 13th! 📖
As already mentioned by multiple other devs, stay away from this jailbreak - it’s a clone of an older version of Electra. It could also potentially contain malware or damage your OS
Apple giving out pre-jailbroken research iPhones to security researchers starting next year, and will pay up to $1M for zero click remote chain with persistence 📱
Out of curiosity for how debuggers work, I began writing my own bare-bones ARM&ARM64 debugger for iOS. At the moment it has basic functionality, including attaching to processes, viewing register state, and reading and writing to memory!
Made another cheat sheet - this one illustrates how exploits can make use of a stack pivot to execute a large ROP chain/payload
#infosec #ExploitDev #ARM
I’m in the early stages of writing Volume II of BGEA - this book will follow on from Volume I, introducing more advanced exploit techniques & also covering some ARM64 stuff 📗
Progress! Successfully exploited CVE-2016-4655 to leak data from the kernel stack & calculate the KASLR slide :) time to look at the CVE-2016-4656 UAF next
UPDATE: You can now verbose boot your own iPhone X on iOS 13.1.1 or 13.1.2!
#checkm8
My jailbreak will not make any permanent changes to your device, so it is 100% safe to try. Download the latest ipwndfu, enter DFU Mode, and run:
./ipwndfu -p --boot
First batch of Volume II books have arrived! Pre-orders will begin to ship today & tomorrow. You can now order both books with 1-2 working day dispatch at
In the new year I plan to create a video/series on “how to develop your first jailbreak” using the Pegasus vulnerabilities as a starting point. The ‘ZygoBre4k’ app in the quoted tweet is an example of what we’ll be making in the series
Live kernel debugging on a virtualised iOS 12.0! Having the ability to do this sort of thing with whichever iPhone/version you want is gonna greatly assist developers & researchers with future iOS kernel security research
If you're interested in bootstrapping iOS kernel security research keep a research-only device on iOS 11.3.1 for more tfp0. Release probably next week. Oh, and the 11.1.2 KDP-compatible kernel debugger really is coming soon!
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices.
Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
Stocked up on books for the year ahead! As of 2018, as well as accepting payments through I’ll also be accepting BTC as a payment method!
#HappyNewYear
Anyone had any luck running checkm8 on iPhone 7/7 Plus? A11 and A7 devices seem to be the most likely to succeed in my experience. Haven’t had a single successful try yet with A10
Just published a tool I wrote a couple months back to pull C++ object names from kernel memory. Bit hacky, but works & is useful if you're someone who spends a lot of time looking at kernel memory dumps.
Wasn’t tempted enough by the new iPhones this year, coming from an iPhone X. Maybe 2021. The new features added in each yearly refresh seem to be becoming less and less significant.
Quite possibly the most significant iOS tool/exploit to be released since 2010. Or since ever, considering the amount & range of different devices vulnerable. Changes the game. Great job @axi0mX
Been studying the Pangu9 IOHIDResource kernel bug this past week and have been learning a lot more about IOKit as an attack surface. Very interesting stuff!
Having a play around with the cool set of iOS app security exercises in DVIA-V2! Great app for learning about various vulnerabilities in mobile applications
HACKED! Verbose booting iPhone X looks pretty cool. Starting in DFU Mode, it took 2 seconds to jailbreak it with checkm8, and then I made it automatically boot from NAND with patches for verbose boot. Latest iOS 13.1.1, and no need to upload any images. Thanks @qwertyoruiopz
Using @CorelliumHQ for the first time! So far so good - the virtual devices are very responsive and quick & easy to set up! Lots of fun to be had with this :D
Bit of a fiddly setup process, but managed to get Theos to work and compile apps on-device in iOS 11.3. Since it’s a highly requested topic and there are some small changes to the process since iOS 10, I’ll likely have a video out on this tomorrow
Having my first shot at AI/Machine learning stuff - right now this is just a basic hard-coded obstacle avoidance AI, but I will hopefully be able to add a basic neural network to this so that it’ll become smarter!
The first ARM64 versions of my exploit-me challenges will be available soon on the Github repo. 'ROP64_1' will be a 64-bit version of the 32-bit ROPLevel4 (involving exploiting a stack buffer overflow w/ASLR bypass)
#infosec #exploitdev