iOS Hacking Resources
Basics
Official references:
- ARMv8 Instruction Set Overview (short, kinda outdated at this point)
- ARMv8 Architecture Reference Manual (long)
- ARM A-Profile Exploration tools (same as above, but in machine readable form)
- ARM System Architecture Software Standards (ABIs, extensions, etc.)
- Clang Pointer Authentication ABI
My own doing:
Tip: Both infocenter.arm.com and developer.arm.com are outright nightmares to navigate, and search engines don't help either. But if you have any ARM document as a PDF and want to check for a newer version, there is a neat trick. At the bottom of any page of the PDF, you should have a document identifier of the form `ARM XXX ddddX.x` (for example `ARM DDI 0406C.c`). Take the three letters and the following four digits, convert them to lower case (in this case `ddi0406`) and construct a URL like so:

https://developer.arm.com/docs/XXXdddd/latest

(in this case https://developer.arm.com/docs/ddi0406/latest)
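The identifier-to-URL trick above, as an added example (not part of the original list): a small Python helper that pulls the `ARM XXX dddd` part out of footer text with a regular expression, tolerates the optional revision letter and `.x` issue suffix, and builds the `latest` URL. The sample footer lines are constructed for the example, and the function names are my own.

```python
import re
from typing import Optional

# Matches an ARM document identifier as printed in PDF footers, e.g.
# "ARM DDI 0406C.c" or "ARM IHI 0055B": "ARM", three letters, four digits,
# then an optional revision letter and an optional ".x" issue suffix.
_ARM_DOC_ID = re.compile(r"\bARM\s+([A-Z]{3})\s*(\d{4})(?:[A-Z](?:\.[a-z])?)?\b")


def arm_doc_id(footer_text: str) -> Optional[str]:
    """Return the lower-case 'xxxdddd' identifier found in footer_text, or None."""
    m = _ARM_DOC_ID.search(footer_text)
    if m is None:
        return None
    # Revision letter and issue suffix are dropped on purpose: the URL is
    # built from the three letters and four digits only.
    return (m.group(1) + m.group(2)).lower()


def arm_latest_url(footer_text: str) -> Optional[str]:
    """Build the developer.arm.com 'latest' URL for the document named in footer_text."""
    doc_id = arm_doc_id(footer_text)
    if doc_id is None:
        return None
    return f"https://developer.arm.com/docs/{doc_id}/latest"


# Constructed sample footer lines (assumed, not taken from a real PDF).
SAMPLE_FOOTERS = [
    "ARM DDI 0406C.c  Copyright 1996-2014 ARM. All rights reserved.",
    "Page A1-32  ARM IHI 0055B",
    "Non-Confidential  ARM DEN 0024A",
    "No identifier on this page",
]


def resolve_all(footers=SAMPLE_FOOTERS) -> dict:
    """Map each footer line to its 'latest' URL (None where no identifier is present)."""
    return {line: arm_latest_url(line) for line in footers}


if __name__ == "__main__":
    for line, url in resolve_all().items():
        print(f"{line!r} -> {url}")
```

To use it on an actual manual, extract the footer text first (for example with `pdftotext` from poppler-utils) and pass a line containing the identifier to `arm_latest_url`; the resulting URL redirects to the newest issue of that document.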
Internals
Mach-O
- m4b - Mach-O binaries
- Jonathan Levin - DYLD DetaYLeD <!-- Aug 2013 -->
- Jonathan Levin - Code Signing <!-- April 2015 -->
Sandbox
- Jonathan Levin - The Apple Sandbox (Video and Slides) <!-- Sep 2016 -->
- iBSparkes - Breaking Entitlements <!-- Apr 2018 -->
- stek29 - Shenanigans, Shenanigans! <!-- Dec 2018 -->
- argp - vs com.apple.security.sandbox <!-- March 2019 -->
IPC
- Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
- nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate) <!-- 2006 -->
- Ian Beer - Apple IPC (Video and Slides) <!-- May 2015 -->
File Systems
- Apple - APFS Reference
- stek29 - LightweightVolumeManager::_mapForIO <!-- Jan 2018 -->
- bxl1989 - Understanding and Attacking Apple File System <!-- Jan 2019 -->
Kernel
- Apple - Kernel Programming Guide
- Apple - IOKit Fundamentals
- Apple - About the Virtual Memory System
- qwertyoruiopz - Attacking XNU (Part One and Two) <!-- July 2015 -->
- Stefan Esser - Kernel Heap <!-- Aug 2016 -->
- stek29 - NVRAM lock/unlock <!-- Jun 2018 -->
Kernel Integrity
- xerub - Tick Tock
- Siguza - KTRR
- Jonathan Levin - Casa de PPL
- Brandon Azad - KTRW: The journey to build a debuggable iPhone (Blog Post and Video)
Control Flow Integrity
- Brandon Azad - Examining Pointer Authentication on the iPhone XS
- Qualcomm Product Security - Pointer Authentication on ARMv8.3
- Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
- Roberto Avanzi - Crypto that is Light to Accept
- Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher
Hardware Mitigations
- Siguza - APRR
- Siguza - PAN
- Sven Peter - SPRR & GXF
- VoidiStaff - JITCage
Software Mitigations
- blacktop - Anatomy of Lockdown Mode
- Csaba Fitzl - Launch and Environment Constraints Deep Dive
Web
Remote Targets
- Natalie Silvanovich - The Fully Remote Attack Surface of the iPhone
Hardware
- Ramtin Amin - Lightning Connector
- Ramtin Amin - NVMe NAND Storage
- Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)
- Nyan Satan - Apple Lightning
SEP
- Tarjei Mandt, Mathew Solnik, David Wang - Demystifying the Secure Enclave Processor
- David Wang, Chris Wade - SEPOS: A Guided Tour
Bootloader
- Jonathan Levin - iBoot
Memory Safety
- Saar Amar - An Armful of CHERIs
- Saar Amar - Security Analysis of MTE Through Examples (Video and Slides)
- Saar Amar - Firebloom (Introduction, Type descriptors)
Write-Ups
- geohot - evasi0n7
- Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
- Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
- Jonathan Levin - Who needs task_for_pid anyway?
- qwertyoruiopz - About the “tpwn” Local Privilege Escalation
- Ian Beer - task_t considered harmful
- jndok - Exploiting Pegasus on OS X
- Siguza - Exploiting Pegasus on iOS
- Ian Beer - mach_portal (write-up and presentation slides)
- Ian Beer - Exception-oriented exploitation on iOS
- Jonathan Levin - Phœnix
- Gal Beniamini - Over The Air (Parts One, Two and Three)
- Siguza - v0rtex
- Ian Beer - async_wake_ios
- Siguza - IOHIDeous
- Jonathan Levin - QiLin (PDF and API)
- Brandon Azad - A fun XNU infoleak
- jeffball - Heap overflow in necp_client_action
- xerub - De Rebus Antiquis
- Ian Beer - multi_path
- Brandon Azad - blanket
- Brandon Azad - voucher_swap
- iBSparkes - MachSwap
- Ian Beer - Splitting atoms in XNU
- Natalie Silvanovich - The Many Possibilities of CVE-2019-8646
- Google Project Zero - A very deep dive into iOS Exploit chains found in the wild
- Ian Beer - Parts One, Two, Three, Four, Five and Implant Teardown
- Samuel Groß - JSC Exploits
- a1exdandy - Technical analysis of the checkm8 exploit
- Ned Williamson - SockPuppet
- littlelailo - Tales of old: untethering iOS 11 (Video and Basic Rundown)
- Samuel Groß - Remote iPhone Exploitation (Parts One, Two and Three)
- Siguza - cuck00
- Justin Sherman - used_sock
- Samuel Groß - Fuzzing ImageIO
- Siguza - Psychic Paper
- Brandon Azad - One Byte to rule them all
- Brandon Azad - The core of Apple is PPL: Breaking the XNU kernel's kernel
- windknown - Attack Secure Boot of SEP
- Ian Beer - An iOS zero-click radio proximity exploit odyssey
- Alex Plaskett - Apple macOS 6LowPAN Vulnerability
- Luca Moro - Analysis and exploitation of the iOS kernel vulnerability CVE-2021-1782
- Alex Plaskett - XNU Kernel Memory Disclosure
- Jack Dates - Exploitation of a JavaScriptCore WebAssembly Vulnerability
- Mickey Jin - CVMServer Vulnerability in macOS and iOS
- K³ - Writing an iOS Kernel Exploit from Scratch
- CodeColorist - Mistuned Part 1: Client-side XSS to Calculator and More
- CodeColorist - Mistuned Part 2: Butterfly Effect
- Justin Sherman - CVE-2021-30656 kernel info leak
- Samuel Groß - Attacking JavaScript Engines
- Samuel Groß - Compile Your Own Type Confusions
- Adam Donenfeld - (De)coding an iOS Kernel Vulnerability
- xerub - The Bear in the Arena
- Linus Henze - Fugu14
- Justin Sherman - Popping iOS <=14.7 with IOMFB
- Ian Beer & Samuel Groß - A deep dive into an NSO zero-click iMessage exploit
- Ian Beer & Samuel Groß - FORCEDENTRY: Sandbox Escape
- Ian Beer - CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability
- Ian Beer - CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers
- Ivan Fratric - DER Entitlements: The (Brief) Return of the Psychic Paper
- Félix Poulin-Bélanger - kfd
- Asahi Lina - AGX Exploit
- Gergely Kalman - librarian - a macOS TCC bypass in Music and TV
- Ian Beer - An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
- DFSEC - That's FAR-out, Man
- Mickey Jin - xpcroleaccountd Root Privilege Escalation
Other Lists
- qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
- Google Project Zero - All the bugs Ian Beer has killed
- Google Project Zero - All Apple bugs
- Google Project Zero - A survey of recent iOS kernel exploits
Community
"Hack Different" is a Discord server about hacking, reverse engineering and development loosely on and around Apple platforms.
It has a relaxed atmosphere and is a great place to hang out and connect with fellow researchers and enthusiasts.