SecondDog/ios-resources

Useful resources for iOS hacking

iOS Hacking Resources

Basics

Official references:

• ARMv8 Instruction Set Overview (short, kinda outdated at this point)
• ARMv8 Architecture Reference Manual (long)
• ARM A-Profile Exploration tools (same as above, but in machine readable form)
• ARM System Architecture Software Standards (ABIs, extensions, etc.)

My own doing:

• arm64 assembly crash course

Internals

Mach-O

• Jonathan Levin - DYLD DetaYLeD
• Jonathan Levin - Code Signing

Sandbox

• Jonathan Levin - The Apple Sandbox (Video and Slides)

IPC

• Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
• nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
• Ian Beer - Apple IPC (Video and Slides)

File Systems

• Apple - APFS Reference

Kernel

• Apple - Kernel Programming Guide
• Apple - IOKit Fundamentals (available as Website or PDF)
• Apple - About the Virtual Memory System
• qwertyoruiopz - Attacking XNU (Part One and Two)
• Stefan Esser - Kernel Heap (I hope I don't get sued)

Kernel Integrity

• xerub - Tick Tock
• Siguza - KTRR

Control Flow Integrity

• Brandon Azad - Examining Pointer Authentication on the iPhone XS
• Qualcomm Product Security - Pointer Authentication on ARMv8.3
• Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
• Roberto Avanzi - Crypto that is Light to Accept
• Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher

Hardware

• Ramtin Amin - Lightning Connector
• Ramtin Amin - NVMe NAND Storage
• Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)

Write-Ups

• geohot - evasi0n7
• Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
• Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
• Jonathan Levin - Who needs task_for_pid anyway?
• qwertyoruiopz - About the “tpwn” Local Privilege Escalation
• Ian Beer - task_t considered harmful
• jndok - Exploiting Pegasus on OS X
• Siguza - Exploiting Pegasus on iOS
• Ian Beer - mach_portal (write-up and presentation slides)
• Ian Beer - Exception-oriented exploitation on iOS
• Jonathan Levin - Phœnix
• Gal Beniamini - Over The Air (Parts One, Two and Three)
• Siguza - v0rtex
• Ian Beer - async_wake_ios
• Siguza - IOHIDeous
• Jonathan Levin - QiLin (PDF and API)
• Brandon Azad - A fun XNU infoleak
• jeffball - Heap overflow in necp_client_action
• xerub - De Rebus Antiquis
• Ian Beer - multi_path
• Brandon Azad - blanket

Other Lists

• qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
• Google Project Zero - All the bugs Ian Beer has killed