Tinyik/ios-resources

Useful resources for iOS hacking

iOS Hacking Resources

Basics

Official references:

• ARM64 instruction set reference (short)
• ARMv8 Architecture Reference Manual (long)

My own doing:

• arm64 assembly crash course

Internals

Mach-O

• Jonathan Levin - DYLD DetaYLeD
• Jonathan Levin - Code Signing

Sandbox

• Jonathan Levin - The Apple Sandbox (Video and Slides)

IPC

• Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
• nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
• Ian Beer - Apple IPC (Video and Slides)

Kernel

• Apple - Kernel Programming Guide
• Apple - IOKit Fundamentals
• Apple - About the Virtual Memory System
• qwertyoruiopz - Attacking XNU (Part One and Two)
• Stefan Esser - Kernel Heap (I hope I don't get sued)

KPP

• xerub - Tick Tock

Hardware

• Ramtin Amin - Lightning Connector
• Ramtin Amin - NVMe NAND Storage
• Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)

Write-Ups

• geohot - evasi0n7
• Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
• Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
• Jonathan Levin - Who needs task_for_pid anyway?
• qwertyoruiopz - About the “tpwn” Local Privilege Escalation
• Ian Beer - task_t considered harmful
• jndok - Exploiting Pegasus on OS X
• Siguza - Exploiting Pegasus on iOS
• Ian Beer - mach_portal (write-up and presentation slides)
• Ian Beer - Exception-oriented exploitation on iOS
• Jonathan Levin - Phœnix
• Gal Beniamini - Over The Air (Parts One, Two and Three)
• Siguza - v0rtex
• Ian Beer - async_wake_ios

Other Lists

• qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
• Ian Beer - All the bugs he has killed