pappanunny/ios-resources

Useful resources for iOS hacking

iOS Hacking Resources

Basics

Official references:

• ARMv8 Instruction Set Overview (short, kinda outdated at this point)
• ARMv8 Architecture Reference Manual (long)
• ARM A-Profile Exploration tools (same as above, but in machine readable form)
• ARM System Architecture Software Standards (ABIs, extensions, etc.)
• Clang Pointer Authentication ABI

My own doing:

• arm64 assembly crash course

Note on ARM documents:

Both infocenter.arm.com and developer.arm.com are outright nightmares to navigate, and search engines don't help either. But if you have any ARM document as a PDF and want to check for a newer version, there is a neat trick. At the bottom of any page of the PDF, you should have a document identifier like so:

That should have the form ARM XXX ddddX.x. Take the three letters and following four digits (in this case, DDI0406) and construct an URL like so:
https://developer.arm.com/docs/XXXdddd/latest
(In this case, https://developer.arm.com/docs/DDI0406/latest.)

Internals

Mach-O

• Jonathan Levin - DYLD DetaYLeD
• Jonathan Levin - Code Signing

Sandbox

• Jonathan Levin - The Apple Sandbox (Video and Slides)
• iBSparkes - Breaking Entitlements
• stek29 - Shenanigans, Shenanigans!
• argp - vs com.apple.security.sandbox

IPC

• Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
• nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
• Ian Beer - Apple IPC (Video and Slides)

File Systems

• Apple - APFS Reference
• stek29 - LightweightVolumeManager::_mapForIO
• bxl1989 - Understanding and Attacking Apple File System

Kernel

• Apple - Kernel Programming Guide
• Apple - IOKit Fundamentals (available as Website or PDF)
• Apple - About the Virtual Memory System
• qwertyoruiopz - Attacking XNU (Part One and Two)
• Stefan Esser - Kernel Heap
• stek29 - NVRAM lock/unlock

Kernel Integrity

• xerub - Tick Tock
• Siguza - KTRR
• Jonathan Levin - Casa de PPL
• Brandon Azad - KTRW: The journey to build a debuggable iPhone (Blog Post and Video)

Control Flow Integrity

• Brandon Azad - Examining Pointer Authentication on the iPhone XS
• Qualcomm Product Security - Pointer Authentication on ARMv8.3
• Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
• Roberto Avanzi - Crypto that is Light to Accept
• Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher

Other Mitigations

• Siguza - APRR
• Siguza - PAN

Remote Targets

• Natalie Silvanovich - The Fully Remote Attack Surface of the iPhone

Persistence

• littlelailo - Tales of old: untethering iOS 11 (Video and Basic Rundown)

Hardware

• Ramtin Amin - Lightning Connector
• Ramtin Amin - NVMe NAND Storage
• Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)
• Nyan Satan - Apple Lightning

SEP

• Tarjei Mandt, Mathew Solnik, David Wang - Demystifying the Secure Enclave Processor
• David Wang, Chris Wade - SEPOS: A Guided Tour
• windknown - Attack Secure Boot of SEP

Bootloader

• a1exdandy - Technical analysis of the checkm8 exploit
• Jonathan Levin - *OS: iBoot

Write-Ups

• geohot - evasi0n7
• Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
• Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
• Jonathan Levin - Who needs task_for_pid anyway?
• qwertyoruiopz - About the “tpwn” Local Privilege Escalation
• Ian Beer - task_t considered harmful
• jndok - Exploiting Pegasus on OS X
• Siguza - Exploiting Pegasus on iOS
• Ian Beer - mach_portal (write-up and presentation slides)
• Ian Beer - Exception-oriented exploitation on iOS
• Jonathan Levin - Phœnix
• Gal Beniamini - Over The Air (Parts One, Two and Three)
• Siguza - v0rtex
• Ian Beer - async_wake_ios
• Siguza - IOHIDeous
• Jonathan Levin - QiLin (PDF and API)
• Brandon Azad - A fun XNU infoleak
• jeffball - Heap overflow in necp_client_action
• xerub - De Rebus Antiquis
• Ian Beer - multi_path
• Brandon Azad - blanket
• Brandon Azad - voucher_swap
• iBSparkes - MachSwap
• Ian Beer - Splitting atoms in XNU
• Natalie Silvanovich - The Many Possibilities of CVE-2019-8646
• Google Project Zero - A very deep dive into iOS Exploit chains found in the wild
  • Ian Beer - Parts One, Two, Three, Four, Five and Implant Teardown
  • Samuel Groß - JSC Exploits
• Ned Williamson - SockPuppet
• Samuel Groß - Remote iPhone Exploitation (Parts One, Two and Three)
• Siguza - cuck00
• jsherma100 - used_sock
• Samuel Groß - Fuzzing ImageIO
• Siguza - Psychic Paper
• Brandon Azad - One Byte to rule them all
• Brandon Azad - The core of Apple is PPL: Breaking the XNU kernel's kernel

Other Lists

• qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
• Google Project Zero - All the bugs Ian Beer has killed
• Google Project Zero - All the bugs Brandon Azad has killed
• Google Project Zero - All the bugs Ned Williamson has killed
• Google Project Zero - A survey of recent iOS kernel exploits