iOS Hacking Resources

Basics

Official references:

• ARMv8 Instruction Set Overview (short, kinda outdated at this point)
• ARMv8 Architecture Reference Manual (long)
• ARM A-Profile Exploration tools (same as above, but in machine readable form)
• ARM System Architecture Software Standards (ABIs, extensions, etc.)
• Clang Pointer Authentication ABI

My own doing:

• arm64 assembly crash course

Internals

Mach-O

• m4b - Mach-O binaries
• Jonathan Levin - DYLD DetaYLeD
• Jonathan Levin - Code Signing

Sandbox

• Jonathan Levin - The Apple Sandbox (Video and Slides)
• iBSparkes - Breaking Entitlements
• stek29 - Shenanigans, Shenanigans!
• argp - vs com.apple.security.sandbox

IPC

• Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
• nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
• Ian Beer - Apple IPC (Video and Slides)

File Systems

• Apple - APFS Reference
• stek29 - LightweightVolumeManager::_mapForIO
• bxl1989 - Understanding and Attacking Apple File System

Kernel

• Apple - Kernel Programming Guide
• Apple - IOKit Fundamentals (available as Website or PDF)
• Apple - About the Virtual Memory System
• qwertyoruiopz - Attacking XNU (Part One and Two)
• Stefan Esser - Kernel Heap
• stek29 - NVRAM lock/unlock

Kernel Integrity

• xerub - Tick Tock
• Siguza - KTRR
• Jonathan Levin - Casa de PPL
• Brandon Azad - KTRW: The journey to build a debuggable iPhone (Blog Post and Video)

Control Flow Integrity

• Brandon Azad - Examining Pointer Authentication on the iPhone XS
• Qualcomm Product Security - Pointer Authentication on ARMv8.3
• Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
• Roberto Avanzi - Crypto that is Light to Accept
• Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher

Other Mitigations

• Siguza - APRR
• Siguza - PAN
• Sven Peter - SPRR & GXF

Web

• Samuel Groß & Amy Burnett - Attacking JavaScript Engines in 2022 (Video and Slides)

Remote Targets

• Natalie Silvanovich - The Fully Remote Attack Surface of the iPhone

Persistence

• littlelailo - Tales of old: untethering iOS 11 (Video and Basic Rundown)

Hardware

• Ramtin Amin - Lightning Connector
• Ramtin Amin - NVMe NAND Storage
• Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)
• Nyan Satan - Apple Lightning

SEP

• Tarjei Mandt, Mathew Solnik, David Wang - Demystifying the Secure Enclave Processor
• David Wang, Chris Wade - SEPOS: A Guided Tour
• windknown - Attack Secure Boot of SEP

Bootloader

• a1exdandy - Technical analysis of the checkm8 exploit
• Jonathan Levin - *OS: iBoot

Memory Safety

• Saar Amar - An Armful of CHERIs
• Saar Amar - Security Analysis of MTE Through Examples (Video and Slides)
• Saar Amar - Firebloom (Introduction, Type descriptors)

Write-Ups

• geohot - evasi0n7
• Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
• Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
• Jonathan Levin - Who needs task_for_pid anyway?
• qwertyoruiopz - About the “tpwn” Local Privilege Escalation
• Ian Beer - task_t considered harmful
• jndok - Exploiting Pegasus on OS X
• Siguza - Exploiting Pegasus on iOS
• Ian Beer - mach_portal (write-up and presentation slides)
• Ian Beer - Exception-oriented exploitation on iOS
• Jonathan Levin - Phœnix
• Gal Beniamini - Over The Air (Parts One, Two and Three)
• Siguza - v0rtex
• Ian Beer - async_wake_ios
• Siguza - IOHIDeous
• Jonathan Levin - QiLin (PDF and API)
• Brandon Azad - A fun XNU infoleak
• jeffball - Heap overflow in necp_client_action
• xerub - De Rebus Antiquis
• Ian Beer - multi_path
• Brandon Azad - blanket
• Brandon Azad - voucher_swap
• iBSparkes - MachSwap
• Ian Beer - Splitting atoms in XNU
• Natalie Silvanovich - The Many Possibilities of CVE-2019-8646
• Google Project Zero - A very deep dive into iOS Exploit chains found in the wild
  • Ian Beer - Parts One, Two, Three, Four, Five and Implant Teardown
  • Samuel Groß - JSC Exploits
• Ned Williamson - SockPuppet
• Samuel Groß - Remote iPhone Exploitation (Parts One, Two and Three)
• Siguza - cuck00
• Justin Sherman - used_sock
• Samuel Groß - Fuzzing ImageIO
• Siguza - Psychic Paper
• Brandon Azad - One Byte to rule them all
• Brandon Azad - The core of Apple is PPL: Breaking the XNU kernel's kernel
• Ian Beer - An iOS zero-click radio proximity exploit odyssey
• Alex Plaskett - Apple macOS 6LowPAN Vulnerability
• Luca Moro - Analysis and exploitation of the iOS kernel vulnerability CVE-2021-1782
• Alex Plaskett - XNU Kernel Memory Disclosure
• Jack Dates - Exploitation of a JavaScriptCore WebAssembly Vulnerability
• Mickey Jin - CVMServer Vulnerability in macOS and iOS
• K³ - Writing an iOS Kernel Exploit from Scratch
• CodeColorist - Mistuned Part 1: Client-side XSS to Calculator and More
• CodeColorist - Mistuned Part 2: Butterfly Effect
• Justin Sherman - CVE-2021-30656 kernel info leak
• Samuel Groß - Attacking JavaScript Engines
• Samuel Groß - Compile Your Own Type Confusions
• Adam Donenfeld - (De)coding an iOS Kernel Vulnerability
• xerub - The Bear in the Arena
• Linus Henze - Fugu14
• Justin Sherman - Popping iOS <=14.7 with IOMFB
• Ian Beer & Samuel Groß - A deep dive into an NSO zero-click iMessage exploit
• Ian Beer & Samuel Groß - FORCEDENTRY: Sandbox Escape
• Ian Beer - CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability
• Ian Beer - CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers
• Ivan Fratric - DER Entitlements: The (Brief) Return of the Psychic Paper

Other Lists

• qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
• Google Project Zero - All the bugs Ian Beer has killed
• Google Project Zero - All Apple bugs
• Google Project Zero - A survey of recent iOS kernel exploits

Community

"Hack Different" is a Discord server about hacking, reverse engineering and development loosely on and around Apple platforms.
It has a relaxed atmosphere and is a great place to hang out and connect with fellow researchers and enthusiasts.