cynder 0cyn
@zhuowei
zhuowei / reachable_services.txt
Created February 21, 2023 06:26
Reachable Mach services from the app sandbox on iOS 16.1
PurpleSystemAppPort
PurpleSystemEventPort
UIASTNotificationCenter
com.apple.ABDatabaseDoctor
com.apple.AppSSO.service-xpc
com.apple.AuthenticationServicesCore.AuthenticationServicesAgent
com.apple.CARenderServer
com.apple.ClipServices.clipserviced
com.apple.CoreAuthentication.daemon
com.apple.DeviceAccess.xpc
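One way to produce a list like the one above, as an added example that is not part of zhuowei's gist (the gist does not say how it was generated): from inside the sandboxed process, call bootstrap_look_up on each candidate name and record which ones come back with a send right, since the sandbox's mach-lookup rules are enforced inside that call. On Apple platforms the block uses the real Mach call; on any other host it falls back to fake_lookup, a constructed allow-list that stands in for a sandbox profile so the probe loop still runs. The candidate names are a few from the list plus one constructed name; the allow-list and the constructed name are assumptions, not iOS 16.1 results.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef __APPLE__
#include <mach/mach.h>
#include <servers/bootstrap.h>
#endif

/* Status a denied or unknown lookup reports (BOOTSTRAP_UNKNOWN_SERVICE). */
#define SERVICE_UNKNOWN 1102

/* Outcome of probing one service name. */
typedef struct {
    const char *name;
    int status;      /* 0 on success, otherwise the lookup's error code */
    int reachable;   /* 1 when launchd handed back a send right */
} probe_result_t;

/* A lookup returns 0 and stores a port name in *port when the caller may
   talk to the service; any other value means the name is not reachable. */
typedef int (*lookup_fn_t)(const char *name, unsigned int *port);

#ifdef __APPLE__
/* Real probe (Apple platforms only): ask launchd for a send right. The
   sandbox profile is consulted inside this call, which is why a sandboxed
   process only sees the services its profile allows. */
int mach_lookup(const char *name, unsigned int *port) {
    mach_port_t p = MACH_PORT_NULL;
    kern_return_t kr = bootstrap_look_up(bootstrap_port, name, &p);
    if (kr != KERN_SUCCESS)
        return (int)kr;
    *port = p;
    /* We only wanted to know whether the lookup succeeds; drop the right. */
    mach_port_deallocate(mach_task_self(), p);
    return 0;
}
#endif

/* Constructed allow-list standing in for a sandbox profile so the probe
   logic can run on any host; these are not the real iOS 16.1 results. */
static const char *const FAKE_ALLOWED[] = {
    "com.apple.CARenderServer",
    "com.apple.DeviceAccess.xpc",
};

int fake_lookup(const char *name, unsigned int *port) {
    for (size_t i = 0; i < sizeof FAKE_ALLOWED / sizeof FAKE_ALLOWED[0]; i++) {
        if (strcmp(FAKE_ALLOWED[i], name) == 0) {
            *port = 0x1234;    /* arbitrary non-null port name */
            return 0;
        }
    }
    return SERVICE_UNKNOWN;
}

/* Probe every name with the given lookup, fill results[], and return the
   number of reachable services. */
size_t probe_services(const char *const *names, size_t n,
                      lookup_fn_t lookup, probe_result_t *results) {
    size_t reachable = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned int port = 0;
        int st = lookup(names[i], &port);
        results[i].name = names[i];
        results[i].status = st;
        results[i].reachable = (st == 0);
        if (st == 0)
            reachable++;
    }
    return reachable;
}

/* Candidates: three names from the list above plus one constructed name
   ("com.example.not-a-service") that is expected to fail. */
const char *const DEMO_NAMES[] = {
    "com.apple.CARenderServer",
    "com.apple.CoreAuthentication.daemon",
    "com.example.not-a-service",
    "com.apple.DeviceAccess.xpc",
};
#define DEMO_COUNT (sizeof DEMO_NAMES / sizeof DEMO_NAMES[0])

int main(void) {
#ifdef __APPLE__
    lookup_fn_t lookup = mach_lookup;
#else
    lookup_fn_t lookup = fake_lookup;
#endif
    probe_result_t results[DEMO_COUNT];
    size_t n = probe_services(DEMO_NAMES, DEMO_COUNT, lookup, results);
    for (size_t i = 0; i < DEMO_COUNT; i++)
        printf("%-45s %s (%d)\n", results[i].name,
               results[i].reachable ? "reachable" : "denied", results[i].status);
    printf("%zu of %zu reachable\n", n, (size_t)DEMO_COUNT);
    return 0;
}
```

To reproduce the gist's list for real, build this into an app, run it on the device with the full set of candidate names, and keep the entries whose status is 0; the denied names are the ones the app sandbox profile blocks.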
#include <stdio.h>
#include <stdint.h>
/* Compile-time parser for binary literals written as strings, e.g. "1011_0110":
   the macros scan the literal from the right and skip every character that is
   not '0' or '1', so separators can be placed anywhere. */
#define IS_DIG(x) (((x)|1)=='1')                    /* x is '0' or '1' */
#define SLEN(s) ((sizeof s)-1)                      /* length of a string literal */
#define RIDX(s,x) ((x)<SLEN(s)?s[SLEN(s)-1-(x)]:0)  /* x-th char from the right, 0 past the start */
#define CNT(s,x,n) ((x)<n?IS_DIG(RIDX(s,(x))):0)    /* 1 if position x (below n) holds a digit */
#define CNT4(s,x,n) (CNT(s,x+0,n)+CNT(s,x+1,n)+CNT(s,x+2,n)+CNT(s,x+3,n))
#define CNT16(s,x,n) (CNT4(s,x+0,n)+CNT4(s,x+4,n)+CNT4(s,x+8,n)+CNT4(s,x+12,n))
#define CNT64(s,x,n) (CNT16(s,x+0,n)+CNT16(s,x+16,n)+CNT16(s,x+32,n)+CNT16(s,x+48,n)) /* digits among the n rightmost chars */
/* Bit at position x, shifted left by the number of digits to its right. The
   cast to uint64_t keeps the shift defined for literals with more than 31 digits. */
#define VAL(s,x) ((uint64_t)(RIDX(s,x)=='1')<<(CNT64(s,0,x)))
#define VAL4(s,x) (VAL(s,x+0)+VAL(s,x+1)+VAL(s,x+2)+VAL(s,x+3))
/* The preview ends at VAL4; VAL16, VAL64 and the entry point continue the same
   pattern (the entry point's name, BIN, is a placeholder, not the gist's). */
#define VAL16(s,x) (VAL4(s,x+0)+VAL4(s,x+4)+VAL4(s,x+8)+VAL4(s,x+12))
#define VAL64(s,x) (VAL16(s,x+0)+VAL16(s,x+16)+VAL16(s,x+32)+VAL16(s,x+48))
#define BIN(s) VAL64(s,0)                           /* e.g. BIN("1011_0110") == 0xB6 */
@osy
osy / JBX-0001.md
Created May 19, 2022 04:49
Secure jailbreak infrastructure

Secure jailbreak infrastructure

  • Proposal: JBX-0001
  • Authors: osy
  • Status: draft

Introduction

The ecosystem of iOS [jailbreaks][1] has remained largely unchanged since iOS 1.0 even though the system internals of iOS have undergone several evolutions, enhancing security and enabling new features. iOS jailbreaks traditionally involve neutering a significant portion of the OS's security in order to enable unsigned code execution ("apps") and system modifications ("tweaks"). This allows [malware][2] to target jailbroken users and misbehaving apps to corrupt data.

@dlevi309
dlevi309 / libproc.h
Last active March 10, 2022 07:39 — forked from bazad/vmmap.c
A simple vmmap implementation for macOS.
#ifndef _LIBPROC_H_
#define _LIBPROC_H_
#include <stdbool.h>
#include <stdint.h>
#include <sys/cdefs.h>
#include <sys/mount.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <sys/stat.h>
@saagarjha
saagarjha / 2022WinterSeed.txt
Created December 17, 2021 13:58
19D5026g/19K5527e/19S5525f
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44494/03F7854E-907A-40F8-B339-E61CF30F192D/iPhone14,5_15.3_19D5026g_Restore.ipsw
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44635/54B0513B-EC2D-426B-961D-8E3266957FCB/iPhone14,2_15.3_19D5026g_Restore.ipsw
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44518/3F901A9B-1D42-4FA2-9FF3-8A76DD0F5D1D/iPhone14,3_15.3_19D5026g_Restore.ipsw
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44567/8F331E94-220A-467B-B184-5F775319B55E/iPhone14,4_15.3_19D5026g_Restore.ipsw
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44658/EE36DA05-8A9D-4336-B200-E929040EB68D/iPhone13,2,iPhone13,3_15.3_19D5026g_Restore.ipsw
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44740/B3BE35AE-0259-4EFF-A0FE-9773D1FACA35/iPhone13,4_15.3_19D5026g_Restore.ipsw
https://updates.cdn-apple.com/2022WinterSeed/fullrestores/002-44924/2AF69685-63D3-4391-A10C-0089ABF9C7D6/iPhone13,1_15.3_19D5026g_Restore.ipsw
https://upda
@littlelailo
littlelailo / apollo.txt
Created September 27, 2019 12:04
Apple Bootrom Bug
This bug was also called moonshine in the beginning
Basically the following bug is present in all bootroms I have looked at:
1. When usb is started to get an image over dfu, dfu registers an interface to handle all the commands and allocates a buffer for input and output
2. if you send data to dfu the setup packet is handled by the main code which then calls out to the interface code
3. the interface code verifies that wLength is shorter than the input output buffer length and if that's the case it updates a pointer passed as an argument with a pointer to the input output buffer
4. it then returns wLength which is the length it wants to receive into the buffer
5. the usb main code then updates a global var with the length and gets ready to receive the data packages
6. if a data package is received it gets written to the input output buffer via the pointer which was passed as an argument and another global variable is used to keep track of how many bytes were received already
7. if all the data was received th
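The DFU receive path described in steps 1 to 6, modelled in C as an added example (this is neither littlelailo's code nor the bootrom's): one static I/O buffer owned by the DFU interface, an interface handler that checks wLength against that buffer and hands back its pointer, and USB main code that keeps the pointer, the accepted length and the received count in globals across data packets. The buffer size, the refuse-on-oversize behaviour, the handling of a packet that would overrun the accepted length, and the function names are all assumptions; the writeup is cut off at step 7 in this preview and the model stops there too.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed size of the DFU input/output buffer; the writeup does not give it. */
#define DFU_IO_BUFFER_SIZE 0x800

/* Minimal USB control setup packet (only wLength matters here). */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

/* Step 1: the DFU interface allocates one buffer for command input and output. */
static uint8_t dfu_io_buffer[DFU_IO_BUFFER_SIZE];

/* Steps 5 and 6: state the USB main code keeps in globals across packets. */
static uint8_t *usb_data_ptr;          /* where incoming data packets are written */
static uint32_t usb_expected_len;      /* wLength accepted for the current transfer */
static uint32_t usb_received_len;      /* bytes received so far */

/* Steps 3 and 4: the interface handler. If wLength fits the I/O buffer it
   points *out_buf at the buffer and returns wLength; otherwise it refuses. */
int dfu_handle_setup(const usb_setup_t *setup, uint8_t **out_buf) {
    if (setup->wLength > sizeof dfu_io_buffer)
        return -1;
    *out_buf = dfu_io_buffer;
    return setup->wLength;
}

/* Steps 2 and 5: the USB main code hands the setup packet to the interface,
   then records the returned length and the buffer pointer in its globals. */
int usb_handle_setup(const usb_setup_t *setup) {
    uint8_t *buf = NULL;
    int len = dfu_handle_setup(setup, &buf);
    if (len < 0)
        return -1;                     /* refused: nothing will be received */
    usb_data_ptr = buf;
    usb_expected_len = (uint32_t)len;
    usb_received_len = 0;
    return 0;
}

/* Step 6: copy one data packet into the buffer through the stored pointer and
   advance the received counter. Returns 1 once the full wLength has arrived,
   0 while more is expected, -1 if the packet would overrun the accepted
   length (an assumption: the writeup does not say how that case is treated). */
int usb_handle_data(const uint8_t *pkt, uint32_t n) {
    if (usb_data_ptr == NULL || usb_received_len + n > usb_expected_len)
        return -1;
    memcpy(usb_data_ptr + usb_received_len, pkt, n);
    usb_received_len += n;
    return usb_received_len == usb_expected_len;
}

/* Accessors so the globals can be inspected from outside. */
uint32_t usb_received_bytes(void) { return usb_received_len; }
const uint8_t *dfu_buffer_contents(void) { return dfu_io_buffer; }

int main(void) {
    /* Constructed exchange: one oversized request (refused), then a 64-byte
       transfer delivered as two 32-byte data packets. */
    usb_setup_t too_big = { 0x21, 1, 0, 0, 0x1000 };
    usb_setup_t ok      = { 0x21, 1, 0, 0, 64 };
    uint8_t pkt[64];
    memset(pkt, 0x41, sizeof pkt);

    printf("oversized setup: %d\n", usb_handle_setup(&too_big));
    printf("64-byte setup:   %d\n", usb_handle_setup(&ok));
    printf("packet 1: %d\n", usb_handle_data(pkt, 32));
    printf("packet 2: %d (received %u bytes)\n", usb_handle_data(pkt + 32, 32),
           usb_received_bytes());
    return 0;
}
```

The point to take from the model is the split the writeup describes: the bound check lives in the interface handler, but the pointer, the accepted length and the running count live in the USB main code's globals and outlive the setup packet that populated them.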
struct IOExternalMethodArguments
{
uint32_t version;
uint32_t selector;
uint64_t asyncWakePort;
uint64_t asyncReference;
uint32_t asyncReferenceCount;
const uint64_t *scalarInput;
uint32_t scalarInputCount;
const void *structureInput;
@DerekSelander
DerekSelander / dsresign
Last active April 16, 2023 02:26
Resign iOS .app directories, expects app dir, provisioning profile, [optional] new name for iOS app
#!/bin/bash
# MIT License
#
# Copyright (c) 2018 Derek Selander (@LOLgrep)
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
@Siguza
Siguza / dsc_syms.c
Last active February 20, 2022 02:19
dyld_shared_cache symbols to r2 flags
// Moved here: https://github.com/Siguza/misc/blob/master/dsc_syms.c