The code snippets and conceptual analysis presented in this document are based on iOS 16.2.
The bug was disclosed and patched after Pwn2Own 2024 and was assigned CVE-2024-27834. Details of the patch can be found in the WebKit repository.
arm64eabi
WHW0x455
/ bypass_pac_in_jit_public.md
Last active
February 12, 2026 23:41
Bypass PAC in JIT - CVE-2024-27834
hde-moff
/ aria2c_dl.sh
Created
January 30, 2026 14:15
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| set -eu | |
| # Mirror IP addresses for updates.cdn-apple.com | |
| MIRRORS=" | |
| 17.253.53.35 | |
| 17.253.53.203 | |
| 17.253.53.202 | |
| 37.143.84.100 | |
| 37.143.84.113 |
justtryingthingsout
/ acce-h17g-core-sysregs.json
Last active
October 16, 2025 11:23
System Registers for the M5 efficiency core, complete with field names (bitranges are inclusive on both ends)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "name": "DSPSR", | |
| "enc": [3, 3, 4, 5, 0], | |
| "minel": 0, | |
| "width": 32, | |
| "fields": [ | |
| { | |
| "name": "N", | |
| "lsb": 31, |
justtryingthingsout
/ accp-h17g-core-sysregs.json
Last active
October 19, 2025 04:47
System Registers for the M5 performance core, complete with field names (bitranges are inclusive on both ends)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [ | |
| { | |
| "name": "DSPSR", | |
| "enc": [3, 3, 4, 5, 0], | |
| "minel": 0, | |
| "width": 32, | |
| "fields": [ | |
| { | |
| "name": "N", | |
| "lsb": 31, |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // ViewController.m | |
| // JBDetectTest | |
| // | |
| // Created by seo on 3/27/25. | |
| // | |
| #import "ViewController.h" | |
| #import <dlfcn.h> |
JJTech0130
/ debugger_jit_improved.m
Last active
October 30, 2025 09:09
Improved method of using a debugger for JIT on iOS... Uses split rx/rw regions, and works on iOS 18.4b1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #import <Foundation/Foundation.h> | |
| #import <mach/mach.h> | |
| #import <stdio.h> | |
| #import <stdlib.h> | |
| #import <string.h> | |
| #include <libkern/OSCacheControl.h> | |
| const int REGION_SIZE = 0x4000*1; | |
| void write_instructions(void* page) |
justtryingthingsout
/ l2c_sts.txt
Last active
June 2, 2025 08:05
Graphics AGX L2C Error Status (0x206140008 in Operation Triangulation)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The `chkdatecc` field was set during Operation Triangulation. | |
| 0x206140008: | |
| b[63]: rsvd_63 Reserved | |
| b[62]: cfgerren Enable error register locking and asynchronous reporting when CfgErrESV is set. | |
| b[61]: chksnphit Deprecated | |
| (If set, check that snoops hit in L2C tag, and if they miss, log an error. | |
| If clear, trust the way info from AF and do not read the tags for snoops.) |
justtryingthingsout
/ l2cramcfg.txt
Last active
June 1, 2025 22:03
Graphics AGX L2C RAM Configuration (0x206140108 in Operation Triangulation)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| The `ready` and `enablesize` fields were set during Operation Triangulation. | |
| 0x206140108: | |
| b[63]: ready RAM available for use | |
| b[62:30]: rsvd_62_30 Reserved | |
| b[29:24]: regionbase Base region within LLC (starting way). | |
| Base address does not change. | |
| (EnableSize+RegionBase) must be less than or equal to (RegionNum+1) and | |
| EnableSize must be less than or equal to RegionNum. | |
| b[23:22]: rsvd_23_22 Reserved |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // pplrw.m | |
| // kfd | |
| // | |
| // Created by Lars Fröder on 29.12.23. | |
| // | |
| #import <Foundation/Foundation.h> | |
| #import <dlfcn.h> | |
| #import <mach-o/dyld.h> |
NewerOlder