Posts

• May 6, 2023

  I downloaded all 1,680,399 posts on Bluesky

  I downloaded all the posts on Bluesky as of 2023-05-01. Then I did some data analysis on the 1680399 posts from 45457 accounts.

• Dec 17, 2022

  Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug

  Get root on macOS 13.0.1 with CVE-2022-46689 (macOS equivalent of the Dirty Cow bug), using the testcase extracted from Apple’s XNU source.

• Jul 2, 2022

  Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763)

  Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.

• Jun 6, 2022

  Hardware-accelerated virtual machines on jailbroken iPhone 12 / iOS 14.1

  I unlocked Hypervisor.framework on my jailbroken phone and modified UTM, a popular QEMU port for iOS, to run arm64 Linux in a VM at full native speed. …for the clickbait - and to show iPhone’s untapped potential.

• Jan 8, 2022

  VoLTE/VoWiFi research with $0 of equipment: set up a phone network over Wi-Fi calling

  You don’t need expensive equipment for VoLTE/VoWiFi research! Learn how VoLTE/VoWiFi works by setting up your own Wi-Fi calling server with free software.

• Dec 8, 2021

  Learning VoWifi, VoLTE, and IMS: because I'm too Millennial to make a phone call

  I’m learning how VoWifi/VoLTE works by trying three experiments:

• Nov 23, 2021

  Datamining Facebook's Novi wallet

  I tested Facebook’s new Novi digital wallet and found evidence for upcoming features, such as a debit card to access Novi balance, third-party linking with QR codes, and a way to buy Bitcoin directly from the app.

• Jun 7, 2021

  Jailbroken iOS can't run macOS apps. I spent a week to find out why.

  I ran command line macOS tools, such as Bash and Geekbench, on a jailbroken iPhone by replacing iOS’s dyld shared cache (all of iOS’s code) with macOS’s. However, graphical apps will never work: macOS’s WindowServer won’t start, since iOS’s drivers are too different.

• Dec 31, 2020

  Disable Same Origin Policy in iOS WKWebView with private API

  Safari’s Web Inspector has an option (Develop -> Disable Cross Origin Restrictions) to disable the same-origin policy for debugging. This allows, for example, the fetch API to load any page, not limited to the same domain or CORS-enabled domains.

• Dec 26, 2020

  Examining CVE-2020-27932 on macOS 10.15.7

  macOS 11.0/iOS 14.2/iOS 12.4.9 fixed an issue where host_request_notification doesn’t check port->ip_specialreply, causing it to overwrite ip_sync_inheritor_port. This can be used to reboot the system with a zone check error, but I can’t figure out what else this can do.

• Nov 9, 2020

  Booting a macOS Apple Silicon kernel in QEMU

  I booted the arm64e kernel of macOS 11.0.1 beta 1 kernel in QEMU up to launchd. It’s completely useless, but may be interesting if you’re wondering how an Apple Silicon Mac will boot.

• Jun 12, 2020

  Build macOS ARM apps in Xcode without a real macOS ARM SDK

  Here’s a script that modifies Xcode’s macOS SDK to build for ARM. You can use this to find code that won’t compile on ARM, to get a head start on porting before Apple releases Xcode for an ARM Mac.

• Jul 7, 2019

  I tricked m3.euagendas.org, the Twitter analysis website, with adversarial inputs

  I tricked m3.euagendas.org, the viral third-party Twitter account analysis website, into thinking I’m 40 years old: it only took 78 lines of code to generate an adversarial input against its neural network, using Foolbox, PyTorch, and Python.

• Jun 15, 2019

  Rendering SwiftUI views to HTML

  I built a proof-of-concept tool to render SwiftUI to HTML. While I’m not intending to turn it into a full UI framework, I still learned plenty along the way: I learned how to use Swift’s generics, why declarative UI frmeworks use a shadow graph, and how Swift’s design is an evolution of C++’s philosophy.

• Feb 12, 2019

  Use GPU passthrough with Intel integrated graphics to accelerate QEMU on Fedora

  UPDATE 2020-09: This no longer works for Intel Broadwell integrated GPUs as of Linux 5.4.

• Dec 14, 2018

  Crash Chrome 70 with the SQLite Magellan bug

  This proof-of-concept crashes the Chrome renderer process using Tencent Blade Team's Magellan SQLite3 bug. It's based on a SQLite test case from the commit that fixed the bug.

• Nov 25, 2018

  Learn how iOS devices sync over USB by enabling usbmuxd's debug logs

  To learn how iTunes and Xcode sync with iPhones, I enabled a hidden option in macOS’s usbmuxd daemon that logs how applications communicate with iOS devices over USB.

• Nov 10, 2018

  How a kids' novel inspired me to simulate a gene drive on 86 million genealogy profiles

  I read a novel where the rules for inheriting witchcraft resembles the real-world gene drive, so I developed a simulation and queried 86 million genealogy profiles to see how witchcraft would spread in real life.

• Oct 30, 2018

  Comparing Qualcomm's XBL UEFI bootloaders on Snapdragon 820, 835, and 845

  I compared UEFI bootloaders from Google Pixel XL, 2XL, 3XL, and Lenovo Miix 630 to show how Qualcomm used the flexibility of UEFI to support Android and Windows.

• Oct 25, 2018

  It's impossible to port Animoji to iPad Air

  … not because of the TrueDepth camera, but because its GPU and CPU aren’t powerful enough to track faces.

• Sep 6, 2018

  Tutorial - emulate AIX 7.2 in QEMU

  QEMU 3.0.0 can boot IBM’s AIX to a shell prompt. AIX is IBM’s version of Unix for their Power Systems line of PowerPC servers. I’ve been researching emulation, so I wrote a tutorial for running AIX on your computer.

• Aug 25, 2018

  Compile Metal shader Bitcode to x86 and ARM assembly

  Here’s how I reverse engineered Apple’s metallib archive format to extract the LLVM Bitcode for compiled Metal shaders. I proved that normal LLVM can read the Bitcode and compile it to x86-64 and ARM64 assembly.

• Aug 11, 2018

  Create Memoji on iPad with Swift Playgrounds

  I made a Swift Playground for iOS 12 that opens the Memoji editor on iPad. Along the way, I learned to swizzle Obj-C methods in Swift and to use a library with no documentation.

• Jul 28, 2018

  Changing macOS's uptime with a kernel extension

  “up 74007 days, 22:31”? Yeah, seems legit: I booted my computer 200 years ago on December 10th, 1815. Actually, I wrote a kernel extension to change the output of the uptime command on macOS, to learn the basics of kernel module programming.

• Jul 22, 2018

  Tutorial - emulate an iOS kernel in QEMU up to launchd and userspace

  I got launchd and recoveryd to start on an emulated iPhone running iOS 12 beta 4’s kernel using a modified QEMU. Here’s what I learned, and how you can try this yourself.

• Jul 15, 2018

  Almost booting an iOS kernel in QEMU

  I tried to boot an iOS 12 kernelcache in QEMU: I managed to get as far as IOKit startup before receiving a kernel panic. I learned a lot about how iOS boots up with this project.

• Jun 28, 2018

  Fixing macOS native tabs for Visual Studio Code

  I helped track down the misbehaving macOS compatibility patch that broke native tabs support in VS Code. I also learned to avoid introducing new bugs in bugfixes.

• Jun 24, 2018

  Extracting libraries from dyld_shared_cache

  I learned to extract working shared libraries from macOS’s dyld shared cache, and learned a bit about Mach-O executables, Objective-C, and problem solving along the way.

• Jun 6, 2018

  Port an iOS app to macOS 10.14 in 5 minutes

  Here’s how to port your iOS apps to macOS 10.14 Beta using Apple’s iOSMac/Marzipan framework. A “Hello World” iOS app can become a macOS app in less than 5 minutes. (I timed it.).

• Jun 1, 2018

  iOS Simulator's secret trick to enable case sensitivity

  Macs are case insensitive, but the iOS Simulator uses a hidden option in macOS’s kernel to enable case sensitivity, to match real iOS devices. This option can also be set with macOS’s taskpolicy tool, so you can launch any macOS process with case sensitivity enabled.

• May 24, 2018

  Fixing two small bugs in Visual Studio Code

  VSCode is my favorite editor, and I wanted to contribute back to this open source project that helped me so much. Thus, I learned to build and debug VSCode to triage and fix two bugs from their bug tracker.

• May 17, 2018

  These 299 macOS apps are so buggy, Apple had to fix them in AppKit

  What do Photoshop, Matlab, Panic Transmit, and Eclipse have in common? They are among the 299 apps for which macOS applies compatibillity fixes.

• May 10, 2018

  Accessing screenshots from Android's Recent Apps screen

  I learned to call Android’s hidden ActivityManager APIs from the ADB command line to access the screenshots of Recent Apps, so I can build a custom app switcher.

subscribe via RSS