Posts
I downloaded all 1,680,399 posts on Bluesky
I downloaded all the posts on Bluesky as of 2023-05-01. Then I did some data analysis on the 1,680,399 posts from 45,457 accounts.
Get root on macOS 13.0.1 with CVE-2022-46689, the macOS Dirty Cow bug
Get root on macOS 13.0.1 with CVE-2022-46689 (macOS equivalent of the Dirty Cow bug), using the testcase extracted from Apple’s XNU source.
Get root on macOS 12.3.1: proof-of-concepts for Linus Henze's CoreTrust and DriverKit bugs (CVE-2022-26766, CVE-2022-26763)
Here are two proof-of-concepts for CVE-2022-26766 (CoreTrust allows any root certificate) and CVE-2022-26763 (IOPCIDevice::_MemoryAccess not checking bounds at all), two issues discovered by @LinusHenze and patched in macOS 12.4 / iOS 15.5.
Hardware-accelerated virtual machines on jailbroken iPhone 12 / iOS 14.1
I unlocked Hypervisor.framework on my jailbroken phone and modified UTM, a popular QEMU port for iOS, to run arm64 Linux in a VM at full native speed. …for the clickbait - and to show iPhone’s untapped potential.
VoLTE/VoWiFi research with $0 of equipment: set up a phone network over Wi-Fi calling
You don’t need expensive equipment for VoLTE/VoWiFi research! Learn how VoLTE/VoWiFi works by setting up your own Wi-Fi calling server with free software.
Learning VoWifi, VoLTE, and IMS: because I'm too Millennial to make a phone call
I’m learning how VoWifi/VoLTE works by trying three experiments:
Datamining Facebook's Novi wallet
I tested Facebook’s new Novi digital wallet and found evidence for upcoming features, such as a debit card to access Novi balance, third-party linking with QR codes, and a way to buy Bitcoin directly from the app.
Jailbroken iOS can't run macOS apps. I spent a week to find out why.
I ran command line macOS tools, such as Bash and Geekbench, on a jailbroken iPhone by replacing iOS’s dyld shared cache (all of iOS’s code) with macOS’s. However, graphical apps will never work: macOS’s WindowServer won’t start, since iOS’s drivers are too different.
Disable Same Origin Policy in iOS WKWebView with private API
Safari’s Web Inspector has an option (Develop -> Disable Cross Origin Restrictions) to disable the same-origin policy for debugging. This allows, for example, the fetch API to load any page, not limited to the same domain or CORS-enabled domains.
Examining CVE-2020-27932 on macOS 10.15.7
macOS 11.0/iOS 14.2/iOS 12.4.9 fixed an issue where host_request_notification doesn’t check port->ip_specialreply, causing it to overwrite ip_sync_inheritor_port. This can be used to reboot the system with a zone check error, but I can’t figure out what else this can do.
Booting a macOS Apple Silicon kernel in QEMU
I booted the arm64e kernel of macOS 11.0.1 beta 1 in QEMU up to launchd. It’s completely useless, but may be interesting if you’re wondering how an Apple Silicon Mac will boot.
Build macOS ARM apps in Xcode without a real macOS ARM SDK
Here’s a script that modifies Xcode’s macOS SDK to build for ARM. You can use this to find code that won’t compile on ARM, to get a head start on porting before Apple releases Xcode for an ARM Mac.
I tricked m3.euagendas.org, the Twitter analysis website, with adversarial inputs
I tricked m3.euagendas.org, the viral third-party Twitter account analysis website, into thinking I’m 40 years old: it only took 78 lines of code to generate an adversarial input against its neural network, using Foolbox, PyTorch, and Python.
Rendering SwiftUI views to HTML
I built a proof-of-concept tool to render SwiftUI to HTML. While I’m not intending to turn it into a full UI framework, I still learned plenty along the way: I learned how to use Swift’s generics, why declarative UI frameworks use a shadow graph, and how Swift’s design is an evolution of C++’s philosophy.
Use GPU passthrough with Intel integrated graphics to accelerate QEMU on Fedora
UPDATE 2020-09: This no longer works for Intel Broadwell integrated GPUs as of Linux 5.4.
Crash Chrome 70 with the SQLite Magellan bug
This proof-of-concept crashes the Chrome renderer process using Tencent Blade Team's Magellan SQLite3 bug. It's based on a SQLite test case from the commit that fixed the bug.
Learn how iOS devices sync over USB by enabling usbmuxd's debug logs
To learn how iTunes and Xcode sync with iPhones, I enabled a hidden option in macOS’s usbmuxd daemon that logs how applications communicate with iOS devices over USB.
How a kids' novel inspired me to simulate a gene drive on 86 million genealogy profiles
I read a novel where the rules for inheriting witchcraft resembles the real-world gene drive, so I developed a simulation and queried 86 million genealogy profiles to see how witchcraft would spread in real life.
Comparing Qualcomm's XBL UEFI bootloaders on Snapdragon 820, 835, and 845
I compared UEFI bootloaders from Google Pixel XL, 2XL, 3XL, and Lenovo Miix 630 to show how Qualcomm used the flexibility of UEFI to support Android and Windows.
It's impossible to port Animoji to iPad Air
… not because of the TrueDepth camera, but because its GPU and CPU aren’t powerful enough to track faces.
Tutorial - emulate AIX 7.2 in QEMU
QEMU 3.0.0 can boot IBM’s AIX to a shell prompt. AIX is IBM’s version of Unix for their Power Systems line of PowerPC servers. I’ve been researching emulation, so I wrote a tutorial for running AIX on your computer.
Compile Metal shader Bitcode to x86 and ARM assembly
Here’s how I reverse engineered Apple’s metallib archive format to extract the LLVM Bitcode for compiled Metal shaders. I proved that normal LLVM can read the Bitcode and compile it to x86-64 and ARM64 assembly.
Create Memoji on iPad with Swift Playgrounds
I made a Swift Playground for iOS 12 that opens the Memoji editor on iPad. Along the way, I learned to swizzle Obj-C methods in Swift and to use a library with no documentation.
Changing macOS's uptime with a kernel extension
“up 74007 days, 22:31”? Yeah, seems legit: I booted my computer 200 years ago on December 10th, 1815. Actually, I wrote a kernel extension to change the output of the uptime command on macOS, to learn the basics of kernel module programming.
Tutorial - emulate an iOS kernel in QEMU up to launchd and userspace
I got launchd and recoveryd to start on an emulated iPhone running iOS 12 beta 4’s kernel using a modified QEMU. Here’s what I learned, and how you can try this yourself.
Almost booting an iOS kernel in QEMU
I tried to boot an iOS 12 kernelcache in QEMU: I managed to get as far as IOKit startup before receiving a kernel panic. I learned a lot about how iOS boots up with this project.
Fixing macOS native tabs for Visual Studio Code
I helped track down the misbehaving macOS compatibility patch that broke native tabs support in VS Code. I also learned to avoid introducing new bugs in bugfixes.
Extracting libraries from dyld_shared_cache
I learned to extract working shared libraries from macOS’s dyld shared cache, and learned a bit about Mach-O executables, Objective-C, and problem solving along the way.
Port an iOS app to macOS 10.14 in 5 minutes
Here’s how to port your iOS apps to macOS 10.14 Beta using Apple’s iOSMac/Marzipan framework. A “Hello World” iOS app can become a macOS app in less than 5 minutes. (I timed it.)
iOS Simulator's secret trick to enable case sensitivity
Macs are case insensitive, but the iOS Simulator uses a hidden option in macOS’s kernel to enable case sensitivity, to match real iOS devices. This option can also be set with macOS’s taskpolicy tool, so you can launch any macOS process with case sensitivity enabled.
Fixing two small bugs in Visual Studio Code
VSCode is my favorite editor, and I wanted to contribute back to this open source project that helped me so much. Thus, I learned to build and debug VSCode to triage and fix two bugs from their bug tracker.
These 299 macOS apps are so buggy, Apple had to fix them in AppKit
What do Photoshop, Matlab, Panic Transmit, and Eclipse have in common? They are among the 299 apps for which macOS applies compatibility fixes.
Accessing screenshots from Android's Recent Apps screen
I learned to call Android’s hidden ActivityManager APIs from the ADB command line to access the screenshots of Recent Apps, so I can build a custom app switcher.