SecElf cyOS Jailbreak was a pwn challenge at Cybears CTF at BSides Canberra 2019.

The Problem:
The goal of the challenge was to develop a PoC “jailbreak” for the fictional cyOS. Given to players was a collection of files, which included the OS’s ELF loader, both source and compiled. A web service existed for players to upload their binaries, and hope for success. A sample binary was provided, which would successfully run when sent to the web service. A public key and a code signing Python script were also provided.

The Auditing: I opened the loader code and studied it…

AppleIDAuthAgent is a service that exists on iOS that appears to handle actions regarding a user’s Apple ID, including iCloud information linked to that account. It runs an XPC service known as, which could be accessed by any application.

When looking around how the service was handling incoming XPC messages, I noticed that there were some log messages left behind. One of them was “DoGetMyInfo”, and was occurring when the command was 0x130. When I sent a message with that as part of the message.

What I got back was very interesting. The components that were easy to spot…

About 4 weeks ago, Hacker1 held their h1702ctf as a qualifier for the main h1702 event in Las Vegas later this month. The theme of this CTF was mobile applications, specifically applications on iOS and Android. I managed to be the 6th person to complete all the challenges. I managed to be invited to the actual event as a finalist, but am unfortunately unable to go.

As a bit of background of my experience, I mainly specialise in iOS and have barely touched on Android before.

Contents: iOS 1, iOS 2, iOS 3, iOS 4, iOS 5, iOS 6 Android…

I was wandering on GitHub one day when I saw this project called Electrino which happened to be rising up in the trending page. I decided to take a quick look at it, and discovered it was a project that aimed to use native web browser frameworks, rather than bundling a framework within the application (i.e. Electron). I thought “Hey this would be cool to do some stuff with”, and proceeded to submit a PR on adding a basic feature.

I then thought that creating separate “module” files for each module would decrease app size as developers could pick and…

webinspectord is the service in charge of all operations related to the use of the ‘Web Inspector’ on iOS. It runs an XPC service known as

Note: All of the info I mention below is from webinspectord on iOS 10.2 IPSW. From what I’ve seen, 10.3+ has moved most of the stuff in this service to WebInspector.framework.

I originally found this vulnerability as a DoS. Here’s what I found:

Messages sent are usually created with _CFXPCCreateXPCMessageWithCFObject and when received, are decoded with _CFXPCCreateCFObjectFromXPCMessage. The issue within webinspectord is that it presumes that some keys will have a value of…

Note: This article at the beginning is more for beginners. I discuss more about XPC further down the article.

And so the long journey begins. For you and for me.

In summary, I decided to embark on a journey the entirely long way. I’ve received advice from lots of security researchers (on iOS) telling me to start on macOS, and then the lowest possible iOS version I can. But instead I decided to go straight to iOS 10.1.1 (and to 10.2), and begin attempting to create a jailbreak w/o any previous knowledge.

The first common step is escaping the sandbox…

With the reveal of iOS 10, some jailbreak developers have been trying to get dylib injection so they can either test existing tweaks or do some research.

The best way to do this is heavily based on friggog’s method. With some modifications, you can easily do this with iOS 10.

First, add the following to your Makefile:

TARGET = simulator:clang:latest:10.0 # Near the top
tweakname_USE_SUBSTRATE = 0 # Near the declaration

Finally, in order to build to the simulator, you first need to open the simulator. Then, open terminal to your theos project and copy-paste the following:

make clean; make; xcrun…

George Dan

18, Security
