posi0nKFD / posi0nSword dev

Joined July 2023
Update on my last post: I realized (noob moment) to reference the offset addresses correctly we needed to get the slide first so I’ve worked nonstop over the weekend to get the slide which led to this monstrosity: const executable = read64(ftoi(itof(addrof(parseFloat) 0x18n))) ;
Committed jitAllowList modification to the WIP branch. Please note it will only work on iPhone 15 Plus, 26.1 due to offsets. For some reason this seems to (slightly) improve stability.
Will post updated version on GitHub shortly I need to clean up the code, as you can see the green lines are missing because I put in breakpoints for debugging so I used simple return statements rather than returning the entire info array. Stability is also greatly reduced now.
I updated the GitHub repo
Will add writeup and future avenues of research shortly. Putting on GitHub to invite contributions from the community. Currently we have neither read nor write but can reference a memory address arbitrarily. Patched in 26.2, only tested on 26.1. github.com/GenericCoding/cve…
GC (garbage collector) disabling has been ported from darksword along with write8. In the WIP branch on GitHub.
Anyone on iOS 26.1 can go ahead and test the arbitrary r/w on my GitHub, it will currently crash after getting r/w but this is just because it references an invalid address.
Luckily I saved my iP13 Mini iOS26.1
There is a dylib pac bypass used in darksword which needed device specific offsets, and is patched in 26.3, however the implementation relied on having read/write from the UAF alone, if this could be implemented after fakeobj and addrof r/w would be possible.
I made several attempts to port the related graphics OOB used in darksword which does affect 26.1, however it would require getting read and write primitives to set up IPC communication in order to be used meaningfully.
x.com/genericcoding/status/2… RW primitives obtained; the darksword PAC bypass can be implemented as it is in the web version of darksword.

Thank you so incredibly much to @zeroxjf for the commit fixing the verification and implementation of scribble kernel read write primitive! I will now focus on implementation of the PAC bypass 🥳
I’m being bullied by XNU :(
WIP
GenericCoding retweeted
Received my first iOS macOS kernel CVE! Fixed in XNU for iOS 17 and macOS Sonoma; a full writeup will be posted here soon.
shasum(fun thing) = edf70acbced16270bb490ec0a4fbcf5937d5ad13 Blog post coming soon(tm)
Wanted to try Fuzzilli, building webkit rn.
webkit mainline not building, need to remove: #ifdef __OBJC__ // This function converts null strings to empty strings. WTF_EXPORT_PRIVATE RetainPtr<NSString> createNSString() const; #endif
built, forgot to configure build dir so have to rebuild though :(