opa334@infosec.exchange retweeted
On that note, enforcing bootloaders are unlocked when devices are no longer supported by the manufacturer would be a great first step. I dread to think how many TFLOPs of compute end up in landfill every year because the software it’s forced to run makes it effectively useless.
I think — genuinely — the only hope for jailbreaking at this point is if the EU forces manufacturers to have unlocked bootloaders. It is deeply fucked up to me that you can buy a $1000 computer and are not allowed to install your own software on it.
opa334@infosec.exchange retweeted
I think — genuinely — the only hope for jailbreaking at this point is if the EU forces manufacturers to have unlocked bootloaders. It is deeply fucked up to me that you can buy a $1000 computer and are not allowed to install your own software on it.
“Semi-jailbreak” makes me immensely sad
Instead of warning about exploit source code that does nothing harmful whatsoever, how about doing something about all the countless fake jailbreaks hosted on your platform that all link to similar sites (e.g. pangu8(.)com) that sell fake software for real money? @github
Me and others have reported countless repos over the years, but nothing has happened regarding this whatsoever. None of my tickets ever even got a response... One time it told me to subscribe to GitHub Pro for someone to look at it...
opa334@infosec.exchange retweeted
sha256(quark.txt) = b29efa7b27e15d32e42d2acf7c5963aed2b53fbbf27177e4c654930421dddbe5 #coruna
opa334@infosec.exchange retweeted
My analysis of CVE-2025-43520, the kernel vulnerability exploited by DarkSword (patched in 26.1): gist.github.com/Muirey03/8c8…
With the recent discovery of the #coruna exploits, I want to reiterate that all future Dopamine Jailbreak development updates will not be shared on X.
Additionally, I understand I can't prevent it, but I would at least nicely ask people to not mirror any of my posts to X.
Lastly, I will come back one last time under this tweet in 24 hours to answer any good faith questions about the situation / my abandonment of this platform. #ama
opa334@infosec.exchange retweeted
Coruna's seedbell PAC bypass abused the fact that dyld didn't protect certain __DATA_CONST regions in the dyld shared cache as read only after populating GOT entries etc (I think to support certain objc method list types), (1/4)
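The bug class the post describes, as an added example that is neither Coruna's code nor dyld's: a page of raw (unsigned) function pointers is populated at "load time", and the only thing standing between an arbitrary-write primitive and control-flow hijack is whether that page was then remapped read-only. A pointer that carries no PAC signature is only safe while nothing can write it, so a table left writable after fixups gives an attacker a call target to replace without forging anything. The names (got_populate, got_seal, attacker_overwrite, run_scenario) and the single-entry table are constructed for this demo; the real __DATA_CONST layout, the dyld fixup logic and the seedbell specifics are not modelled, and the fault-catching is only there to keep the probe in one process.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for a page of raw function pointers, such as the
 * GOT entries a dynamic linker fills in at load time. Not a Mach-O model. */
typedef int (*got_entry)(int);

static int legit_target(int x)  { return x + 1; }
static int hijack_target(int x) { return -x; }

static long page_size(void) { return sysconf(_SC_PAGESIZE); }

/* "Load time": map a writable page and populate the table. */
static got_entry *got_populate(void) {
    void *p = mmap(NULL, (size_t)page_size(), PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    got_entry *got = (got_entry *)p;
    got[0] = legit_target;
    return got;
}

/* The step at issue: after fixups the page has to go read-only.
 * Skip it and the raw pointers inside can be swapped with a plain write. */
static int got_seal(got_entry *got) {
    return mprotect(got, (size_t)page_size(), PROT_READ);
}

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Attacker side: an arbitrary write aimed at the table.
 * Returns 1 if the overwrite landed, 0 if the page was read-only and it faulted. */
static int attacker_overwrite(got_entry *got, got_entry target) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* macOS reports this fault as SIGBUS */
    volatile int landed = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        got[0] = target;                /* the write under test */
        landed = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return landed;
}

/* Victim side: an indirect call through the table, as a binding stub would make. */
static int call_through_got(got_entry *got, int x) { return got[0](x); }

/* sealed=0 reproduces the bug class, sealed=1 the intended state.
 * Returns whatever the indirect call produced: -41 if hijacked, 42 if not. */
int run_scenario(int sealed) {
    got_entry *got = got_populate();
    if (!got) return 0;
    if (sealed && got_seal(got) != 0) { munmap(got, (size_t)page_size()); return 0; }
    attacker_overwrite(got, hijack_target);
    int r = call_through_got(got, 41);
    munmap(got, (size_t)page_size());
    return r;
}

int main(void) {
    printf("table left writable: call returned %d\n", run_scenario(0));
    printf("table sealed:        call returned %d\n", run_scenario(1));
    return 0;
}
```

The first scenario returns -41 (the attacker's write landed and the call went to hijack_target); the second returns 42 (the write faulted on the read-only page and legit_target survived). On Linux the sealing step is what RELRO does for the GOT; on a real iOS device the check a practitioner would want is the same in spirit: once dyld has finished fixups, confirm that the __DATA_CONST mappings of the shared cache report read-only protection rather than read-write.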
opa334@infosec.exchange retweeted
So, let's talk about that Coruna exploit kit stuff now, shall we? Let's first establish a few basic grounding points, though, before people over-hype this too much:

1. There are zero guarantees that anything comes from this. Everything here requires stuff to be deobfuscated before it could ever be beneficial for anything. This process inherently requires effort, and it's the type of thing that isn't guaranteed to go anywhere. Additionally, while everything in this post is as accurate as current information tells us, there are things here that are subject to change or subject to validation.

2. Even if anything of note comes from the Coruna exploit kit, this is not a major major advancement. The bugs that this kit uses were all patched by 16.7.6/17.5. Additionally though, the last kernel exploit was patched in 16.7.5/17.2.1, which means that the highest possible advancement for jailbreaking is:
- EoL (16.x): iOS/iPadOS 16.7.5
- 17.x: iOS 17.2.1/iPadOS 17.2

Which, to be clear, is not nothing - it would allow for the first proper jailbreak for arm64e 16.6-17.2.1, and it would also end the 2 year streak of no arm64e advance or no jailbreak-relevant exploits. But it isn't going to take us to 18.x or even late-17.x.

Now that we've gotten that all out of the way, let's lay some groundwork here. The Coruna exploit kit is a Chinese/Russian spyware kit, involving 23 different bugs designed to target devices running iOS versions 13.0 - 17.2.1. You can read more about this spyware kit as spyware at the following two links:
Google Cloud Article: cloud.google.com/blog/topics…
iVerify Article: iverify.io/blog/coruna-insid…

Now, Google and iVerify didn't directly publish any samples themselves about this (whether this will change in the future or not, I wouldn't know). But some of the links that it was mentioned the spyware was on are still operating and are still actively able to infect devices. This is how various individuals have been able to get samples and begin to look into them.

Now, again, there are still a lot of things that need to be figured out before anything truly comes from this, but for now, let's focus on a few of the interesting things about this exploit kit:

1. The "PPL Bypass" bugs (for 17.x) appear to also work on SPTM devices. Some additional context: iOS/iPadOS 17 replaced PPL with SPTM and TXM on some devices. On the relevant versions here (M4 was introduced in 17.4 and iOS/iPadOS 18 shifts M2 to SPTM), this encompasses:
- PPL Devices: A12-A14/M2
- SPTM Devices: A15-A17

This change doesn't necessarily affect the flow of bugs (they usually will require PAC Bypasses) but it can potentially break certain bugs that would work for a PPL Bypass. Based on what we have seen, however, it appears these bugs do work on SPTM devices, which does mean - if anything comes from this - this will likely work on all devices for 17.0-17.2.1.

2. There are enough bugs here for a WebKit jailbreak (and TrollStore installation method for relevant versions). The entire goal of every chain that can be exploited with this kit is that it is designed to be a one-click exploit - you go to a malicious website and immediately have your crypto logins, location, camera roll, and other stuff siphoned off to China or Russia (depending on which type you get exploited by). Now, as we've established, this is a full kit of exploits for a variety of versions starting with 13.0, and the kit is ultimately able to accomplish a one-click up to/including 16.7.4 (EoL) and 17.2.1 for all devices. Because of that, all the bugs that would be needed for a WebKit-based jailbreak for 13.0-16.7.4/17.0-17.2.1 are present. Now, of course, that would require someone to put in the effort to exploit all of these bugs in a WebKit environment, but the option for someone to do that still exists.

Additionally, for those on TrollStore versions (14.0b2-16.6.1/16.7 RC (20H18)/17.0): As it would be possible to achieve a WebKit-based jailbreak, that also inherently means a WebKit-based TrollStore installer would also be viable. (Note: If one did happen, it would obsolete almost every other method except for TrollHelperOTA (as that doesn't exploit a WebKit bug or kernel bug at all)).
opa334@infosec.exchange retweeted
Today marks the two year anniversary of Dopamine 2.0, and with it, the two year anniversary of the last proper jailbreak for new iOS versions for arm64e devices. With that comes the rather obvious question - how did we get here? And while I'd love to say it's some extravagant reason that we've ended up here, the reality is just two very simple reasons.

1. Apple's security is just a lot better now. We're not in a time where relevant vulnerabilities are being publicly exploited on even a semi-frequent basis - it has been over 2 years since any new jailbreak-relevant exploits have been released:
- PPL Bypass: dmaFail (patched in 16.5.1/16.6, publicized December 27th, 2023)
- Kernel Exploit: puaf_landa (patched in 16.7/17.0, released December 31st, 2023)

Even when we get PoCs (Proofs of Concept), most of them are either:
- Unexploitable (e.g. only works on Intel macOS, only triggers panic, dies to mitigations, etc.)
- Impractical to exploit (e.g. has horrific reliability, requires burning additional exploits/techniques, has overly limited device support, etc.)

Back in, say, 2019, all that was needed for a jailbreak was a kernel exploit, of which they came somewhat frequently. Now, in 2026, even if your goal is just iOS 17, you now need:
- kernel exploit (way harder now)
- PAC Bypass* (not explicitly required, but most PPL/SPTM Bypasses need one)
- PPL Bypass/SPTM Bypass (depends on device, SPTM has never been publicly exploited)

2. There's much less reason for most people to jailbreak. The reality is that modern iOS has a lot of features that used to require a jailbreak to get, but now don't. Some more modern examples:
- Dark Mode (added in iOS 13)
- Depth in Lock Screens (added in iOS 16/iPadOS 17)
- Customizable Home Screens (theming is doable with shortcuts, customization was further expanded upon in iOS 18 and iOS 26)

That's not to say that there's zero reason for a jailbreak to exist - there are definitely still many reasons to jailbreak. But it's more to say that most people don't need a jailbreak to get a good experience out of an iOS/iPadOS device.
opa334@infosec.exchange retweeted
Introducing our newest app for AltStore PAL — CSAM Store Checker 🔎 Given the rise of child sexual abuse material on certain iOS apps, we’ve built a tool that allows users to see whether CSAM is accessible through any apps on a given marketplace. altstore.io/source/marketpla…
opa334@infosec.exchange retweeted
We need legislation on sideloading ASAP. Yesterday, I learned the hard way that I’m not allowed to use my own personal, paid developer certificate to sign IPAs I want to install on my own personal device. Wow. 😬
opa334@infosec.exchange retweeted
27 Oct 2025
Memeing at #TheSAS2025
opa334@infosec.exchange retweeted
15 May 2025
At @0x41con, I talked about how a newer version of Trigon was developed for A7 - A9 and A11 devices. I demoed the following untethered iOS 14 jailbreak, which is 100% reliable on all devices thanks to Trigon - the following video shows it running on an iPhone 6S and an iPhone 7.
opa334@infosec.exchange retweeted
20 May 2025
I've just released the slides from my @0x41con talk with @opa334dev - "The State of iOS Jailbreaking in 2025". github.com/alfiecg24/Present…