Antonio Nappa
So what I found out is that it is possible to mask interrupts through swi 0x80, hence you can load r0 with an arbitrary value, i.e. 500 and call swi...
I get to the same point after the emulator goes to sleep and the screen goes blank
Indeed, but I'd be careful with licenses and key material. I have included some idapython scripts to work with the kernelcache but it requires cautiousness. On Tue, Jan 2, 2024,...
I don't know which version of bash you tried. What I will try in sequence is either an old bsd zsh static binary. Or likely I may just create a...
I have been thinking about this matter, and I have a partial solution, I'd inject code from the XNU kernel with _thread_create_running and then _pthread_set_self(NULL) would make the program resist...
also I have found a plausible issue, bash can't really work if you haven't abstracted stdin, stdout, stderr, since I see the function ipod_touch_sdio_ops it looks like you have your own way...
some other experiments, I have patched a few binaries here and there including kext and the Calculator, it seems that when I patch the kext to execute a QEMU hypercall...
I am looking into it, do you have the reference on how to call some useful syscalls such as posix_spawn() or execve()? The other issue is making a toolchain to...
Yeah, syscall interface is another issue, cause if I try to write something, even a shellcode, I need to know what to call. Funny enough svc calls seem masked either...
Oh also, there's an exploit, but it's in the USB stack IIRC, I don't know if you boot up that component, it's a UAF done by GeoHot long ago