matteyeux @matteyeux Twitter profile

Last Seen Profiles

@Adopt_me_Plz

@oziil511

@GoupixJenkins

@bokeplokalmalam

@lifeastwo

@csixc

@yuanna321

@yeilishx

@stwmaniax

@ONN_1

@bokeplokalmalam

@JoseyVersace

@unzaoo

@IntiWasAqui

@africafootutd

@khairaumh

@angelisapinks_

@18924244Hassan

@yumepapa419

@BTL_Balaji

@maricardatuin

@NYC_arches

@aitt00700

@EndsSebas

@ky0_jin

@BryAdee

@james_cobs

@pawel_grabowski

@neuza_n64925

@spikeydog120

@sonyejingifs

@fpusspa

@Geferon38

@j_byabato

@AzazeL_AGV

@ResearchNU

matteyeux

@matteyeux

5 years

Here is an iPhone 7 booting Android !

190

2K

6K

matteyeux

@matteyeux

5 months

Looks like someone dropped a Linux kernel 0day

41

534

3K

matteyeux

@matteyeux

1 year

I still find this funny that Apple keeps adding this stop sign on some rkos fw even on the Vision Pro one

8

98

1K

matteyeux

@matteyeux

6 years

@nixcraft Reminds me this comic from @CommitStrip

7

236

700

matteyeux

@matteyeux

4 years

Patched version of checkra1n + working KPF on iPhone 7/14.0 (no sep stuff)

56

92

648

matteyeux

@matteyeux

3 years

Pangu Team showed iOS 15 beta 4 jailbreak on iPhone 11 Pro at MOSEC

41

54

458

matteyeux

@matteyeux

4 years

Attack Secure Boot of SEP

4

120

385

matteyeux

@matteyeux

5 years

George Hotz | Programming | Exploring checkm8: a brand new iOS bootrom exploit by axi0mX

George Hotz | Programming | Exploring checkm8: a brand new iOS...

Date of stream 28 Sep 2019.Live-stream chat added as Subtitles/CC - English (Twitch Chat).Stream title: Exploring checkm8: a brand new iOS bootrom exploit by...

www.youtube.com

2

82

393

matteyeux

@matteyeux

8 months

Seems like someone pushed a bunch of iBoot symbols to Hexrays's Lumina server

9

57

394

matteyeux

@matteyeux

4 years

Nice, this 14.3 exploit works on A13 without any changes

17

37

349

matteyeux

@matteyeux

2 years

Another checkm8 exploit 😄

GitHub - 0x7ff/gaster: Checkm8 experiment to understand AP/SEP internals.

Checkm8 experiment to understand AP/SEP internals. - 0x7ff/gaster

github.com

20

77

332

matteyeux

@matteyeux

5 years

iPhone 11(Pro) SecureROM

13

40

325

matteyeux

@matteyeux

3 years

A15 SecureROM exploit

16

56

314

matteyeux

@matteyeux

4 years

Jailbreaks Never Die: Exploiting iOS 13.7 (slides)

8

71

299

matteyeux

@matteyeux

4 years

Linux kernel source tree for Apple M1

GitHub - corellium/linux-m1: Linux kernel source tree

Linux kernel source tree. Contribute to corellium/linux-m1 development by creating an account on GitHub.

github.com

1

68

295

matteyeux

@matteyeux

3 months

Well, a decryption tool is now available

GitHub - dhinakg/aeota: AEA OTA/IPSW decryption

AEA OTA/IPSW decryption. Contribute to dhinakg/aeota development by creating an account on GitHub.

github.com

matteyeux

@matteyeux

3 months

It looks like iOS 18 OTA firmware images are now encrypted

7

12

196

0

63

301

matteyeux

@matteyeux

4 years

How to decompress iOS 14.3 sep-firmware for A10 : 1. decrypt file 2. extract compressed part : dd if=sep-firmware.d10.RELEASE.im4p.dec of=sep.compressed skip=65536 bs=1 3. decompress with lzvn : ./lzvn -d sep.compressed sep.bin

5

81

279

matteyeux

@matteyeux

3 years

Emmutaler: Fuzzing the iOS Boot Loader

GitHub - galli-leo/emmutaler: A set of tools for fuzzing SecureROM. Managed to find and trigger...

A set of tools for fuzzing SecureROM. Managed to find and trigger checkm8. - galli-leo/emmutaler

github.com

2

77

278

matteyeux

@matteyeux

5 years

SSD Advisory – iOS Jailbreak via Sandbox Escape and Kernel R/W leading to RCE

6

94

260

matteyeux

@matteyeux

6 years

iOS 11.3.1 exploit

GitHub - xerub/empty_list: iOS 11.3.1 exploit

iOS 11.3.1 exploit. Contribute to xerub/empty_list development by creating an account on GitHub.

github.com

3

97

242

matteyeux

@matteyeux

5 years

Fugu

17

24

226

matteyeux

@matteyeux

5 years

PoC tool for setting nonce without triggering KPP/KTRR/PAC. (requires tfp0)

GitHub - 0x7ff/dimentio: Tool for getting and setting nonce without triggering KPP/KTRR/PAC.

Tool for getting and setting nonce without triggering KPP/KTRR/PAC. - 0x7ff/dimentio

github.com

7

58

237

matteyeux

@matteyeux

2 years

[Slides] The hitchhacker’s guide to iPhone Lightning & JTAG hacking

9

81

247

matteyeux

@matteyeux

6 years

CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6 leading to sandbox escape, privilege escalation, and codesigning bypass.

GitHub - bazad/blanket: CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6...

CVE-2018-4280: Mach port replacement vulnerability in launchd on iOS 11.2.6 leading to sandbox escape, privilege escalation, and codesigning bypass. - bazad/blanket

github.com

3

76

234

matteyeux

@matteyeux

4 years

also A11 on 14.2b2

19

39

218

matteyeux

@matteyeux

3 years

Reverse Engineering the M1

7

70

231

matteyeux

@matteyeux

5 years

Recreating an iOS 0-day jailbreak out of Apple’s security patches

2

55

215

matteyeux

@matteyeux

3 years

iOS 15 (19A5261w) iBoot : iBoot-7429.0.72.112.2 Kernel : Darwin Kernel Version 21.0.0: Sat May 22 02:37:35 PDT 2021; root:xnu-7938.0.0.112.1~5/RELEASE_ARM64_T8030

8

20

209

matteyeux

@matteyeux

8 years

Wipe and reinstall a running Linux system via SSH, without rebooting. You know you want to.

GitHub - marcan/takeover.sh: Wipe and reinstall a running Linux system via SSH, without rebooting....

Wipe and reinstall a running Linux system via SSH, without rebooting. You know you want to. - marcan/takeover.sh

github.com

4

88

216

matteyeux

@matteyeux

4 years

Spotted that iPhone prototype ? :P

14

32

205

matteyeux

@matteyeux

5 years

Wen ETA Redsn0w for iPhone X

9

19

193

matteyeux

@matteyeux

5 years

Here is checkra1n web interface

9

27

194

matteyeux

@matteyeux

3 years

Exploiting checkm8 with unknown SecureROM for the T2 chip

4

68

206

matteyeux

@matteyeux

6 years

The making of an iOS 11 jailbreak - Kiddie to kernel hacker in 14 sleepless nights

1

92

205

matteyeux

@matteyeux

2 months

Unstripped SPTM found in the wild👀

12

27

207

matteyeux

@matteyeux

3 years

iOS 15.0 RC (19A344) iBoot d53g f616222bda5f10aadc5dd206c4cfb9dd9f287480e05bb40a61f6b6220412e7b01a7358245838fe2ce2dcce179341bbe3

1

29

200

matteyeux

@matteyeux

5 years

I don't even know how to use an Android phone

8

6

202

matteyeux

@matteyeux

5 years

Checkra1n command line version

4

31

192

matteyeux

@matteyeux

2 years

wInd3x, the iPod Bootrom exploit 10 years too late

6

62

200

matteyeux

@matteyeux

4 years

@RazMashat From mosec account on Weibo

5

52

195

matteyeux

@matteyeux

5 years

iOS 13.3.1. (17D6050) Homepod iBoot bae48ea04ae32b1cb8c17c9b4120ef332b7aa58fae9a0f4393f3698799b02a4de497b0ca369b450c2ab27e7fa2d1701c

7

28

197

matteyeux

@matteyeux

6 years

get tfp0 on iOS 11.2 - 12.1.2

GitHub - tihmstar/v1ntex: getf tfp0 on iOS 11.2 - 11.4.1

getf tfp0 on iOS 11.2 - 11.4.1. Contribute to tihmstar/v1ntex development by creating an account on GitHub.

github.com

2

42

183

matteyeux

@matteyeux

6 years

A bunch of links related to VMware escape exploits

GitHub - xairy/vmware-exploitation: A collection of links related to VMware escape exploits

A collection of links related to VMware escape exploits - xairy/vmware-exploitation

github.com

1

112

192

matteyeux

@matteyeux

3 months

It looks like iOS 18 OTA firmware images are now encrypted

7

12

196

matteyeux

@matteyeux

4 years

Accelerating iOS on QEMU with hardware virtualization (KVM)

2

65

186

matteyeux

@matteyeux

5 years

Since checkra1n 0.9.8.1 you can access AES engine from userland to decrypt kbags. I updated autodecrypt to grab keys from a device

7

28

181

matteyeux

@matteyeux

4 years

Here is a script to split 64 bits Mach-O files from a decrypted sep-firmware (A11+)

5

40

182

matteyeux

@matteyeux

4 years

So the vulnerability announced at #MOSEC2020 is in SEPROM. It can't be patched.

5

34

176

matteyeux

@matteyeux

3 years

Apple added firebloom 🔥🌸 in A12 (except TV) and A12X iBoot in iOS 14.5

5

29

172

matteyeux

@matteyeux

2 years

Mandatory step: open twitter[.]com and brag about Linux on Apple, because internet

3

9

179

matteyeux

@matteyeux

11 months

Rootful version of Fugu15

GitHub - pinauten/Fugu15_Rootful: Rootful version of Fugu15 with full tweak support (including...

Rootful version of Fugu15 with full tweak support (including arm64 tweaks), for arm64e devices on iOS 15.0 - 15.4.1 - pinauten/Fugu15_Rootful

github.com

12

47

178

matteyeux

@matteyeux

5 months

Apple Security Research Device Picture Gallery

4

19

175

matteyeux

@matteyeux

4 years

To decrypt sep kbag with checkra1n 0.12.0 : - sep auto - sep decrypt <kbag>

6

28

168

matteyeux

@matteyeux

3 years

Another iBoot/SecureROM loader for IDA Pro

GitHub - matteyeux/ida-iboot-loader: IDA loader for Apple's 64 bits iBoot, SecureROM and AVPBooter

IDA loader for Apple's 64 bits iBoot, SecureROM and AVPBooter - matteyeux/ida-iboot-loader

github.com

2

32

171

matteyeux

@matteyeux

3 years

Nice to see that A14 SecureROM and SEPROM available on !

4

32

173

matteyeux

@matteyeux

3 years

checkra1n does not work on iOS 15.0/iPhone 7

7

20

164

matteyeux

@matteyeux

4 years

@blue_kanikama @jon_prosser iPhone SDKs have always been named iPhoneOS

2

19

169

matteyeux

@matteyeux

6 years

@coolstarorg

6

21

164

matteyeux

@matteyeux

7 years

Here we are, thanks @tihmstar my iPhone 5C is now jailbroken for life

9

10

155

matteyeux

@matteyeux

2 years

I finally have a working setup with the Raspberry Pico and the tamarin fw

11

16

165

matteyeux

@matteyeux

3 years

Security Research Device Cohort

4

25

163

matteyeux

@matteyeux

5 years

iOS Dual Booting Demystified

In this talk, we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this, we will detail ho...

www.youtube.com

0

37

151

matteyeux

@matteyeux

4 years

MagicCFG working without DCSD ✅

27

33

141

matteyeux

@matteyeux

6 years

PoC for the iOS 11.4.1 and MacOS 10.13 kernel vulnerability in lio_listio

GitHub - Synacktiv-contrib/lightspeed: PoC for the iOS 11.4.1 and MacOS 10.13 kernel vulnerability...

PoC for the iOS 11.4.1 and MacOS 10.13 kernel vulnerability in lio_listio - Synacktiv-contrib/lightspeed

github.com

12

72

153

matteyeux

@matteyeux

5 years

@YellowDinouse Malware

9

5

151

matteyeux

@matteyeux

7 years

Is jailbreak still dying ? This month we got : - Houdini - v0rtex - Ian Beer's tfp0 + kdbg - JailbreakMe for 32bits devices

7

40

145

matteyeux

@matteyeux

6 years

No, you can't get tfp0 with the FaceTime bug

7

16

143

matteyeux

@matteyeux

3 years

Replay of the iPhone 13 remote jailbreak demo by Pangu

1

33

147

matteyeux

@matteyeux

3 years

The qemu fork by @ntrung03 is pretty cool ! It's also possible to debug the A9 SecureROM in IDA 😁

1

32

150

matteyeux

@matteyeux

4 years

New blog post by Pangu Team

5

40

148

matteyeux

@matteyeux

2 years

So it's possible to boot Ubuntu initrd on iPhone 7

7

148

matteyeux

@matteyeux

5 years

iOS 5 iBoot bug

GitHub - JonathanSeals/Ancient-iBoot-Fun: iOS 5.x iBoot fun for the whole family!

iOS 5.x iBoot fun for the whole family! Contribute to JonathanSeals/Ancient-iBoot-Fun development by creating an account on GitHub.

github.com

2

28

140

matteyeux

@matteyeux

5 years

checkm8 PoC for macOS (T7000 only for now)

GitHub - 0x7ff/eclipsa: Checkm8 PoC tool for A8, A8X and A9 devices that allows you to boot...

Checkm8 PoC tool for A8, A8X and A9 devices that allows you to boot untrusted images (macOS only, credits: checkra1n team). - 0x7ff/eclipsa

github.com

2

41

139

matteyeux

@matteyeux

6 years

iOS 11.2 kernel pointer disclosure introduced by Apple's Meltdown mitigation.

GitHub - bazad/x18-leak: CVE-2018-4185: iOS 11.2-11.2.6 kernel pointer disclosure introduced by...

CVE-2018-4185: iOS 11.2-11.2.6 kernel pointer disclosure introduced by Apple's Meltdown mitigation. - bazad/x18-leak

github.com

7

64

142

matteyeux

@matteyeux

2 years

iOS 16.0 - 20A5283p iBoot-8419.0.42.112.1 Darwin Kernel Version 22.0.0: Thu May 26 20:49:02 PDT 2022; root:xnu-8792.0.50.112.3~4/RELEASE_ARM64_T8020

5

17

138

matteyeux

@matteyeux

2 years

An iOS Kernel Patchfinder, supporting iOS 15. Used by Fugu15.

GitHub - pinauten/KernelPatchfinder

Contribute to pinauten/KernelPatchfinder development by creating an account on GitHub.

github.com

4

21

133

matteyeux

@matteyeux

2 years

My iPhone 14 Pro in DFU is detected as "Debug USB" 🤨

9

139

matteyeux

@matteyeux

7 years

CVE-2017-13868: A fun XNU infoleak

3

71

139

matteyeux

@matteyeux

5 years

Recreating An iOS 0-Day Jailbreak Out Of Apple's Security Updates

#HITBGSEC D2: Recreating An iOS 0-Day Jailbreak Out Of Apple's...

In February 2019 after the release of iOS 12.1.4 Google disclosed that this update fixes two vulnerabilities in iOS that Google has found being used in the w...

www.youtube.com

2

34

135

matteyeux

@matteyeux

5 years

DEV iBoot + Diags with menu on iPhone 8

8

16

132

matteyeux

@matteyeux

4 years

FYI : checkra1n does not support yet iOS 14 :P

8

19

132

matteyeux

@matteyeux

4 years

Based on @haiyuidesu 's sephelper I made a SEPROM loader for Binary Ninja

10

29

130

matteyeux

@matteyeux

5 years

KTRR bypass analysis (in French) 😁

7

12

129

matteyeux

@matteyeux

6 years

Was able to build multi_path last night (without dev cert)

6

29

123

matteyeux

@matteyeux

5 years

Accessing physical memory on iOS

GitHub - 0x7ff/maphys: Accessing physical memory on iOS.

Accessing physical memory on iOS. Contribute to 0x7ff/maphys development by creating an account on GitHub.

github.com

3

28

126

matteyeux

@matteyeux

3 years

Demo exploit code for CVE-2020-27904, a tfp0 bug.

GitHub - pattern-f/xattr-oob-swap: Demo exploit code for CVE-2020-27904, a tfp0 bug.

Demo exploit code for CVE-2020-27904, a tfp0 bug. Contribute to pattern-f/xattr-oob-swap development by creating an account on GitHub.

github.com

2

38

128

matteyeux

@matteyeux

6 years

iOS 11.4.1 unstripped kernels

4

39

116

matteyeux

@matteyeux

6 years

A tool for analyzing and find vulnerabilities in macOS and iOS kernel drivers.

1

41

122

matteyeux

@matteyeux

1 year

iBoot* for n301 (Apple Vision Pro) 1.0 - 21N5165g e93c560966ad2d584c5fb86f7c32ab2e003739b11d51fdddc3a76eed70ae05422419d89983a4b796d3b68f9ec82c0370 *iBEC.n301.RELEASE.im4p

0

18

125

matteyeux

@matteyeux

5 years

Real question is : can we use checkra1n for Linux on an iPhone running Linux

@[email protected]

@qwertyoruiopz

5 years

Linux on T8010 via PongoOS :) /cc @CorelliumHQ @never_released

35

165

817

4

116

matteyeux

@matteyeux

4 years

checkm8 port for S5L8940X/S5L8942X/S5L8945X

6

29

114

matteyeux

@matteyeux

7 years

An iOS kernel exploit designated to work on all iOS devices <= 10.3.1

4

74

121

matteyeux

@matteyeux

5 years

Technical analysis of the checkm8 exploit

1

34

115

matteyeux

@matteyeux

5 years

Mapping physical memory to user space (EL0) on iOS. (+ AES PoC)

GitHub - 0x7ff/golb: Mapping physical memory to user space (EL0) on iOS.

Mapping physical memory to user space (EL0) on iOS. - 0x7ff/golb

github.com

3

33

114

matteyeux

@matteyeux

4 years

Twitter does not allow anymore to tweet hashes. So it's not possible to publish iOS bootloader keys here ¯\_(ツ)_/¯

5

4

116

matteyeux

@matteyeux

1 year

CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple SEAR and CitizenLab Seems to be one of the bugs in ImageIO exploited in the latest iMessage exploit chain (BLASTPASS)

Stable Channel Update for Desktop

The Stable and Extended stable channels has been updated to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows, which will...

chromereleases.googleblog.com

2

31

121

matteyeux

@matteyeux

4 years

Here is a tip to use diags without a DCSD lightning cable. In iBoot set a new boot-arg : setenv boot-args usbserial=enabled. Then run saveenv and boot diags.

6

34

107

matteyeux

@matteyeux

5 years

Checkra1n on KVM + QEMU