Hacktricks-skills ios-exploitation

iOS exploitation research and analysis. Use this skill whenever the user mentions iOS security, exploit mitigations, kernel/userland heap analysis, PAC/BTI/ASLR/DEP, XNU kernel structures, iOS exploit chains, or any iOS security research task. This skill helps understand iOS hardening mechanisms, analyze kernel heap structures, work with exploitation tools like Ghidra/BinDiff, and understand modern iOS exploit patterns.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/binary-exploitation/ios-exploiting/ios-exploiting/SKILL.MD

source content

iOS Exploitation Research

A comprehensive skill for iOS security research, exploit analysis, and understanding iOS hardening mechanisms.

When to Use This Skill

Use this skill when the user needs help with:

Understanding iOS exploit mitigations (PAC, BTI, ASLR, DEP, KASLR, KPP, KTRR, PAN/PXN, TBI, PPL, MTE/EMTE)
Analyzing iOS kernel or userland heap structures
Working with iOS exploitation tools (Ghidra, BinDiff, kernelcache analysis)
Understanding iOS exploit chains and patterns
Researching iOS security architecture and XNU kernel internals
Analyzing iOS vulnerability mitigations and bypass techniques

iOS Exploit Mitigations Reference

Core Mitigations

Mitigation	Purpose	Key Details
Code Signing	All executable code must be cryptographically signed	Thwarts payload drop + execute; checks at runtime before loading binaries
CoreTrust	Runtime signature validation against Apple's root certificate	Thwarts post-install tampering, jailbreak persistence
DEP/NX/W^X	Writable pages are non-executable, executable pages are non-writable	Thwarts direct shellcode execution
ASLR	Randomizes base addresses of libraries, heap, stack	Thwarts hardcoded gadget addresses for ROP/JOP
KASLR	Randomizes kernel base address at boot	Thwarts kernel-level exploits relying on fixed locations
KPP/AMCC	Monitors kernel text integrity via hash/checksum	Thwarts persistent kernel patching, inline hooks
KTRR	Hardware-enforced read-only kernel text after boot	Thwarts any kernel code modification at EL1
PAC	Pointer Authentication Codes - cryptographic signatures on pointers	Thwarts pointer tampering, return address corruption
BTI	Branch Target Identification - validates indirect branch targets	Thwarts jumping to arbitrary gadget addresses
PAN/PXN	Privileged Access/Execute Never	Prevents kernel from accessing/executing user memory
TBI	Top Byte Ignore - allows pointer tagging	Enables memory tagging, metadata in pointers
PPL/SPTM	Page Protection Layer / Secure Page Table Monitor	Creates kernel-within-kernel protection boundary
MTE/EMTE	Memory Tagging Extension / Enhanced MTE	Detects UAF, OOB, invalid accesses via tag checking

Pointer Authentication Codes (PAC)

PAC is a hardware feature (ARMv8.3+) that embeds cryptographic signatures in pointer high bits.

Key Types:

```
APIAKey
```
/
```
APIBKey
```
- Instruction pointer keys
```
APDAKey
```
/
```
APDBKey
```
- Data pointer keys
```
APGAKey
```
- Generic key for non-pointer data

Instruction Families:

```
PACxx
```
- Sign pointer and insert PAC
```
AUTxx
```
- Authenticate and strip PAC
```
XPACxx
```
- Strip PAC without validation

Common PAC Bypasses:

dlsym() - Returns already-signed function pointers
Shared Cache - Pre-signed pointers in dyld shared cache
DYLD relocations - Timing-based bypasses during dynamic linking
NSPredicate/NSExpression - ObjC runtime methods for control flow

Branch Target Identification (BTI)

BTI validates indirect branch targets must have BTI landing pads.

BTI Variant	Permits	Use Case
BTI C	Call-style indirect branches (BLR)	Function entry points
BTI J	Jump-style branches (BR)	Jump tables, tail-calls
BTI JC	Both C and J	General indirect targets

Memory Tagging (MTE/EMTE)

Apple's Enhanced MTE (EMTE) / Memory Integrity Enforcement (MIE):

Synchronous mode - Tag mismatches caught immediately
Tag assignment - Secret tag assigned on allocation
Tag checking - Hardware validates pointer tag matches allocation tag
Retagging on free - Prevents use-after-free
Neighbor differentiation - Catches buffer overflows
Tag confidentiality - Prevents side-channel leakage

Kernel Heap Structures

Old Kernel Heap (Pre-iOS 15)

Zone Allocator (kalloc):

Fixed-size zones:
```
kalloc.16
```
,
```
kalloc.32
```
,
```
kalloc.64
```
, etc.
Raw freelist pointers in freed chunks
Predictable object placement via heap sprays
Easy freelist poisoning via overflow/UAF

Freelist Structure:

Zone page (64-byte chunks):
   [ A ] [ F ] [ F ] [ A ] [ F ] [ A ] [ F ]

Freelist view:
   HEAD ──► [ F ] ──► [ F ] ──► [ F ] ──► [ F ] ──► NULL

Exploitation:

Heap overflow into adjacent freed chunk → overwrite "next" pointer
Use-after-free write → overwrite "next" pointer
Next allocation returns attacker-controlled address

Modern Kernel Heap (iOS 15+/A12+)

kalloc_type System:

Type-based zones - Each object type has dedicated zone
Slabs and per-CPU caches - Decentralized allocation
Encoded freelist pointers - XOR-encoded with per-zone secret
Guarded allocations - Guard pages around critical objects
PPL/SPTM protection - Hardware-enforced page protection
PAC on pointers - Function pointers, vtables protected

Allocation Flow:

Type lookup →
```
kalloc_type_<object>
```
zone
Check per-CPU cache
If empty → global freelist
If empty → allocate new slab
Return chunk with encoded freelist pointer

Comparison:

Feature	Old Heap	Modern Heap
Granularity	Size-based	Size + type-based
Predictability	High	Low
Freelist	Raw pointers	Encoded pointers
Adjacency control	Easy	Hard
Exploit reliability	High	Low

Userland Heap (xzone malloc)

Modern iOS userland allocator (iOS 17+):

Architecture:

Segment groups - Partition by usage (data, pointer_xzones, data_large, pointer_large)
Metadata slabs - Out-of-line metadata separate from payloads
Chunks and blocks - Chunks for size classes, blocks for allocations
Guard pages - Unmapped slices between chunks
Type IDs -
```
malloc_type_id_t
```
for type-aware allocation

Security Features:

Metadata decoupling from object payloads
Guard pages catch out-of-bounds writes
Type-based segregation prevents cross-type reuse
EMTE/MIE integration for tag checking
Delayed reuse, poisoning, quarantine for freed blocks
Randomized placement within chunks

Exception Handling in XNU

Exception Flow:

CPU triggers synchronous exception
Low-level trap handler (
```
trap.c
```
,
```
exception.c
```
)
```
exception_triage()
```
routes exception
Delivers to: thread port → task port → host port
If unhandled → BSD signal or kernel panic

Exception Ports:

task_set_exception_ports()
thread_set_exception_ports()
host_set_exception_ports()

Mach Exception to Signal Mapping:

Mach Exception	Signal
EXC_BAD_ACCESS	SIGSEGV/SIGBUS
EXC_BAD_INSTRUCTION	SIGILL
EXC_ARITHMETIC	SIGFPE
EXC_SOFTWARE	SIGTRAP
EXC_BREAKPOINT	SIGTRAP
EXC_CRASH	SIGKILL
EXC_ARM_PAC	SIGILL (non-fatal)

PAC Exceptions:

```
EXC_ARM_PAC
```
raised on signature mismatch
```
TFRO_PAC_EXC_FATAL
```
flag makes PAC failures fatal (bypasses debugger)
Platform binaries use fatal PAC exceptions

Exploitation Tools

Ghidra + BinDiff Setup

Installation:

Download BinDiff DMG from https://www.zynamics.com/bindiff/manual
Install BinDiff
Open Ghidra, go to File → Install Extensions

Add

/Applications/BinDiff/Extra/Ghidra/BinExport

Install even with version mismatch

Kernel Version Diffing:

Download iOS IPSW files from https://ipsw.me/
Decompress to extract kernelcache binaries
Load both kernelcaches in Ghidra
Export as "Binary BinExport (v2) for BinDiff"
Open BinDiff, create workspace with primary (vulnerable) and secondary (patched)

Finding XNU Versions

Check iOS version to XNU mapping at: https://www.theiphonewiki.com/wiki/kernel

Example: iOS 15.1 RC/15.1/15.1.1 → Darwin Kernel Version 21.1.0 (xnu-8019.43.1~1)

Modern Exploit Chain Patterns

JSKit-Based Safari Chains

Pattern:

WebKit renderer RCE → kernel IPC UAF → kernel arbitrary R/W → code-sign bypass → unsigned system stager

Key Components:

JSKit framework - Reusable JavaScript-level arbitrary read/write primitive
Version abstraction - PAC bypass modules for different iOS releases
Manual Mach-O mapping - In-memory payload loading without filesystem artifacts
Portfolio model - Multiple interchangeable WebKit exploits

Kernel Bridge Pattern

CVE-2023-41992 (IPC UAF):

Kernel use-after-free in IPC code
Re-allocate freed object from userland
Abuse dangling pointers for arbitrary kernel R/W

CVE-2023-41991 (Code-sign bypass):

Patch trust cache / code-signing structures
Unsigned payloads execute as
```
system
```
Expose lightweight kernel R/W service

PREYHUNTER Helper Modules

Watcher anti-analysis:

Checks
```
security.mac.amfi.developer_mode_status
```
Detects diagnosticd, jailbreak traces (Cydia, bash, tcpdump, frida, sshd)
Detects AV apps (McAfee, Avast, Norton)
Blocks on custom HTTP proxy or root CAs

Helper surveillance:

```
/tmp/helper.sock
```
communication
DMHooker/UMHooker hook sets
VOIP audio capture (
```
/private/var/tmp/l/voip_%lu_%u_PART.m4a
```
)
System-wide keylogger
Photo capture without UI
SpringBoard notification suppression

HiddenDot suppression:

Hooks

SBSensorActivityDataProvider._handleNewDomainData:

Zeroes Objective-C
```
self
```
pointer
Drops camera/mic indicator updates

Research Workflow

Step 1: Identify Target iOS Version

Check iOS version and corresponding XNU kernel version
Download IPSW files for vulnerable and patched versions
Extract kernelcache binaries

Step 2: Set Up Analysis Environment

Install Ghidra and BinDiff
Load kernelcaches in Ghidra
Export BinExport format
Create BinDiff workspace

Step 3: Analyze Mitigations

Identify which mitigations are active (PAC, BTI, KTRR, PPL, etc.)
Determine hardware generation (A12+, A15+, etc.)
Check for EMTE/MIE support
Map out kernel heap structure (kalloc_type zones)

Step 4: Identify Vulnerability Class

Determine if userland or kernel vulnerability
Check for heap corruption, UAF, OOB, type confusion
Map to appropriate heap structure (kernel kalloc_type or userland xzone)
Identify available primitives (read/write, control flow)

Step 5: Plan Exploitation

Assess mitigation bypass requirements (PAC, BTI, etc.)
Determine if info leak needed for ASLR/KASLR
Plan heap grooming strategy (if applicable)
Identify code-sign bypass path (if kernel)

Step 6: Execute and Validate

Implement exploit chain
Test on target iOS version
Validate each stage (primitive → bypass → payload)
Document findings and patterns

Key References

XNU Source:

osfmk/kern/exception.c

osfmk/arm64/trap.c

bsd/kern/kern_sig.c

PAC Research: bazad.github.io
PAC Bypasses: i.blackhat.com
Project Zero: googleprojectzero.blogspot.com
Synacktiv: synacktiv.com
Epsilon: blog.epsilon-sec.com
Jamf Predator Analysis: jamf.com/blog
Google Threat Intel: cloud.google.com/blog

Quick Reference Commands

# Install BinDiff extension in Ghidra
ghidraRun
# File → Install Extensions → Add /Applications/BinDiff/Extra/Ghidra/BinExport

# Download iOS IPSW files
# Visit https://ipsw.me/ and download target versions

# Decompress IPSW to extract kernelcache
# Use standard archive tools to extract .ipsw → .dmg → kernelcache

# Check XNU version for iOS
# Visit https://www.theiphonewiki.com/wiki/kernel

Common Pitfalls

Assuming PAC is bypassable - Kernel PAC is highly robust; focus on userland bypasses
Ignoring type-based heap - Modern kalloc_type separates object types; heap sprays less effective
Overlooking EMTE - Memory tagging catches UAF/OOB immediately on supported hardware
Missing PPL/SPTM - Page protection layers prevent arbitrary kernel memory modification
Forgetting PAC exceptions -
```
TFRO_PAC_EXC_FATAL
```
prevents debugger interception on platform binaries
Assuming freelist poisoning works - Encoded freelist pointers require key knowledge
Ignoring PAN/PXN - Kernel cannot access/execute user memory by default

When to Escalate

If the user needs:

Specific exploit code implementation
Detailed binary analysis of a specific vulnerability
Custom tool development for iOS exploitation
Legal/ethical guidance on exploitation research

Provide the conceptual framework and direct them to appropriate resources or suggest they consult with security professionals for implementation details.