CoolStar & Tihmstar


Talk Title:

Jailbreaking iOS in the post-apocalyptic era


Abstract:

In this talk we'll be presenting our work on jailbreaking iOS via a side-loaded app, and the challenges associated with jailbreaking newer iPhone models on newer iOS versions.

We will be discussing how Apple has enforced sandboxing and code signing on iOS throughout the years, and the ways we have bypassed them.

  • Code signing is used on iOS both to enforce Apple's platform policies (ensuring that only software provided by Apple, either as part of iOS or from the App Store, runs) and to ensure that no code can be downloaded without being authorized by Apple.
  • The sandbox is used on iOS to keep apps in a relatively isolated environment, enforcing that they cannot modify or access anything else on the system.

The two work in tandem to enforce platform security: any third-party code without the right entitlements (which can only be granted by Apple) is either kept sandboxed or simply not run at all.

The talk walks the audience through the basics of iOS security, the requirements for breaking them and jailbreaking the phone, the mitigations Apple has added throughout the years (both in software and in hardware), and the bypasses we have used.

The problems we encountered are outlined, and their solutions are fully described in the presentation.

Bio:

I am CoolStar, and my hobbies are hacking iOS devices, runtime modification of software, working on Windows drivers and boot firmware (coreboot and UEFI), and reverse engineering drivers.

I worked on jailbreaking the iPhone, iPad, Apple Watch and iPod, covering all devices from the iPhone 5S up until recent ones including the iPhone 13 Pro. Some of the jailbreaks I've worked on: Electra (iOS 11), Chimera (iOS 12), Odyssey (iOS 13), Taurine (iOS 14), and the upcoming Chayote (iOS 15).

Another side project I've worked on is a runtime code injection library (with assemblers and disassemblers) for AArch64 that so far runs on iOS, watchOS, Linux, and Nintendo Switch.

I've also worked on porting and fixing both coreboot and edk2 (a UEFI implementation) for various Intel and AMD chipsets (ranging from Intel 2nd gen Sandy Bridge all the way up to Intel 8th gen Kaby Lake Refresh, in addition to AMD Ryzen), as well as writing Windows drivers for Chromebooks containing said Intel and AMD chipsets (after fixing up coreboot so that Windows could boot on said Chromebooks).

I worked on kernel-mode Windows drivers for touch input devices, SMBus/I2C buses, and I2S (Intel Smart Sound and AMD Audio CoProcessor) audio endpoints.

I've also reverse engineered (and cloned) both Apple's Magic Trackpad 2 and Intel's Smart Sound protocols. I have open sourced a lot of my work for both iOS jailbreaking and Windows kernel driver development on GitHub: https://github.com/coolstar


Tihmstar is a vulnerability researcher focused on mobile, with a hobby of hacking iOS devices.

Tihmstar worked on jailbreaking iOS devices including the iPhone, iPad, iPod, Apple Watch and Apple TV, covering a wide range of devices from old ones like the iPhone 4s up to the most recent ones including the iPhone 12 Pro.
