Adam Donenfeld Profile
Adam Donenfeld

@doadam

11,492
Followers
285
Following
43
Media
1,577
Statuses

iOS security, politics, tech and traveling.

🇪🇺
Joined January 2011
Pinned Tweet
@doadam
Adam Donenfeld
2 months
For those curious, I was on the latest 17.4 at the time and Signal 7.2. 17.4.1 and 7.3 were released the next day. You're still welcome to contact me on WhatsApp or Twitter.
2
0
8
@doadam
Adam Donenfeld
7 years
#ETA : NOW
94
329
701
@doadam
Adam Donenfeld
6 years
1/N Apple has finally acknowledged my kernel heap overflow and fixed it on 11.2.5 (CVE-2018-4109). While I didn't write an exploit, it's one of the most hidden vulnerabilities I've ever found, and it took me a couple of days to trigger it once I found it!
25
89
372
@doadam
Adam Donenfeld
7 years
iOS 10.3.3 is no longer signed. If you were smart you are on 10.3.1. If you're on 11, good luck waiting till sometime in 2018.
117
90
319
@doadam
Adam Donenfeld
7 years
If someone wants to take the hassle of wrapping it into a jailbreak I’d be happy to help. (2/2)
61
87
306
@doadam
Adam Donenfeld
7 years
Some people asked about donations. Thanks, but I'm employed. Go donate to your favorite charity organization :)
35
33
299
@doadam
Adam Donenfeld
7 years
I never said anything about jailbreak. I'm releasing an exploit (source code + instructions). (1/2)
40
81
273
@doadam
Adam Donenfeld
7 years
Apple bug submissions are also public now, and like I said in the presentation, some of them might still be working on 10.3.2 🙂
47
69
246
@doadam
Adam Donenfeld
5 years
Well, that should help get you started on the latest ones: iCrypto -f iBoot.d11.RELEASE.im4p -k 53c616cddb7c0ca65b216643d2c35f3a0b5223de14e82af376ee440973d1148e0fc4a46595b88292ee0c4adee3587298 -o iBoot.d11.RELEASE.4513.230.10
@matteyeux
matteyeux
5 years
@doadam Sure! I can do it if you provide me a bootchain exploit
1
0
9
15
44
242
@doadam
Adam Donenfeld
7 years
I'm not sure if a coincidence or not, but on iOS 10.3.1, my sysctl trick to bypass SMAP was "challenged". Apple switched the order of l1dcache and l1icache... so now the whole exploit is a little bit more messed up. Anyway... ZiVA runs on 10.3.1 :)
34
52
236
@doadam
Adam Donenfeld
5 years
This would mean a jailbreak from iPhone 4S till iPhone 8/X for every version forever.
EPIC JAILBREAK: Introducing checkm8 (read "checkmate"), a permanent unpatchable bootrom exploit for hundreds of millions of iOS devices. Most generations of iPhones and iPads are vulnerable: from iPhone 4S (A5 chip) to iPhone 8 and iPhone X (A11 chip).
919
6K
15K
4
29
202
@doadam
Adam Donenfeld
6 years
I must say, this is one of the only few times I feel like my work is actually reviewed based on its content and not based on the amount of money the company I represent pays :)
8
74
201
@doadam
Adam Donenfeld
7 years
🙄gg
20
26
171
@doadam
Adam Donenfeld
5 years
Would a "new mitigations introduced in iOS 13" presentation be something that people are interested in?
19
9
176
@doadam
Adam Donenfeld
5 years
it's been a while
5
19
157
@doadam
Adam Donenfeld
6 years
CVE-2018-4109: Overwriting kernel memory with a few video packets | Zimperium Mobile Security Blog
3
53
147
@doadam
Adam Donenfeld
7 years
It will be released during conferences’ season in the summer. You may want to save SHSH blobs :) #ZIMPERIUM #HITBGSEC (2/2)
35
61
137
@doadam
Adam Donenfeld
4 years
While iOS 14 introduced a lot of mitigations, it seems like iOS 14.2 is very "recent exploits" oriented (rather than general mitigations like sandboxing, heap isolation, etc). Lots of exciting features! My only question is how come we've had to wait for so long to see this.
5
18
138
@doadam
Adam Donenfeld
6 years
3/N if it makes it better in any case, this is accessible from the sandbox (so theoretically if someone plans to write an exploit, @Morpheus______ 's jailbreak framework can be used with that).
10
29
132
@doadam
Adam Donenfeld
6 years
In-depth analysis of the bluetoothd vulnerabilities by @raniXCH
4
32
130
@doadam
Adam Donenfeld
7 years
@tihmstar People literally have a sandbox escape + kernel exploit + KPP bypass working and nobody bothered to combine them. People are lazy.
32
25
122
@doadam
Adam Donenfeld
7 years
Woho!!! Looking forward to seeing you there! The exploit will be public by then 📱🔓
19
42
118
@doadam
Adam Donenfeld
6 years
So in 2017 I managed, among dozens of other things, to switch to a new company, start working on iOS, get an EU passport and, on 20 days' notice, emigrate to Europe. It has been the best year of my life, but 2018 is going to be even better!! 🎉🎊🎆
12
3
117
@doadam
Adam Donenfeld
7 years
I hope you loved the presentation! #HITBGSEC is definitely one of my favorites.
13
17
112
@doadam
Adam Donenfeld
5 years
I usually don't play CTFs but this year #35C3CTF gives so many "real life" challenges and I think that's how CTFs should be done. Kudos to @EatSleepPwnRpt ! Best CTF I've seen so far.
4
12
116
@doadam
Adam Donenfeld
7 years
#Apple fixed 8 kernel privilege escalation bugs I sent them. A privilege escalation exploit is already written (1/2)
11
55
105
@doadam
Adam Donenfeld
6 years
Apple finally credited me CVE-2018-4282 I reported back then in May! I'll get a blog post up hopefully this week
5
10
107
@doadam
Adam Donenfeld
6 years
😎
2
4
106
@doadam
Adam Donenfeld
6 years
2/N Is there any conference that would be interested in a detailed explanation + review of some tools I wrote to aid in that research?
9
11
103
@doadam
Adam Donenfeld
6 years
@s1guza @Morpheus______ omg u got krnl exploit fr 11.1.2??? WEN ETA PL0X???????????????????
6
12
104
@doadam
Adam Donenfeld
3 years
Before it gets deleted
12
23
111
@doadam
Adam Donenfeld
7 years
Just arrived today.. let's see what's going on 😎
11
10
104
@doadam
Adam Donenfeld
2 months
Here's a video of an unusual behavior I captured on my device Thursday last week. Note the number of "Signal Connection" (=verified) contacts I have never seen before, along with two VoIP call attempts.
11
28
106
@doadam
Adam Donenfeld
7 years
@loganpunkt Just landed in Singapore so was a little bit limited with connectivity. I think, if nothing pops up, tomorrow
5
19
99
@doadam
Adam Donenfeld
3 years
iOS 14.5 seems to sign ISA pointers, which is indeed a blow for 0clicks and sandbox escapes. But where there's a will 👀
2
7
106
@doadam
Adam Donenfeld
6 years
TIL: You can reboot the iPhone X using "idevicediagnostics restart" instead of throwing it against the wall
4
17
101
@doadam
Adam Donenfeld
6 years
A completely symbolicated iOS kernel
6
34
102
@doadam
Adam Donenfeld
7 years
If people are so obsessed with 1day root exploits, why not just bindiff code mentioned in the security advisory, find the bugs&exploit them?
17
10
95
@doadam
Adam Donenfeld
7 years
How symbolic. A year ago I was a speaker at #HITBGSEC, giving a presentation about an Android exploit. Saw then @Morpheus______ 's iOS preso..
5
16
94
@doadam
Adam Donenfeld
3 years
The last iOS major update was almost 3 months ago! Since the release of iOS 14, it was usually a month for each major version. Tons of security patches including new mitigations are on 14.5, probably the vastest major update in regards to security since I got into iOS research
6
22
94
@doadam
Adam Donenfeld
7 years
Just been to Singapore and foo() fighters concert.. amazing city like always - hope to be there again next year!
17
7
87
@doadam
Adam Donenfeld
7 years
New ARM64 code is available! The AMCC initialization function appears to be rorgn_stash_range
@_argp
argp
7 years
XNU kernel 4570.1.46 sources (macOS High Sierra 10.13) are now available:
3
70
119
7
21
84
@doadam
Adam Donenfeld
7 years
@ynvb @Yannayli Well I successfully used both triple_fetch and ZiVA together, and the KPP bypass still works, so technically I could work on that
16
28
77
@doadam
Adam Donenfeld
7 years
@Morpheus______ started learning. One year later, I'm here again for iOS. Thank you!! His book was definitely a great way to start iOS pwning
6
10
84
@doadam
Adam Donenfeld
6 years
Officially calling out @appcode for the worst support ever. I have tickets waiting since November with 0 response. Thanks for nothing!
4
5
76
@doadam
Adam Donenfeld
7 years
@Sev_Momo How about before the conference? 🤔
19
14
78
@doadam
Adam Donenfeld
6 years
My talk in @HITBGSEC got accepted! See you in Singapore!
6
11
76
@doadam
Adam Donenfeld
7 years
Attending #HITBGSEC? Please vote for our talk! We promise some fun iOS 0days ;) @HITBGSEC @ZIMPERIUM
3
34
70
@doadam
Adam Donenfeld
5 years
So one of my guesses about Apple trying to sue @CorelliumHQ is that their new research devices gonna suck and therefore everyone will try getting a corellium license instead. I still have no idea why somebody would beg for a device from Apple when fused ones are still easy to get
4
6
76
@doadam
Adam Donenfeld
5 years
I'm still overwhelmed by how great @0x41con was. I could never have done something like that without @xerub . I'd like to thank all the attendees and speakers as well for showing up. See you next year in (probably) Greece! @0x41con is on the map 😎🤟
7
6
76
@doadam
Adam Donenfeld
7 years
My presentation was accepted! If you come let me know :)
@BlackHatEvents
Black Hat
7 years
The final batch of #BHEU Briefings has been announced! See the latest research selected for presentation in London
0
5
16
5
6
75
@doadam
Adam Donenfeld
6 years
IMO, iOS kernel exploitation was recently the easiest platform out there... With great spraying, vtables in the kernel and simple memory allocator I couldn't ask for more. PAC makes it however more complicated than any other platform nowadays (or at least until Android gets it)
1
11
72
@doadam
Adam Donenfeld
4 years
so iPhone 12's design is just iPhone 4 but with an extra camera
11
5
70
@doadam
Adam Donenfeld
8 months
One of the most prominent XNU source releases in recent times, with "tagged address" hinting, amfi.h and more:
4
13
76
@doadam
Adam Donenfeld
7 years
@Morpheus______ And was super impressed. I decided to start doing iOS thanks to his presentation back then. Read his book on the flight back and...
3
8
72
@doadam
Adam Donenfeld
7 years
Recommendation for a Dutch language course within Amsterdam? (unless you ask for a JB in Dutch, you're blocked on this twit).
22
4
66
@doadam
Adam Donenfeld
7 years
@prasanjeetprasa yes, bypasses PXN and PAN and doesn't interfere with KPP/AMCC
7
4
66
@doadam
Adam Donenfeld
6 years
@tihmstar If you really wanna take it far, you can always generate an IPA from your website and ask for a device UDID/other identifier, which will be used in the generated IPA so it will only work on a specific device... That's harsh, but nobody will mirror you this way
6
1
64
@doadam
Adam Donenfeld
4 years
At least for now, it seems like the new A14 doesn't have the memory tagging extension for the kernel.
2
12
65
@doadam
Adam Donenfeld
3 years
Spotted this on a flight back from Iceland, the Fagradalsfjall volcano (not a typo, I think)
2
3
66
@doadam
Adam Donenfeld
5 years
WhatsApp has (present tense) bugs in it, surprise. If you care more about IM security, I would download Signal (despite the existence of exploitable bugs in it as well) or something that doesn't become ads on Facebook later on.
3
7
62
@doadam
Adam Donenfeld
6 years
I hope I'd get the opportunity to present at #HITBGSEC. And for what it's worth, I don't think I ever saw that kind of bug in iOS before. I'm grateful for your votes, hope to see you there!
2
23
60
@doadam
Adam Donenfeld
5 months
Very cool and unusual if true, not your typical yearly jailbreak release
@oct0xor
Boris Larin
5 months
Jailbreak and kernel debugging is coming to new iPhones! (Apple A12-A16 SoC’s < iOS 16.6)
134
370
2K
1
5
62
@doadam
Adam Donenfeld
6 years
Our house committee lost the certificate for the key to the main entrance. My flatmate Messi connected an Arduino to the intercom and now we can remotely open the door! I'm offering a $0 bug bounty to the first guy who can open the building's door remotely ;)
2
7
61
@doadam
Adam Donenfeld
6 years
First time I experience snow while not on a vacation. It was super fun for the first 2 minutes
10
4
57
@doadam
Adam Donenfeld
6 years
Long live the European Union
@EU_Commission
European Commission
6 years
We will continue to protect #NetNeutrality in Europe, ensuring that all traffic is treated equally:
→ Every European must be able to have access to the #openinternet
→ No blocking or discrimination of online content, applications and services
148
4K
5K
5
8
58
@doadam
Adam Donenfeld
6 years
My findings about CVE-2018-4282:
2
13
59
@doadam
Adam Donenfeld
7 years
Suddenly saw that in Düsseldorf main station... Secret hiring advertisement by Bundesnachrichtendienst?? 😜
3
6
55
@doadam
Adam Donenfeld
7 years
@SparkZheng It has a CVE, I just can't share exploit information before my #HITBGSEC talk. Less than 24 hours :)
8
8
57
@doadam
Adam Donenfeld
7 years
@toniqyteza @MirzaNabeelACCA @oleschult @Jesse_FTW I'm waiting for the final approval of the blog post then I want to release it. Singapore time is just very harsh when contacting SF
10
9
55
@doadam
Adam Donenfeld
5 years
So are we gonna have 13.1 as soon as the new iPhone is out? lol
5
1
53
@doadam
Adam Donenfeld
5 years
@benhawkes I think people underestimate the number of bugs Apple fixes which are actively exploited in the wild. These are not the first ones and most certainly not the last ones.
1
7
58
@doadam
Adam Donenfeld
3 years
That moment when you're in Mexico and your credit card pwned the ATM ._.
7
0
55
@doadam
Adam Donenfeld
1 year
Seems like iOS 17 beta 1 puts crash dumps in /private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/ instead of the usual /private/var/mobile/Library/Logs/CrashReporter/. As a result, afcd -r won't completely delete the logs after they're
0
8
54
@doadam
Adam Donenfeld
7 years
Just demonstrated to @ihackbanme and @rani_idan full exploit chain! #greatsuccess #ComingSon
4
4
54
@doadam
Adam Donenfeld
6 years
#34c3 is by far the best conference I’ve attended so far. But I can’t hide my disappointment with Leipzig. The venue is in the middle of nowhere and each time you wanna go somewhere (eat, do something, etc) you must take a cab and can’t walk... :(
5
1
51
@doadam
Adam Donenfeld
7 years
@ntrippar @rani_idan According to rumors iOS 11 is jailbreakable 🤔
2
8
42
@doadam
Adam Donenfeld
5 years
I'm not affiliated, but that's the only guy who writes tools that manage to work for more than a month without getting insanely unstable
@Morpheus______
I don't talk about Darwin, no, no, no...
5 years
If you know and like my other free tools - then you totally need to know this one. Not free this time, but indubitably my finest creation yet. Took a *VERY* long time to get this tool be totally rock solid, dynamically object aware, and just plain awesome.
6
15
114
1
1
49
@doadam
Adam Donenfeld
4 years
Also by far the most comprehensive security update ever released on iPhone.
@kuba_suder
Kuba Suder 🇵🇱🇺🇦🦋
4 years
iOS 14 is a massive update for privacy:
- limited photo library
- approximate location access
- clipboard access warning
- LAN access permission
- camera indicator
- Safari tracker report
- app data use info & tracking prompt
- encrypted DNS
- random MAC address
I love it ❤️
23
389
2K
1
5
50
@doadam
Adam Donenfeld
6 years
It's like with every new XNU release out there, Apple adds new stages where compilation fails. (libdispatch, src/shims/atomic.h -> internal/atomic.h, if anyone had the same problem).
2
4
44
@doadam
Adam Donenfeld
27 days
@pninch You've simply never asked a non-Israeli (even a Jewish one) how much shit they go through at security screening in Israel. In the best case, humiliating questions that would put an IDF security interrogation to shame; in the more typical case, the whole suitcase turned completely upside down plus the questions; in the less typical case, a delay of several hours.
9
0
49
@doadam
Adam Donenfeld
3 years
Isn't it that time of the year where Apple accidentally releases a symbolicated kernelcache?
2
4
50
@doadam
Adam Donenfeld
6 years
When I get home I'll release a PoC source code. According to rumors if your video is cool enough AppleD5500 will still be generous in terms of exploitation 🙄
0
4
44
@doadam
Adam Donenfeld
3 years
I predict some cool bugs in that prediction language implementation
@pwuille
Pieter Wuille
3 years
JPEG-XL (a freshly-standardized proposed successor to JPEG) has a tiny language in it to encode a prediction function (guess next pixel from previous). Images that are _exactly_ this prediction are super small, and can be pretty artsy. This one is amazing.
22
91
326
0
12
49
@doadam
Adam Donenfeld
6 years
Or in other words: if you wanna see how you can attack the kernel solely with a video from within the sandbox, you should come.
3
4
43
@doadam
Adam Donenfeld
7 years
After playing with digital currency for the last couple of weeks, I understand why people get addicted to Casinos
7
2
46
@doadam
Adam Donenfeld
5 years
Most iOS/Android updates bring pretty much nothing interesting to the table. But I must say, as a frequent traveler, Sidecar is the best feature I've yet to see in the last couple of years. Having 2 monitors while traveling? Apple really nailed it this time
4
5
46
@doadam
Adam Donenfeld
6 years
It was the best WarCon III ever!!!! @WarConPL
1
2
40
@doadam
Adam Donenfeld
3 years
Building WebKit in less than a minute 💪
1
2
48
@doadam
Adam Donenfeld
2 years
Good read as always, and also highlights how the recent XNU mitigations greatly required stepping up the game. Such vulns were a 1 week project or less up until 1-2 years ago.
@ProjectZeroBugs
Project Zero Bugs
2 years
XNU kernel use-after-free in mach_msg
2
73
264
2
8
47
@doadam
Adam Donenfeld
7 years
@Morpheus______ Good, cool, so referring wen eta beggars to you from now on
4
3
43
@doadam
Adam Donenfeld
3 years
Not the first time someone I've never talked or reacted to from infosec is blocking me. And although I've never pressed follow, ngl - it was amusing watching this bullshit (especially the videos).
7
6
45
@doadam
Adam Donenfeld
5 years
So there's a possibility @0x41con is going to have a smoking area with weed permitted inside 😁
4
2
39
@doadam
Adam Donenfeld
3 years
Don't fall in love with bugs because they'll break your heart
@halvarflake
Halvar Flake
3 years
If you use 0days and they get burnt, that's the circle of life. Don't whine about it, whether you're a blackhat or government "counterterrorism" operation.
9
53
323
1
6
45
@doadam
Adam Donenfeld
3 years
Downgrading an iPhone has progressively become such a pain in the ass. It's like I can't even downgrade normally anymore, and the errors are less and less indicative. Is this a new mitigation?
3
2
41
@doadam
Adam Donenfeld
6 years
A friend of mine didn't come to CCC, does anyone need a ticket?
6
15
38
@doadam
Adam Donenfeld
6 years
See you all in BeVX!
@typhooncon
TyphoonCon🌪️
6 years
Announcing our second talk at our conference, Adam Donenfeld / @doadam on "Viewer discretion is advised: (De)coding an iOS vulnerability" -
1
12
18
1
7
40
@doadam
Adam Donenfeld
6 years
Am I the only one who thinks about an episode called metalhead in Black mirror?
@aljwhite
Alan White
6 years
This is one of the most terrifying things I’ve seen in all my life
7K
55K
116K
5
7
39
@doadam
Adam Donenfeld
6 years
For all the fellows coming to PoC who wanna learn Korean in the early morning while jet lag hits you:
2
3
36
@doadam
Adam Donenfeld
6 years
@0x41con was awesome! It's the first time I've attended such an event and I really enjoyed it! Looking forward to the next one, which will take place in Amsterdam!!
3
3
40
@doadam
Adam Donenfeld
7 years
4
2
36