tihmstar

@tihmstar

65,189
Followers
215
Following
1,448
Media
18,084
Statuses

Finding offsets since 2017 Email: tihmstar @gmail .com Patreon:

~/
Joined March 2010
Pinned Tweet
@tihmstar
tihmstar
4 months
Since twitter is no more (for me) i'm giving that other platform a try now tihmstar @infosec .exchange
@tihmstar
tihmstar
4 months
I think tweetbot 5 finally died. Time to leave this place. RIP twitter
@tihmstar
tihmstar
7 years
Releasing Phoenix jailbreak for iOS 9.3.5 now! All 32bit devices supported! Be sure to check PGP signature :)
@tihmstar
tihmstar
6 years
Merry Christmas everyone! Wishes you @s1guza and @tihmstar :)
@tihmstar
tihmstar
2 years
I love how jailbreaking became more and more a community effort. Every one adds that little piece of the puzzle that he/she can/wants to do and at the end everyone profits from all the collab work :D Here are stable iOS 15.1.1 kernel read/write :)
@tihmstar
tihmstar
6 years
I'll just leave this here
@tihmstar
tihmstar
4 years
What do you think? #checkra1n
@tihmstar
tihmstar
2 years
Finally had a chance to play around with the iOS 15.1 exploit. That thing really did all the hard work already. There is one tiny thing that i need to figure out and modify, then getting stable kernel r/w is super simple. Then it’s just cleanup really
@tihmstar
tihmstar
6 years
Fixed that nosuid issue, now cydia can actually install stuff :D
@tihmstar
tihmstar
5 years
How much would people care to watch me coding? Like if i was coding some updates and streaming, would people care to watch?
@tihmstar
tihmstar
5 years
Got tfp0 yeay :D Now i just need to clean up the kernel after exploit so it doesn't panic on exit ^^
@tihmstar
tihmstar
4 years
Random fact: There was an iOS 7 jailbreak which would bootloop the device while in the dark, because the light sensor would then cause the heap layout to be different than what was expected. One fix was to put your phone under a lamp while booting
@tihmstar
tihmstar
5 years
Updated futurerestore with odysseus64 for downgrading to any iOS with checkm8 if SEP/BB are compatible. To compile you need (in correct order): openssl libpng xpwn libplist libusbmuxd libirecovery libimobiledevice libfragmentzip tsschecker img4tool liboffsetfinder64 libipatcher
@tihmstar
tihmstar
5 years
If this looks familiar to you, you might wanna try to run it on iOS 12 ;) I feel like something might still be improved, but idk when i can be bothered to do so. Meanwhile, have fun with v3ntex As you may have guessed, only tested on iPhone6,2 12.1.2 :P
@tihmstar
tihmstar
4 years
Why learn languages? English: reading exploit writeups Russian: reading exploit writeups Chinese: reading exploit writeups Japanese: Watching anime in original dub German: looking professional while ordering german beer
@tihmstar
tihmstar
6 years
Lol calm down guys. That 10.3.3 jailbreak isn't even done yet. Still missing: - proper sandbox patches to get cydia fully working (maybe) - patches to get mobilesubstrate working - offsets for anything but i5 10.3.3 - fancy app Still a lot of work :P
@tihmstar
tihmstar
5 years
Just successfully did my first ios backup over wifi to my Helios4 NAS server :D Soon everybody will be able to do automatic local backups of their idevices over wifi!
@tihmstar
tihmstar
5 years
But keep your headphone jacks and lightning adapters excited and stay on iOS 11! If you're not jailbroken, stay unjailbroken. If you are jailbroken already, that's fine as well. There is something cool coming #etason ™ ;)
@tihmstar
tihmstar
2 years
Finally *actually* arbitrary entitlements on iOS15 using @zhuowei ’s CT bypass. Thank you very much @xina520 for helping!
@tihmstar
tihmstar
5 years
Got kernel base :D But as you can see, this exploit relies on a headphone jack ._.
@tihmstar
tihmstar
7 years
Jailbreak 8.4.1 (32bit) #etason #etasonJB Be sure to verify SHA256 ;)
@tihmstar
tihmstar
4 years
It’s 2020 and i’m still kernelexploiting my iPhone in order to have 5 icons in the dock ._.
@tihmstar
tihmstar
2 years
@yarden_shafir 26 variable names a-z, then you gotta start re-using them for performance reasons and to save memory. Protip: declare them globally at the start of your file
@tihmstar
tihmstar
6 years
Thank you <3
@tihmstar
tihmstar
6 years
Icloud lock was my biggest concern, but since that's not an issue, there is no more reason not to release it. So jailbreak.me 4.0 sounds cool right? ;)
@tihmstar
tihmstar
5 years
alright, who's down to code some jailbreaks?
@tihmstar
tihmstar
2 years
got amfid task port! Bye bye codesign :D
@tihmstar
tihmstar
6 years
We just ported v0rtex to 32bit :D @s1guza is going insane lately!
@tihmstar
tihmstar
5 years
oh shit! the apple watch is vulnerable to checkm8, isn't it? :o
@tihmstar
tihmstar
5 years
How to jailbreak iOS12: - copy&paste this into v0rtex - replace the gc part in v0rtex with the technique used on jelbreakTime - fix some offsets :P - profit! wen eta expliot?!?
@S0rryMybad
SorryMybad
5 years
Here is the PoC of the bug I used to jailbreak can work before 12.1.2..The blog post about exploit on A12 will come soon.😀
@tihmstar
tihmstar
4 years
Everybody loves verbose booting right? Why not make a tool for it?
@tihmstar
tihmstar
5 years
Didn't plan to release it like this, but i'm now busy with other stuff and probably not gonna come back to this project. tfp0 exploit which *should* work up to 11.4.1 on headphonejack-devices. Didn't finish cleanup, but maybe it's still useful.
@tihmstar
tihmstar
5 years
Here are the slides to my #35c3 talk "Jailbreaking iOS: From past to present".
@tihmstar
tihmstar
2 years
In case you are curious, this is the ramdisk i'm booting in my checkm8-based iOS 15 jailbreak: When you reboot the device, all changes to rootfs are gone. I didn't care about persistence yet. Maybe it's useful for you, enjoy :)
@tihmstar
tihmstar
2 years
how come checkra1n was never updated to iOS 15? :o (temporary) jb is super easy and i’m sure file _persistence_ can be solved in a multitude of ways
@tihmstar
tihmstar
5 years
people who saved any kind of shsh blobs (on device, ota, regular) will soon be able to downgrade to any version without prior jailbreak! (given latest SEP is supported)
@tihmstar
tihmstar
6 years
Here you go :D
@tihmstar
tihmstar
5 years
btw exploit is in the works, which can work up to 11.4.1 already got kernel read ;) dunno if i can be bothered to find offsets for anything but iPhone6,2/11.2.6 though, or make the exploit work on phones without headphone jack ¯\_(ツ)_/¯
@tihmstar
tihmstar
4 years
Just got my new iPhone :D
@tihmstar
tihmstar
5 years
Congrats :D FYI: there will be an update to futurerestore which will allow you to downgrade without much hassle. Just need to do a few other things first
@moski_dev
matty
5 years
iPhone 5s 12.4.2 --> pwndfu with Checkm8 --> 10.3.3 using freshly grabbed OTA blobs. Glad to get this device off iOS 12! Big thanks to @axi0mX @tihmstar and @LinusHenze for their respective work!
@tihmstar
tihmstar
4 years
I gotta feeling that today’s the day to work on some jailbreaks :D
@tihmstar
tihmstar
5 years
passed my today's exam! yeay :D
@tihmstar
tihmstar
6 years
It's jelbrekTime !
@tihmstar
tihmstar
5 years
It begins :o
@Ralph0045
Raffaele
5 years
Successfully downgraded my iPhone 5S to iOS 10.3.3 using OTA Blobs. Many thanks to @tihmstar @axi0mX and @LinusHenze
@tihmstar
tihmstar
4 years
Finally a usable machine :D
@tihmstar
tihmstar
2 years
Congrats to Apple for killing checkm8-based jailbreaks without SEP exploits for endusers in iOS 16. A11 checkm8 based jailbreak is no longer practical without SEP exploit. Researchers are fine for now though
@tihmstar
tihmstar
5 years
I will soon be offering a 3-day training on how to compile software that i released on my github
@tihmstar
tihmstar
2 years
cs bypass, is that you? :o
@tihmstar
tihmstar
5 years
replaced the part which broke in iOS 12 with pipe buffers, now it works up to kread (12.1.2) Basically now just a few offsets need to be found. Code still on private branch until i can be bothered to fix the offsets to get it fully working at least on my device
@tihmstar
tihmstar
6 years
Just pushed h3lix RC2 which should fix the JavaScript bug
@tihmstar
tihmstar
4 years
Releasing ra1nsn0w! A tethered booter for 64bit iOS devices :D Right now this only lets you do iBoot patches, but in future releases it will also allow patching kernel and booting custom ramdisks ;)
@tihmstar
tihmstar
5 years
Just pushed iBoot64Patcher if you can figure out how to build it with latest liboffsetfinder you should be able to patch iBSS/iBEC and set custom bootargs (untested of course lol) i'll do lots of cleanups after i'm done with my exams
@tihmstar
tihmstar
6 years
Just found this in my mentions. I watched it so many times and it's still funny haha xD
@tihmstar
tihmstar
4 years
This is pretty dope! iPad Pro A12 on 13.3 (non-jailbroken) running firefox in sway in archlinux on UTM (qemu) x86_64.
@tihmstar
tihmstar
7 years
looks like this guy will be supported too on release :D i added offsets for iPad mini @s1guza added offsets for iPad 2 more to come :)
@tihmstar
tihmstar
5 years
Now this looks like a job for me So everybody just follow me
@tihmstar
tihmstar
4 years
lol
@tihmstar
tihmstar
5 months
To downgrade to iOS 1.0 you need to: - Restore to 3.1.3 - Restore 1.1.4 twice (will fail once waiting on NAND and once fail on Baseband) - Erase baseband with Ziphone - Restore 1.1.4 (successful this time) - Restore 1.0
@tihmstar
tihmstar
7 years
There is something in the works :D
@tihmstar
tihmstar
6 years
Thank you very much to everyone who submitted a logos/designs/etc. I got a lot of really good ones, some of them even with svg/psd/ai files, fonts and xcode projects. Wow! The logo has finally been chosen :D
@tihmstar
tihmstar
5 years
i finished the exploit enough to be useful for my purpose, which is porting the KPP bypass to iOS 11(.2.6 and up). However i unfortunately can't release the exploit standalone (as planned originally) just yet, since that would interfere with other people's projects :(
@tihmstar
tihmstar
5 years
Just pushed an update to liboffsetfinder and iBoot64Patcher to unlock nvram. I guess this is the first useful #checkm8 thing for the user at the moment. Basically you can boot up any version pwn iBSS/iBEC and set a generator in recovery which will be read on next boot.
@tihmstar
tihmstar
2 years
#leak offline version ._.
@tihmstar
tihmstar
2 years
oh the jailbreak works, just never turn on wifi on the device ._.
@tihmstar
tihmstar
7 years
Just restored my iPhone4s and rejailbroke. Exploit worked first try, seems pretty stable now :) #etason
@tihmstar
tihmstar
5 years
Definitely NOT yet *jailbroken* ! But at least he got kread and kslide working correctly, so it's surely going the right way :D #v3ntexOn32Bit
@tihmstar
tihmstar
4 years
So i purchased a PS4 on ebay, now how do i hack it? User-Agent: Mozilla/5.0 (PlayStation 4 7.02) AppleWebKit/605.1.15 (KHTML, like Gecko) Any suggestions?
@tihmstar
tihmstar
6 years
Progress?
@tihmstar
tihmstar
5 years
That website is SCAM obviously! Never install *any* mobileconfig profile from a website promising you a jailbreak ever!!!
@tihmstar
tihmstar
2 years
someone got access to @tihmstar ’s private checkm8 jb 🤔
@CStar_OW
CoolStar
2 years
@tihmstar
tihmstar
4 years
Success :D
@tihmstar
tihmstar
4 years
I gotta feeling that today’s the day to work on some jailbreaks :D
@tihmstar
tihmstar
2 years
I guess i can't help but tease you a bit more :P Here are the patches i used on my iPhone8 to boot into iOS 15.1 jb - remove passcode - kernelpatches may be incomplete (i didn't test tweaks, just sileo)
@tihmstar
tihmstar
5 years
I don't know why, but exploiting iOS is just incredibly fun to me! Here is my voucher_swap exploit, tested on iPhone5,2 11.2.6 :)
@tihmstar
tihmstar
6 years
OMG i spent so much time trying to figure out why i couldn't get mobilesubstrate working, until i realized it was all Anemone's fault -_-
@tihmstar
tihmstar
4 years
This took me waaaay too fucking long :o iPhone 8 verbose boot iOS 14 beta 3 Idk if it crashes mid-boot and reboots to stock, but atm i don’t even care
@tihmstar
tihmstar
2 years
@pattern_F_ @realBrightiup nice! @CStar_OW and i also managed to get root and list files in /Applications yesterday. We didn’t test reading files, but should be doable i think. Sandbox is still a pita, but we already have a few ideas :) Just a couple more steps for the real fun :D
@tihmstar
tihmstar
5 years
Releasing img4tool v2! A complete rewrite of the original img4tool with more features and improvements. You can now install the libimg4tool library for easier including in your projects :D Check it out now!
@tihmstar
tihmstar
7 years
Tested with iPhone4,1 9.3.5 and iPod5,1 9.3.5. First beta will officially only support these 2 devices. #etason
@tihmstar
tihmstar
5 years
All this time i was working on liboffsetfinder/iBoot64Patcher and didn't try verbose boot even once until now
@tihmstar
tihmstar
6 years
Beware: The jailbreak has not been tested on anything but iPhone5,2 10.3.3 !
@tihmstar
tihmstar
6 years
Since we currently have this unexpected ability to get to iOS 10.3: I'm currently in the process of helping @sticktron out with his g0blin JB for 64bit devices up to iOS 10.3.3 Now i can actually test stuff myself which is good :D
@tihmstar
tihmstar
6 years
Finally figured out how to map executable code into a process and how to patch rx memory! yeay :D Demo: -map in dynamic library to process -call its main -patch its rx memory -call main again
@tihmstar
tihmstar
2 years
Slides for the #NullconGoa2022 presentation "Jailbreaking iOS in the Post-Apocalyptic Age" with @CStar_OW can be found here:
@tihmstar
tihmstar
6 years
I don't get why all those iOS 11 jailbreaks are trying to deploy some kind of jailbreakd. Even without KPP/KTRR bypass there should be a much nicer and cleaner way with the help of publicly available code.
@tihmstar
tihmstar
6 years
Looks like if you patch up a few projects from libimobiledevice github, you can boot into recovery mode using the files from OTA updates
@tihmstar
tihmstar
5 years
Almost finished rewriting img4tool :D Pretty much only proper buildsystem is left to do. Way better codebase, bugfixes and more features #etason ;)
@tihmstar
tihmstar
7 years
Looks like @s1guza and i hacked it with just 2 offsets :P
@tihmstar
tihmstar
5 years
Again i will update futurerestore to make it an easy to use process, but for those who really can't wait this is a great tutorial :)
@moski_dev
matty
5 years
Guide to downgrade to 10.3.3 with OTA blobs on compatible devices is online!
@tihmstar
tihmstar
6 years
It's pretty cool what people came up with regarding 64bit downgrades with futurerestore: various nonce setters, forks, fixes, SEP/BB compatibility lists etc. I like that :)
@tihmstar
tihmstar
6 years
Anemone + h3lix = 10.2 32bit jailbreak :D
@tihmstar
tihmstar
6 years
Also a lot of people don't realize that mirroring jailbreak ipa's causes people to download outdated ipa's and spamming the developers with bugreports about things that have long been fixed. Seriously unless there is a license allowing you to do stuff, why don't you ask first?
@tihmstar
tihmstar
5 months
I finally reached the end of downgrading
@tihmstar
tihmstar
5 years
So my sister decided to put a perfectly good screen protector on this phone *after* she destroyed the phone xD
@tihmstar
tihmstar
5 years
don't update to iOS 13 beta. it's buggy as hell