Official references:
- ARMv8 Instruction Set Overview (short, kinda outdated at this point)
- ARMv8 Architecture Reference Manual (long)
- ARM A-Profile Exploration tools (same as above, but in machine readable form)
- ARM System Architecture Software Standards (ABIs, extensions, etc.)
- Clang Pointer Authentication ABI
My own doing:
Tip
Both infocenter.arm.com and developer.arm.com are outright nightmares to navigate, and search engines don't help either. But if you have any ARM document as a PDF and want to check for a newer version, there is a neat trick. At the bottom of any page of the PDF, you should have a document identifier like so:
That should have the form ARM XXX ddddX.x. Take the three letters and the following four digits, convert them to lower case (in this case, ddi0406) and construct a URL like so:
https://developer.arm.com/docs/XXXdddd/latest (in this case https://developer.arm.com/docs/ddi0406/latest)
Mach-O
- m4b - Mach-O binaries
- Jonathan Levin - DYLD DetaYLeD
- Jonathan Levin - Code Signing
Sandbox
- Jonathan Levin - The Apple Sandbox (Video and Slides)
- iBSparkes - Breaking Entitlements
- stek29 - Shenanigans, Shenanigans!
- argp - vs com.apple.security.sandbox
IPC
- Apple - Mach (Overview and API documentation (inside the XNU source in osfmk/man/index.html))
- nemo - Mach and MIG (examples are outdated and for PPC/Intel, but descriptions are still accurate)
- Ian Beer - Apple IPC (Video and Slides)
File Systems
- Apple - APFS Reference
- stek29 - LightweightVolumeManager::_mapForIO
- bxl1989 - Understanding and Attacking Apple File System
Kernel
- Apple - Kernel Programming Guide
- Apple - IOKit Fundamentals
- Apple - About the Virtual Memory System
- qwertyoruiopz - Attacking XNU (Part One and Two)
- Stefan Esser - Kernel Heap
- stek29 - NVRAM lock/unlock
Kernel Integrity
- xerub - Tick Tock
- Siguza - KTRR
- Jonathan Levin - Casa de PPL
- Brandon Azad - KTRW: The journey to build a debuggable iPhone (Blog Post and Video)
Control Flow Integrity
- Brandon Azad - Examining Pointer Authentication on the iPhone XS
- Qualcomm Product Security - Pointer Authentication on ARMv8.3
- Roberto Avanzi - The QARMA Block Cipher Family (Paper and Presentation)
- Roberto Avanzi - Crypto that is Light to Accept
- Rui Zong and Xiaoyang Dong - Meet-in-the-Middle Attack on QARMA Block Cipher
Hardware Mitigations
- Siguza - APRR
- Siguza - PAN
- Sven Peter - SPRR & GXF
- VoidiStaff - JITCage
Software Mitigations
- blacktop - Anatomy of Lockdown Mode
- Csaba Fitzl - Launch and Environment Constraints Deep Dive
Web
Remote Targets
- Natalie Silvanovich - The Fully Remote Attack Surface of the iPhone
Hardware
- Ramtin Amin - Lightning Connector
- Ramtin Amin - NVMe NAND Storage
- Ramtin Amin - iPhone PCIe (dumping the 6s BootROM)
- Nyan Satan - Apple Lightning
SEP
- Tarjei Mandt, Mathew Solnik, David Wang - Demystifying the Secure Enclave Processor
- David Wang, Chris Wade - SEPOS: A Guided Tour
Bootloader
- Jonathan Levin - iBoot
Memory Safety
- Saar Amar - An Armful of CHERIs
- Saar Amar - Security Analysis of MTE Through Examples (Video and Slides)
- Saar Amar - Firebloom (Introduction, Type descriptors)
- geohot - evasi0n7
- Jonathan Levin - TaiG 8.0 - 8.1.2 (Part One and Two)
- Jonathan Levin - TaiG 8.1.3 - 8.4 (Part One and Two)
- Jonathan Levin - Who needs task_for_pid anyway?
- qwertyoruiopz - About the “tpwn” Local Privilege Escalation
- Ian Beer - task_t considered harmful
- jndok - Exploiting Pegasus on OS X
- Siguza - Exploiting Pegasus on iOS
- Ian Beer - mach_portal (write-up and presentation slides)
- Ian Beer - Exception-oriented exploitation on iOS
- Jonathan Levin - Phœnix
- Gal Beniamini - Over The Air (Parts One, Two and Three)
- Siguza - v0rtex
- Ian Beer - async_wake_ios
- Siguza - IOHIDeous
- Jonathan Levin - QiLin (PDF and API)
- Brandon Azad - A fun XNU infoleak
- jeffball - Heap overflow in necp_client_action
- xerub - De Rebus Antiquis
- Ian Beer - multi_path
- Brandon Azad - blanket
- Brandon Azad - voucher_swap
- iBSparkes - MachSwap
- Ian Beer - Splitting atoms in XNU
- Natalie Silvanovich - The Many Possibilities of CVE-2019-8646
- Google Project Zero - A very deep dive into iOS Exploit chains found in the wild
- Ian Beer - Parts One, Two, Three, Four, Five and Implant Teardown
- Samuel Groß - JSC Exploits
- a1exdandy - Technical analysis of the checkm8 exploit
- Ned Williamson - SockPuppet
- littlelailo - Tales of old: untethering iOS 11 (Video and Basic Rundown)
- Samuel Groß - Remote iPhone Exploitation (Parts One, Two and Three)
- Siguza - cuck00
- Justin Sherman - used_sock
- Samuel Groß - Fuzzing ImageIO
- Siguza - Psychic Paper
- Brandon Azad - One Byte to rule them all
- Brandon Azad - The core of Apple is PPL: Breaking the XNU kernel's kernel
- windknown - Attack Secure Boot of SEP
- Ian Beer - An iOS zero-click radio proximity exploit odyssey
- Alex Plaskett - Apple macOS 6LowPAN Vulnerability
- Luca Moro - Analysis and exploitation of the iOS kernel vulnerability CVE-2021-1782
- Alex Plaskett - XNU Kernel Memory Disclosure
- Jack Dates - Exploitation of a JavaScriptCore WebAssembly Vulnerability
- Mickey Jin - CVMServer Vulnerability in macOS and iOS
- K³ - Writing an iOS Kernel Exploit from Scratch
- CodeColorist - Mistuned Part 1: Client-side XSS to Calculator and More
- CodeColorist - Mistuned Part 2: Butterfly Effect
- Justin Sherman - CVE-2021-30656 kernel info leak
- Samuel Groß - Attacking JavaScript Engines
- Samuel Groß - Compile Your Own Type Confusions
- Adam Donenfeld - (De)coding an iOS Kernel Vulnerability
- xerub - The Bear in the Arena
- Linus Henze - Fugu14
- Justin Sherman - Popping iOS <=14.7 with IOMFB
- Ian Beer & Samuel Groß - A deep dive into an NSO zero-click iMessage exploit
- Ian Beer & Samuel Groß - FORCEDENTRY: Sandbox Escape
- Ian Beer - CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability
- Ian Beer - CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers
- Ivan Fratric - DER Entitlements: The (Brief) Return of the Psychic Paper
- Félix Poulin-Bélanger - kfd
- Asahi Lina - AGX Exploit
- Gergely Kalman - librarian - a macOS TCC bypass in Music and TV
- Ian Beer - An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit
- DFSEC - That's FAR-out, Man
- Mickey Jin - xpcroleaccountd Root Privilege Escalation
- Alfie CG - Trigon: developing a deterministic kernel exploit for iOS
- Alfie CG & opa334 - The state of iOS jailbreaking in 2025
- Siguza - tachy0n
- qwertyoruiopz - iOS Reverse Engineering (Wiki and Papers)
- Google Project Zero - All the bugs Ian Beer has killed
- Google Project Zero - All Apple bugs
- Google Project Zero - A survey of recent iOS kernel exploits
"Hack Different" is a Discord server about hacking, reverse engineering and development loosely on and around Apple platforms.
It has a relaxed atmosphere and is a great place to hang out and connect with fellow researchers and enthusiasts.
