Zhuowei Zhang
Feb 26, 2023
set_saved_state_pc on macOS 13.3 beta 2 (22E5230e) now has an extra pair of
ml_pac_safe_interrupts_disable / ml_pac_safe_interrupts_restore
I wonder why: the MANIPULATE_SIGNED_THREAD_STATE macro already calls those; I don't see any security reason for this change...
pmap_sign_user_ptr_internal now checks for an invalid `key` at the very start and panics immediately.
Previously it panics after already calling ml_enable_user_jop_key.
I guess calling `panic` with userspace PAC keys makes `panic` panic?
Again, I don't see security impact
Jan 27, 2023
I got `tccd` to make a sandbox extension for reading/writing outside the sandbox on iOS 16.1RC, using Ian Beer's CVE-2022-46689 (MacDirtyCow) exploit
gist.github.com/zhuowei/bc7a90…
I can't do anything with this yet: I can't find anything to overwrite. Also, I don't have an offset finder.
I tried all the options from TrollTools using my sandbox extension, but only the "lock screen footnote" option worked; the rest all do nothing.
I guess sandbox extensions are less powerful than a TrollStore app with no-sandbox entitlement...
So yeah, kinda useless...
Jan 14, 2023
Ian Beer released his proof-of-concept for CVE-2022-46689 (MacDirtyCow):
bugs.chromium.org/p/project-zero…
His exploit accomplishes two things I didn't know were possible:
- writing the last byte in a 16k page
- taking over system daemons
Both of Ian Beer's solutions were clever:
- The bug only happens when the read/write addresses are unaligned.
I can't move the write address to the last byte because it would become aligned.
Ian Beer's solution: never move the write address; move the READ address instead
Dec 26, 2022
Made an app that overwrites the iOS system font using CVE-2022-46689.
github.com/zhuowei/WDBFon…
It works on iOS 16.1.2 and below on unjailbroken devices.
Four fonts are included: DejaVu Sans Condensed, Serif, Mono, and Choco Cooky (because Samsung).
Replacing the system font temporarily with CVE-2022-46689 should be safe: all changes are reverted after a reboot. Still, back up your device before using.
(And this only affects some text in iOS - the rest use different fonts, and I'm only replacing SFUI.ttf)
Dec 11, 2022
Transcript:
Flynn (labelled as "Implementation detail"): [takes a look at the satchel of Private API when suddenly...]
Rapunzel: [knocks Flynn out with the frying pan of Terrible hack]
--
Rapunzel: [drags Flynn (Implementation Detail) to the cabinet of Public API]
Aug 3, 2022
Simulating an overhead projector in VR:
You, an Intellectual: computes a projection of the 2D plane on arbitrary 3D polygons using vector math
Me: render lightmap from projector's PoV, texture target with lightmap
Experienced dev: only support projecting on flat (virtual) walls
Actual metaverse: ... don't let people show PowerPoints with a projector: just put a virtual 100-inch flat screen TV in the virtual conference room
Aug 2, 2022
Transcript:
Rainbow Dash: I'm not burnt out! (blows on burning thing)
Sunset: Let me see your calendar. These are unused PTO days!
Twilight: Hurry! This code moved too fast and broke all our things!
Sunset: Take a day off. Just trust me!
Rainbow Dash: OK. (Sunset shoves her into
Jul 26, 2022
Transcript:
Rainbow Dash: Meta's Q2 earnings... are down!
[$META collapses]
Applejack: [lets go of Hiring Plans] Pivot to VR!
Twilight: Are you crazy?
Applejack: I'm Web3! What's our biggest challenge?
Twilight: iOS and TikTok?
Applejack: It's people who shouldn't be here.
Jul 23, 2022
Learning Linus Henze's CVE-2022-26764 macOS 12.3.1 PPL bypass:
github.com/apple-oss-dist…
I hit this new panic on a patched macOS if I call
pmap_enter_options_addr on a dyld shared region virtual address.
So I just need to slot this into Bazad's googleprojectzero.blogspot.com/2020/07/the-co… TLB bypass?
I'm wrong:
If I pmap_enter_options_addr with a shared cache addr, the mapping reverts to shared cache after ~2 seconds:
before remap 36000639f9000bf5
pmap_enter_options_addr returned 0
wrote 4141414141414141
again 4141414141414141
again 4141414141414141
again 36000639f9000bf5
Jul 5, 2022
You call "self-confidence" "parmant" (en.wiktionary.org/wiki/parmantig, nl.wiktionary.org/wiki/parmant)?
- Yes: it's a French loanword.
Well, I've read the French dictionary cover to cover and I never saw a word like "parmant".
- Which French?
Canadian.
- Oh. It's a Vallée de la Marne expression ...
sorry if I missed the obvious, but the only French word I can find spelled remotely like "parmant" is "parmentier" (en.wiktionary.org/wiki/parmentie…), so... you're proud because you're served with potato in the style of Antoine-Augustin Parmentier?
Jul 4, 2022
I cast out the digits after the decimal in my floating point number, leaving them lost and `floor`orn
Ich habe alle Ziffern nach dem Dezimalpunkt in meiner Gleitkommazahl `Math.floor`en
Ik heb alle cijfers achter de decimaalteken in mijn drijvendekommagetal verdreven en vloer-en
This is still not enough to satisfy European Union regulations, since my best attempt at Spanish is
`Math.floor` pisotea las cifras detrás del punto decimal
May 30, 2022
Trying to decompile Hypervisor.framework by hand: github.com/zhuowei/HvDeco…
my decompiled version can actually start a virtual CPU (and immediately vmexit with esr=0x82000006 because, uh, I didn't map memory or set PC)
my jailbroken iPhone 12, with:
- my tweak that exports the Hypervisor.framework apis to userspace
- my decompiled Hypervisor.framework
gives me the same error as my Mac (esr=0x82000006) when I try to start my VM with no memory.
It works! It's completely useless, but it works.
May 16, 2022
Hear that whirring noise? That's the sound of 1,000 MacBook Pro fans spinning up as script kiddies open IDA and diff iOS 15.5 against 15.4.1 in a race to jailbreak 15.4.1 (This is obviously a joke: you'd want to diff macOS 11.6.5 against macOS 11.6.6 instead if you just want to see the security fixes)
May 1, 2022
I will run μClinux on this Panic Playdate by the end of today.
Let's go.
First I need to find out how to enter the bootloader.
The official documentation documents Left + Lock + Menu to mount internal storage (help.play.date/games/sideload…)
Down + Lock + Menu mounts a 10 MB "BOOT" segment.
SDK's pdutil can also enter both modes with `datadisk` and `recoverydisk`
Apr 25, 2022
People ask me, "you shirtpost about infosec so much: why don't you switch careers and study infosec yourself?"
It would take too long to gain the experience required to understand and implement attacks.
In 2020 I spent two months analyzing an iOS bug (worthdoingbadly.com/specialreply/). This bug was discovered by Project Zero, so I knew they would release their writeup (googleprojectzero.github.io/0days-in-the-w…)
I wanted to see how my writeup - written with no past knowledge of XNU - compares to their writeup, to see how much experience helps in understanding and exploiting bugs.
Jan 17, 2022
This "Back to the Future" rip-off (Intertwined) has its first dramatic shot of a clock in episode 1 at exactly 4m20s. This is going to be good.
Intertwined writers: "we made the main character too genre savvy, add red herrings so she doesn't guess the whole plot!"
Allegra: "hey, an audition for a theatre production of 'Freaky Friday'. Obviously that story can't happen in real life, thus I will never understand my mother"
Jan 16, 2022
Me, learning entirely the wrong lesson from the end of Encanto (spoilers):
bmV2ZXIgYmluZCB5b3VyIG1hZ2ljIHRvIGEgZm9jdXMgdGhhdCBjYW4gZGlzYXBwZWFyIChJIHNheSBhcyBJIGJpbmQgbXkgc291bCB0byBNaW5lY3JhZnQgQW5kcm9pZCdzIHN5bWJvbHMpCg== Me, learning the wrong lesson from the end of Encanto (spoilers):
hT eamig cnoylw ko eof rwt oeppoel- w ohb to hra eahnuet dybt ehl fi ehtyes ohlu'devh da .vEreoyeni nht enEactn ola lnuedsratdnt ah tht eebuayto fhtie ricytd pene dhwloylo nhtie rhctaleiaen'sa obimanlb eimesyr
Jan 7, 2022
Cobblers' children go barefoot, and VR metaverse committees meet via Google Docs
I had to specify "VR metaverse" since Google Docs is already a metaverse
Jan 4, 2022
til: SMS over VoLTE is based on GSM's SMS formats, not CDMA's.
Also til: CDMA has its own SMS formats... Here's a comparison: docs.huihoo.com/symbian/s60-5t…
In particular, CDMA implements emergency alerts using SMS, but GSM implements emergency alerts with separate Cell Broadcast messages
Dec 31, 2021
This YouTube upload of "Le bleu lumiere" (How Far I'll Go) is pitched up a semitone to avoid copyright strikes from Disney...
even though it's uploaded by Disney on their own official channel
(Spider-men pointing meme) (No, this isn't a PAL -> NTSC conversion bug: 50Hz -> 60Hz is like three semitones; I checked)
Dec 29, 2021
iPhones run Privacy Extension IPv6 addresses over VoWifi VPN, even when I assign a single /128 address:
Address assigned: fdad:dabb:ed:1::dead:beef/128
Requests from iPhone: fdad:dabb:ed:1:84f3:8782:907c:b57e (the last 64 bits change every time I reconnect)
This confuses my VPN
Next step: use rvictl (developer.apple.com/documentation/…) to capture real VoWifi traffic so I can do whatever my carrier does to get iPhones to not do this...