Page 1 of 5

MOXiI 2 - State of the union - new

PostPosted: Tue Feb 07, 2017 10:58 pm
by morpheus
Hi everyone,

So - first I retired the old state of the union thread. It's still relevant, but only as for the general details of Volume III. But now there's more:

- Volume III has been updated to v1.3 (q.v., which is updated to 10.2. I know I basically said I've had enough of updating after 10.1.1 and mach_portal, but two things happened - one is Beer's PoC, and the other is Luca's Yalu - And both of them are in open source. This gives an unprecedented ability to not just consider the open source of the exploits, but also see two different approaches for the same bug. So I added some 12 pages including annotations on the sources, which should help people not only understand the jailbreaks, but also customize them for their own devices (which, arguably, with Luca's you don't need, but for Beer you do). I also managed to squash what I hope are the last of the typos.

- Now, seriously, I am d-o-n-e with Volume 3 (assuming iOS 11 doesn't bring something major) which means I can finally announce the COLOR EDITION!!!!!

- This will be HARDCOVER *AND* COLOR, which looks #$%$#%$#%#$ AWESOME and certainly helps readability. But - and there's a but - it's terribly expensive. Book printing costs for that are through the roof and it's heavier, which means it will be A) $125 for the book and B) (likely) $25 for shipping. And it will not be available via AMZN (which clobbers me with fees), but only through here. And when I say "here", I mean the forum. Not moxii3@. It's a privilege of sorts I want to give to people who actually check in from time to time, which is why I'm not tweeting about it.

- If you are interested in Volume 3, let me know if you would consider an open binder/spiral cover, which would enable you to add pages. It's a thought, and certainly makes the book look less snazzy, but given the updates, could make it a whole lot more useful.

- As for Volume I, since people are starting to ask :-) it's doing very well, thank you. I'm expecting v1.0 around May-June, BUT - depending on what AAPL announces for iOS 11/MacOS 13 , that might mean you'd want to wait until I get a chance to digest WWDC , the MacOS beta and the (thankfully, no longer encrypted) betas of IOS , because it will *Certainly* be affected by their updates. Volume III, btw, likely won't be majorly affected, since security-wise I don't see what else they could put in (well, save for SIP on iOS, maybe). But - I could be wrong.

- And yeah, I know I'm taking long on this, but please bear with me. From feedback I'm getting, people agree with me it's worth the wait to be meticulous, thorough, leave no stone unturned, and ensure this trilogy will remain definitive and relevant so I never EVER have to do a third edition.

That's all for now. Comments more than welcome.

Re: MOXiI 2 - State of the union - new

PostPosted: Mon Feb 20, 2017 8:10 pm
by nottab0t
Keep up the good work Jonathan. Received volume III a month ago, and although I'd love to see your thoughts on 10.2, my income just isn't flexible enough to justify another $125 for 10 additional pages. Thus, it shall remain a mystery to me. :)

Looking forward to volumes 1 and 2 though!

Re: MOXiI 2 - State of the union - new

PostPosted: Wed Feb 22, 2017 2:00 am
by morpheus

After such kind , heartfelt words, how can I refuse you.

But please, people - don't spread this PDF or Tweet about it. This is a bonus to people who actually participate in the forum and take the time to read posts.

Re: MOXiI 2 - State of the union - new

PostPosted: Wed Feb 22, 2017 9:16 pm
by vega01
Big thanks!!! :P

Re: MOXiI 2 - State of the union - new

PostPosted: Wed Feb 22, 2017 11:58 pm
by nottab0t
Woah! Too cool. You're the best.

Re: MOXiI 2 - State of the union - new

PostPosted: Thu Feb 23, 2017 12:25 am
by Siguza
Agreed, that's damn cool of you, man. :P

Re: MOXiI 2 - State of the union - new

PostPosted: Thu Feb 23, 2017 4:17 am
by backendbilly
Thanks :)

Re: MOXiI 2 - State of the union - new

PostPosted: Thu Feb 23, 2017 4:54 am
by morpheus
You're all welcome :D In fact - A big thanks to you guys, because you make my work worth it - not the $$$s the book makes.

But now show me some appreciation and provide me feedback. No excuses since you can all read this. Do so critically and tell me:

A) Did you understand it? from 0%-100%?
B) How could I improve?
C) Did you spot another potential design flaw in KPP? :-)

Re: MOXiI 2 - State of the union - new

PostPosted: Thu Feb 23, 2017 6:09 am
by backendbilly
I was honestly about to give a constructive criticism towards section 24 - Yalu (10.0 - 10.2). Here I go.

1. Beginning with a few quotes that do not appear to truly stand to the complexity of the discoveries in the chapter. I simply don't see how you can sweet-talk state machines. After all they'are state machines that can have only so many outcomes ;). The other quotes related to simplifying complicated things. How so? "The art of ignoring the bullshit" and "The art of evaluating reality". I personally think qwertyoruiop sucks at quotes :lol:
This is proof that exploitation is art.
The art of sweet-talking state machines.
The art of taking complicated things and simplifying them.
The art of ignoring the bullshit.
The art of evaluating reality.

2. The chapter goes on to mention all these wrappers such as "ReadAnywhere64", and "FuncAnywhere32" without much context into what they mean. Some googling revealed the Yalu source code. At first I wasn't truly sure if they were derived from kernel sources (which I thought was weird naming convention).

He seems to be piggybacking over IOConnectTrap4, passing arguments in a slightly shuffled order

I wasn't sure what to make of that but from reading the first time, I was completely lost.

triggered crahes

5. I personally find myself missing valuable information from Vol I and II to be able to make sense of some of the logic behind the jailbreak. For example, XNU's common_start, _start_common. There is so much going on in chapter 24 that I found myself that I need to do plenty of research to truly appreciate the inner workings of the jailbreak.

6. There is the section on "10.2: A deadly trap and a recipe for disaster", so the assumption is the top half is related to 10.0 to 10.1.1?

7. It is very much assumed that the reader is fluent in kernel inner workings based on the explanations and notes made to point out bugs etc.

In summary: Super technical with the assumption that readers are Ian Beer, Todesco, Pangu, and other kernel gurus. For casual readers, enthusiasts, power users, ... I personally feel much of it won't be fully comprehend without upfront, steep learning curve into the art of exploitation, reading upcoming vol I & II, and other sources. I'll have to read it probably 5 more times with lots of googling and source code review to truly appreciate and comprehend the technical jargon.

A) Did you understand it? from 0%-100%?

At this point, I would say 20%. Need to read it again and research some stuff up front.

B) How could I improve?

Some references and/or explanation to the technical jargon used such as kernel based function calls, objects, etc. In my opinion I believe this chapter (24) comes way after other necessary materials needed to make sense of technical jargon behind it.

C) Did you spot another potential design flaw in KPP? :-)

I personally did not.


Re: MOXiI 2 - State of the union - new

PostPosted: Thu Feb 23, 2017 1:07 pm
by morpheus


1) The quote - that was Luca's. In another exploit, which I think captures his manifesto well. I'm guessing it sounds more coherent if you smoke pot?

2) ReadAnywhere64: Read a 64-bit value from anywhere in kernel memory
FuncAnywhere32: Execute code in kernel space.

I admit I thought it was self explanatory at first, and then the code itself became open source. Bear in mind that there are references to read/func execution primitives all over part II of the book, however. But these are seriously detailed over two pages...

3) So the shuffling of arguments is later explained in 24-4 (433)

4) Crahes - %$#%$#$#! How many times I went over looking for typos, and STILL another one eludes me! #$%#$%$#%#$!!!!!!

5) Missing info: I concur. This IS volume III. Lots of the symbols are explained in Volume II. Can't change that.

6) Yep. Note the first page: "Yalu has later been updated to support 10.2 (wherein the mach_portal bug has been patched), by using a bug in mach_voucher_extract_attr_recipe_trap, discovered by Marco Grassi and then burned by Ian Beer as CVE-2017-2370. The bug is discussed here as well, with two different exploitation methods - Beer's, and Todesco's."

7) That can be said to hold true for most of Part II, again bearing in mind this IS volume III. I figured it already has enough value on its own for the interested reader without Volume II - which is being worked on.

And, yeah, well - super technical is right. But that was the intent. All of MOXiI 2 will be this way, btw, so be prepared people. I can't avoid that. The book is not meant to be digested in a single sitting, and requires re-reading, re-reading, and again re-reading to figure out the often too subtle points wherein I point out some darn obvious design flaws.