explaingit

34306/ios-exploit-starterpack

13 · CSS · Audience · researcher · Complexity · 5/5 · Active · Setup · easy

TLDR

Personal study collection of iOS security research notes organised as 8 phases from ARM64 and Darwin basics through XNU internals, exploit primitives, mitigations, and case studies.

Mindmap

mindmap
  root((ios-exploit-starterpack))
    Inputs
      Phase index
      Public exploit writeups
    Outputs
      Web pages
      Phase reading list
      Case studies
    Use Cases
      Self-study iOS internals
      Reference for exploit terms
      Bookmark research papers
    Tech Stack
      Markdown
      CSS
      Static site

Things people build with this

USE CASE 1

Use the 8-phase outline as a self-study syllabus for iOS kernel security research

USE CASE 2

Look up which mitigations like PAC, KTRR, PPL apply at which iOS generation

USE CASE 3

Find pointers to public case studies like checkm8, unc0ver, Dopamine, and Operation Triangulation

USE CASE 4

Build a tool list for an iOS reverse engineering lab from the Phase 7 inventory

Tech stack

Markdown · CSS

Getting it running

Difficulty · easy · Time to first run · 5min

It is a static notes site, no install needed, but the underlying material requires deep systems background to actually use.

In plain English

This repository is a personal study collection put together by its author on the topic of iOS security research. The README is openly informal: the owner explains that they made the pages for themselves so they can read the material from anywhere, and that they are not really expecting anyone else to be the main audience. The content is organised as a table of eight phases, going from beginner topics to more advanced ones.

Phase 0 covers foundations like ARM64 assembly, the C programming language, and how to set up reverse-engineering tools. Phase 1 moves into Darwin basics, the layer of macOS and iOS that includes the Mach-O executable format, code signing, app entitlements, the sandbox, and the dynamic linker called dyld. Phase 2 looks at the XNU kernel itself, including how Mach inter-process communication works, how virtual memory is laid out, and how the heap is organised into zones.

From Phase 3 onward, the material gets more focused on iOS security research. Phase 3 walks through the attack surface: IOKit drivers, system calls, and the broad categories of bugs that tend to appear in them. Phase 4 covers exploit primitives such as information leaks, kernel read and write, and what attackers do after they have those capabilities. Phase 5 catalogues the hardware mitigations Apple has added over the years (PAC, KTRR, CTRR, PPL, SPTM, TXM, and Exclaves). Phase 6 is a set of case studies based on publicly documented work like checkm8, unc0ver, Dopamine, Trigon, Operation Triangulation, Coruna, DarkSword, and write-ups by researchers Ian Beer and Siguza, with what the author describes as cross-cutting pattern analysis and proof-of-concept code. Phase 7 lists the tools and lab setup commonly used: IDA, Ghidra, lldb, Frida, plus notes on device setup and kernelcache analysis.

Beyond the table of contents shown above, the README does not include installation steps, code samples, or usage instructions.
The repository is mainly a set of web pages (the project language is reported as CSS), so the value sits in the rendered notes rather than in any executable code. No licence is mentioned in the README.

Copy-paste prompts

Prompt 1
Turn the 8-phase outline in ios-exploit-starterpack into a 12-week study plan with weekly goals
Prompt 2
Summarise the differences between PAC, KTRR, CTRR, PPL, SPTM, TXM, and Exclaves in one table
Prompt 3
Pick 3 case studies from the list and explain the bug class and exploit primitive each used
Prompt 4
Recommend prerequisite ARM64 and C resources someone needs before starting Phase 0
Prompt 5
Suggest a kernelcache analysis workflow with IDA, Ghidra, lldb, and Frida for a beginner

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.