MOXiI is now self-published, which enables me to keep the book continuously updated! Unlike a traditional print book, with which you have to wait for a new edition, I can update the original HTML file, reprint to PDF, and submit another batch to print! This will obviously not help copies already printed at that point, but any future copies going to print will automatically be as up-to-date as possible. This means that whenever one chooses to buy the book, he or she is guaranteed the latest and greatest edition. Think of it as you would of software - wherein new versions come out every so often.
Over time, this will inevitably open up quite a gap between any past-printed versions and the latest ones. Beginning with v1.0.1, I started this changelog to help people track "What's New". If you bought an older copy and, at some point, wish to re-purchase the latest version of the book, please drop me a note and inform me you already have a previous version. I would be happy cut you a $15/0.05BTC discount when you get a new copy. Note that you have to use BTC or Paypal for that - I can't do that via Amazon, sorry. (And, hey - when's the last time a publisher offered you such a discount on upgrade?)
The MOXiI Volume I Change Log
|02/06/2018||1.0.2||Dozens of typos caught by Guido Soranzio - Thank you SO MUCH
|03/06/2018||1.0.3||iOS 9 did not leave behind the iPhone 4. iOS 8 did...
The MOXiI Volume III Change Log
|10/17/2016||1.0||Initial version, sent to mass production for very first time :-)|
|11/04/2016||1.0.1||TONS of typo fixes, thanks to Eddie Cornejo!
Rounded edges on outputs/listings.
|11/16/2016||1.1||Pangu 9.3.3 chapter (#21) added|
|01/10/2017||1.2||Pegasus/Trident chapter (#22) added
Mach_portal (Ian Beer's awesome 10.1.1 chain) chapter (#23) added (thanks, Ian!)
Yalu+mach_portal (Luca's KPP bypass) chapter (#24) added
Miscellaneous typo fixes by @timacfr - Thank you!
|02/04/2017||1.3g||Added Yalu 10.2 and CVE-2017-2370 exploit detail to chapter #24
A few typos in the appendix fixed (Thanks, jimmers!)
|03/21/2017||1.3.1||MACF coverage of priv_check changes from 2782 through 3789
Added LiberTV mention, naturally :-)
Just a few more typos..|
Coverage of Phœnix Jailbreak - as Chapter 22½, so as to not disrupt existing chapter numbering
- Updates to sandbox (new operations:
dynamic-code-generation, fs-rename, fs-snapshot-revert, ipc-posix-sem*, managed-preference-read, socket-ioctl)
- Code signature v20400 and use of detached in iOS 11
CSR_ALLOW_* constants (256, 512) for SIP
One year later :-)
What are hopefully the LAST $#$#% typo corrections (Thanks, Ian!).
amfid's role in kext verification (MacOS 13)
The new SystemPolicy.framework
Figure 5-4 updated for Code Signature 0x20400 (iOS11) (see below)
Figure 5-22 (Apple MIB hierarchy) slightly updated
CS_OPS_CLEARINSTALLER in Table 5-28
Fix table 6-17 which somehow remained with missing cells all this time
sandboxd (MacOS) new MIG messages in MacOS 13
A little more on datavault SIP (MacOS 13)
Detail on KTRR (KPP-successor in iPhone 7 and onwards) thanks to XNU 4570 sources
|12/01/2017||1.4.3||Added slot -6 to code signing special slot, note on DMG signing
Clarified a blatantly obvious (and pretty nasty) 0-day (in Chapter 5) that's still in iOS and even more so MacOS 10.13 with SIP - which for some reason isn't obvious enough, after a year the book has been out..
A few more typos I could have sworn I eradicated yet @DubiousMind caught
Sandbox_ms (mac_syscall) changes in 570 and 765:
(AAPL: if you're reading this, try to not renumber in the future, it messes up my tables)
- vtrace (0x13)
- check_bulk (0x15)
- reference_retain_by_audit_token (0x1c)
- reference_release (0x1d)
- rootless_allows_task_for_pid (0x1e)
- rootless_preflight (0x20)
- rootless_protected_volume (0x21)
- rootless_mkdir_protected and datavault conversions(0x22)
- Chapter 25:
- Ian Beer's IOSurface 11.1.2 exploit (CVE-2017-13861)
- Discussion of post exploitation techniques and the new Jailbreak toolkit
|03/15/2018||1.5.1|| Two really tiny typo fixes ($HOME)/.ssh in Ch1 and missing parentheses in Ch25)
Corrected HT20194 to HT201954 (pg 254)
Clarification in Table 8-28: The first entitlement is held by requester, the other two by target (Thanks to 0xdead10cc!).
Also made note "The extensions are stored (along with other Sandbox related data) in the second MACF label slot (that is, #1) accessible from the process credentials (q.v. Listing 3-7)" before introducing |
sbtool, after Table 8-23.
Volume III's v1.5 version is the FINAL update (1.5.1 notwithstanding, since it was typo fixes and a clarification). I don't foresee any major jailbreaks until iOS 12 - which I don't aim to "support". Further, any such JBs would end up using the post-exploitation techniques described in Chapter 25 anyway. Also, the book is now about 530 pages - so that's it. If you were waiting for a time to get/update the book - I'd suggest now.
- 09/03/2017 - Figure 5-4: Code signatures have since been updated - and the new format (0x20400) is shown below:
- 10/17/2017 - DMG signatures: Whilst covering DMGs in Volume I (out next week!) I realized I omitted that as of somewhere in 10.11.x DMGs can be signed with embedded, not just detached signatures. This adds special slot -6, and hashes the entire DMG (sans koly and, obviously, signature) as the single slot 0 of the signature. This will be put into v1.4.3 and later.
- Table 8-19:
distributed-notification-post is, of course, to post to Distributed Notification Center, not Darwin
- Chapter 22.5, discussion of
mach_ports_register: The explanation should make it clear the bug is in the kernel-side MIG generated code. Readers might get the impression the bug is in Listing 22a-7. A better explanation (put into versions after 1.4 and the PhJB PDF) would be:
The call to this code is automatically generated by the Mach Interface Generator (MIG, q.v. I/11), which takes care (in user-mode) of properly initializing the portsCnt variable so that it matches the length of the OOL ports descriptor sent in the message. But user-mode MIG can easily be bypassed, and its code tweaked to deliberately mismatch the two values. The sanity checks restrict the value of portsCnt to be between 1 and 3 - but the kernel-side MIG checks fail to validate that it actually matches the number of ports in the ool descriptor itself. This still allows for an out of bounds condition, wherein extra port elements in kernel memory can be read - and then dereferenced - leading to a Use After Free (UaF) bug.
- Chapter 25 - The QiLin Toolkit - Page 486 - "and in particular the task_for_pid/com.apple.system-task-ports" - mistakenly inserted as the result of a vi '.' operation. Should just be ignored (considering that this specific entitlement pair is held by
ps, as shown already at the top of the same page, before the listing.
Q: and how can we early buyer get these updated contents?
A: see per above. With the Pangu Chapter, I made that public, but I can't do that for every chapter. Again, I MUST apologize for not being able to concoct some "update" scheme wherein I nickel and dime for so and so extra pages. But I can't do that because (A) it would be nickel and diming and (B) I can't track already 500 copies in first month or so. Before you get riled by this, pause for a sec and realize that you wouldn't expect that from any "traditional" print book, which grows obsolete as soon as it sees print.
Q: wen eta Trident/Pegasus: v1.2. and it's out
Q: what about the other volumes: Working on them. Volume I is next (soon, I hope). Then Volume II. It's just relatively easy to update an existing volume and keep it up-to-date.
Q: why does the book not have an index? Because doing one over HTML by hand is Sisyphean and certainly beyond my feeble capabilities. I did add a glossary in v1.3, though. And I'm working on making an online index.
Q: wen volume I? It's out already.
Q: wen volume II? Soon, but not too soon.
* - (of course I said that after 10.1.1, but - hey - at least I'm trying to keep up with this manic pace of jailbreaking!)