HackerTrans
TopNewTrendsCommentsPastAskShowJobs

FluGameAce007

no profile record

Submissions

[untitled]

1 points·by FluGameAce007·10 miesięcy temu·0 comments

Apple A17 Pro Chip Hardware Flaw?

github.com
39 points·by FluGameAce007·10 miesięcy temu·26 comments

[untitled]

21 points·by FluGameAce007·11 miesięcy temu·0 comments

[untitled]

1 points·by FluGameAce007·11 miesięcy temu·0 comments

[untitled]

1 points·by FluGameAce007·11 miesięcy temu·0 comments

iOS 18.5 Bluetooth Privacy Vulnerabilities

github.com
78 points·by FluGameAce007·11 miesięcy temu·25 comments

Apple's Bluetooth trust persists after cryptographic failure (iOS 18.5)

substack.com
2 points·by FluGameAce007·w zeszłym roku·2 comments

iOS 1-Click Crypto Theft: Apple Fixed It, Google Shared It, Researcher Left Out

substack.com
7 points·by FluGameAce007·w zeszłym roku·1 comments

iOS Exploit Chain and Remaining Unpatched Surfaces

josephgoydish2.substack.com
2 points·by FluGameAce007·w zeszłym roku·0 comments

comments

FluGameAce007
·10 miesięcy temu·discuss
Disables request signing if the config “Bag” fails to load (e.g. DNS block, timeout).

Unsigned requests are sent directly to Apple APIs. No fallback, no integrity checks. Replay and downgrade attacks are possible.

Includes syslog evidence + PoC sketch: https://github.com/JGoyd/ams-failopen

Not theoretical — this was observed live in the wild.
FluGameAce007
·10 miesięcy temu·discuss
If debug logic can be reactivated... even briefly, even locally; then all bets are off for things like firmware extraction, secure boot bypass, or SEP fault analysis.
FluGameAce007
·10 miesięcy temu·discuss
But the issue isn't about parsing log semantics...

It's that a production device entered a state where normally fused-off debug logic became accessible. That shouldn’t be possible, regardless of how the logs were captured or named.
FluGameAce007
·10 miesięcy temu·discuss
If debug logic is still active, attackers with physical access can dump firmware, extract secrets, or bypass protections that should be fused off.

Think: stolen phones, shady repair shops, or border checks — cases where physical access + this flaw = real risk.

That’s why a hardware recall may be necessary... fuses are meant to be irreversible. If they fail, there's no patch.
FluGameAce007
·10 miesięcy temu·discuss
The device "recovering" while entering debug mode on production hardware is the security issue. Fuses are supposed to prevent that. They don’t. That’s the flaw.
FluGameAce007
·10 miesięcy temu·discuss
If a circuit breaker melts and causes other circuits to misbehave, we don’t say “big whoop”... we call it a fire hazard.
FluGameAce007
·10 miesięcy temu·discuss
Yes, it’s a security flaw, because debug logic is active on production hardware that should have it permanently fused off.

Worse, the system prunes logs aggressively, erasing the very diagnostic history that could expose this behavior. So not only is debug logic unintentionally enabled, the evidence is self-erasing.
FluGameAce007
·10 miesięcy temu·discuss
True.. I2C lockups are a known limitation, not a bug. But this isn’t about bus contention. The issue is that debug logic is active on production-fused silicon, despite dev-fused = 0 and debug = 0x0. That’s a hardware trust failure, not a design trade-off. Fuses are supposed to make debug paths unreachable—but they’re not. That’s the problem.
FluGameAce007
·10 miesięcy temu·discuss
This isn't just a bug... it's a hardware-level oversight that can cause iPhones to silently fail during boot, leaving no logs, no recovery mode, and no forensic trace.

The flaw is triggered by abrupt power loss (e.g. during brownouts or unstable charging), preventing the secure world and logging subsystems from initializing. Confirmed it on real A17 Pro device.

Curious if others can reproduce this, or if similar behavior exists in M-series chips.
FluGameAce007
·11 miesięcy temu·discuss
Observed on a production-fused A16 Bionic devices (e.g., iPhone 14 Pro Max),the internal debug pathways activating under stock iOS (debug = 0x0, dev-fused = 0). SecureROM, firmware, and co-processors all exhibit debug behavior without jailbreak, tampering, or provisioning profiles.

This violates Apple’s hardware trust model and exposes internal diagnostics meant for development silicon.
FluGameAce007
·11 miesięcy temu·discuss
This post details an active vulnerability chain on iOS 18.6.2 involving malformed Siri Shortcuts that persist in the background, abuse system daemons, and tolerate TLS trust mismatches. Full report with logs and CVSS scoring available on GitHub. Reproducible in production
FluGameAce007
·11 miesięcy temu·discuss
A forensic analysis of iOS 18.6 reveals a silent data exfiltration sequence initiated entirely by Apple system daemons — no app involved, no permission prompt, no UI indicator. In a ~3-second window, nsurlsessiond and symptomsd transferred ~5MB of data over the network. This activity is not tied to any userland app, does not trigger any TCC prompt, and cannot be viewed or controlled in iOS privacy settings.

Sequence of events:

tccd preflights access to Reminders (TCC-protected) with no app context

abm-helper, CommCenterRootHelper, and cfprefsd coordinate via Mach/XPC

sosd attempts to write to a sensitive communications safety plist

nsurlsessiond purges its cache

symptomsd logs 5MB+ of RX/TX traffic — with no app running

There is:

No telemetry toggle

No EDR/MDM visibility

No disclosure from Apple

This breaks the app-based sandbox and represents:

A system-native stealth exfil pipeline

Cross-daemon privilege chaining

A real privacy and compliance blind spot
FluGameAce007
·11 miesięcy temu·discuss
"Preflight=yes" bypassing user prompts is not expected or documented behavior... period.

The fact that internal system daemons can silently trigger access to TCC-protected domains (like Contacts, FaceID, Microphone, and Bluetooth) without app association or user consent breaks Apple’s own stated privacy model.
FluGameAce007
·11 miesięcy temu·discuss
What is surprising is that it's accessing my camera, contact list and my mic...
FluGameAce007
·11 miesięcy temu·discuss
Using only Apple’s official diagnostic tools (Console.app) on a clean, non-jailbroken iPhone 14 Pro Max, the following issues were observed:

System daemons silently initiate Bluetooth Low Energy (BLE) scans without app activity or user interaction.

GPS location harvesting occurs with no prompts, indicators, or active apps.

Internal frameworks bypass Apple’s Transparency, Consent, and Control (TCC) protections using undocumented flags.

Bluetooth trust metadata (e.g., IRKs, pairing history) is exposed even when devices are disconnected.

Cryptographic failures are silently ignored during trust operations.

These behaviors suggest an integrated telemetry pipeline that operates beneath iOS’s user-facing privacy model. The full report includes logs, technical breakdowns, and reproduction steps.
FluGameAce007
·w zeszłym roku·discuss
I discovered this while analyzing system logs during unrelated testing. What began as an anomaly led to repeatable behaviors — silent BLE scans, GPS activation, trust logic continuing even after keychain failures. I used Console.app on a clean iPhone 14 Pro Max running iOS 18.5 — no jailbreak, no third-party tools.

Full details are in the post, along with raw footage and a downloadable report. I'm open to technical discussion and critique.
FluGameAce007
·w zeszłym roku·discuss
In December 2024, I reported a one-click iOS vulnerability triggered by playing a malicious MP4 audio file via iMessage or SMS. The exploit chain included:

AudioConverterService – memory corruption, AppleBCMWLAN.dext – kernel-level escalation, CryptoTokenKit – silent ECDSA key exfiltration enabling crypto theft.

Despite submitting the report to Apple (ID OE19648805943313), I received no acknowledgment or credit. On April 11, 2025, I forwarded the same working exploit to Google. Days later, Apple patched the issue under CVE-2025-31200, with credit going to Google—not the original researcher.

The linked post documents the full timeline, attack chain, and its potential connection to real-world crypto theft. I am posting for transparency to users.