Joshua L. Hill

Researcher Developer

Engineering and technology security expert with proven ability to innovate groundbreaking security products.

BlackHat 2012

Presented research on embedded security issues in Apple's low-level bootloaders and served as an expert on other iOS-related security questions at the Mobile Hacking II Workshop.

HackInTheBox Amsterdam 2012

Presented technical details of the vulnerabilities and exploits used in the Absinthe jailbreak for iOS 5.0.1, together with other members of the iOS Jailbreak Dreamteam.

JailbreakCon London 2011

Discussed the past and future of jailbreaking at the world's first jailbreak community convention.
6+ exploits developed

14 presentations and workshops

Skills

Programming Languages

C, C++, C#, Objective-C, Python, Perl, PHP, Java, Bash

Processor Architectures

x86, ARM & PPC Assembly

Embedded Programming

Embedded C/C++, MMU, UART, SPI, JTAG, MMIO

Operating Systems

Mac OS X, iOS, Android, Linux

Projects

iRecovery

Primary Developer

Open-source command-line tool and library (libirecovery) for communicating with iOS devices in Recovery and DFU mode over USB: sending iBoot commands and uploading files such as ramdisks, kernels, and exploit payloads.

Absinthe

Chief Architect and Primary Developer

Cross-platform framework used to develop sophisticated userland jailbreaks


libdyldcache: Reverse engineered and reimplemented the iOS dyld shared cache format.
libmachoman: Parses and alters the Mac OS X/iOS Mach-O binary format.
libmbdb: Reverse engineered and reimplemented the iOS mobile backup database format in order to parse and alter its data.
Developed the jailbreak tool for iOS 5.0.1 and 5.1.1, available for Mac OS X and Linux.
Provided the first public jailbreak of the iPhone 4S by chaining five separate exploits to gain code execution and bypass all iOS security protections, including ASLR, DEP, and the sandbox.

Note: the Absinthe framework was also used to build many other jailbreaks, such as evasi0n, p0sixspwn, unthreadedjb, and others.

GreenPois0n

Chief Architect and Primary Developer

Cyanide • Syringe • Anthrax


Cross-platform framework used to develop low-level bootloader jailbreaks for iOS 4.1.2, 4.2.1, and 5.0.1, available for Mac OS X and Linux. Released Oct 2010, updated Dec 2011.
Provided a persistent untethered jailbreak for the iOS devices of the time (except the iPhone 4S and iPad 2nd Gen).
Developed the Syringe and Cyanide modules, which handle host-to-device and device-to-host communication.
Added many new commands to the iOS firmware environment so that function and patch offsets could be located automatically on the device.
Provided an interface for hooking and fuzzing portions of the boot process that are otherwise hard to reach.
Allowed unsigned firmware and custom RAMDisks to be booted on iOS devices with BootROM vulnerabilities.
Implemented the 'limera1n', 'SHAtter', and 'steaks4uce' vulnerabilities.
Developed the Anthrax module for generating custom RAMDisks that modify the device filesystem.
Provided low-level system calls into the kernel and implementations of many common C functions for bootstrapping the system from a RAMDisk.

OpenJailbreak

Chief Architect and Primary Developer

A platform used as a community jailbreak


Publicly released many components of previous jailbreaks (greenpois0n and Absinthe), which had not been done before.
Focused on teaching new developers and sharing knowledge; a significant number of those developers have since become successful iOS hackers.

Exploit Development

PTMX Kernel Exploit

Feb 2014 - Out of Bounds Array

The PTMX facility failed to properly check that the minor device node number was within the bounds of the array it indexed, leading to arbitrary code execution. This exploit was used in the evasi0n7 jailbreak.

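
The bug class described above, as an added example (not XNU code, not part of this résumé): a character device resolves per-instance state by the minor number of the node being opened, and the check that is supposed to keep that index inside the table is wrong. Everything here is a constructed model with invented names and sizes; "kernel memory" is one flat array so the out-of-bounds read stays observable instead of being undefined behaviour. The vulnerable variant is off by one on the upper bound, which is one of the ways such a check fails; the real XNU check is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed model of a minor-number lookup with a broken bounds check.
 * PIS_TOTAL and the table layout are hypothetical; none of this is XNU.
 */
#define PIS_TOTAL 4   /* number of valid pty slots in the model */

/* Slots 0..PIS_TOTAL-1 hold (simulated) pointers to per-pty state.
 * The words after the table stand for whatever the allocator happened to
 * place next; in the model the attacker has filled them with chosen values. */
static uintptr_t kmem[PIS_TOTAL + 2] = {
    0x1000, 0x1010, 0x1020, 0x1030,   /* valid table entries */
    0x41414141, 0x42424242            /* adjacent, attacker-influenced data */
};

/* Vulnerable: the upper bound is off by one, so minor == PIS_TOTAL is
 * accepted and the word directly past the table is returned as if it were
 * a pointer to device state. */
uintptr_t vuln_get_ioctl(int minor)
{
    if (minor < 0 || minor > PIS_TOTAL)
        return 0;
    return kmem[minor];
}

/* Hardened: reject everything outside 0..PIS_TOTAL-1 before indexing. */
uintptr_t fixed_get_ioctl(int minor)
{
    if (minor < 0 || minor >= PIS_TOTAL)
        return 0;
    return kmem[minor];
}
```

Opening a device node whose minor number equals PIS_TOTAL makes the vulnerable lookup hand back 0x41414141 as a state pointer; the hardened version returns 0 (the model's NULL) for the same request.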
PTrace Process Hijack Sandbox Exploit

Feb 2012 - Sandbox Escape, iOS firmware 5.0.1

A process running inside the protected sandbox could abuse debugging calls to attach to an outside process that was not sandboxed and hijack its execution, bypassing the sandbox restrictions and reaching protected portions of the filesystem.
Discovered the vulnerability and analysed the XNU kernel to understand the limitations of the system call.
Assisted in implementing the exploit using only ROP gadgets so that it could be chained from within other exploits.

HFS Legacy Stack Buffer Overflow Kernel Exploit

Jan 2011 - Kernel Stack Buffer Overflow, iOS firmware 4.2.1

Insufficient boundary checks made it possible to overflow the function's stack frame while decoding the HFS volume name to Unicode.
Assisted in reverse engineering the HFS portions of the kernel binary for stack analysis.
Worked on encoding the volume string so that the Unicode decoding would be free of NULLs and characters above 0x7F would be decoded onto the stack correctly.

'SHAtter' BootROM Exploit

Aug 2010 - Memset Overflow, Apple A4 SoC

Sent specific USB packets in a particular order to trick the BootROM image validation routine into believing the uploaded image was larger than it actually was. After validation failed, the routine attempted to zero out the image data, causing the device to overwrite its own BSS and heap data with zeros.
Discovered the vulnerability and reverse engineered the USB sections to find the cause of the crash.
Performed extensive static analysis of the USB and image loading routines to propose several possible exploitation scenarios. Assisted in developing the exploit payload used to load unsigned images.

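
The failure mode described above, as an added example (constructed for this page; not Apple's BootROM code, and every name and size is invented): an image loader receives an upload into a fixed staging buffer, validates it, and on failure "cleans up" by zeroing the image. The defect is that the length it zeroes comes from the attacker-controlled header rather than from what was actually written into the buffer, so a failed validation turns into a memset that runs past the buffer into adjacent state. Memory is again one flat arena so the overwrite is visible without undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/*
 * Constructed model of a loader whose cleanup memset is sized from an
 * untrusted length.  IMG_BUF_SIZE, STATE_SIZE and struct upload are
 * hypothetical; nothing here is Apple's code.
 */
#define IMG_BUF_SIZE 64                 /* staging buffer for the uploaded image */
#define STATE_SIZE   16                 /* adjacent BSS/heap state in the model */
#define ARENA_SIZE   (IMG_BUF_SIZE + STATE_SIZE)

/* One flat region: [0, IMG_BUF_SIZE) is the image buffer; the rest stands
 * for whatever the linker or allocator placed directly after it. */
static uint8_t arena[ARENA_SIZE];

struct upload {
    uint32_t declared_len;   /* size claimed in the header / USB setup packet */
    uint32_t received_len;   /* bytes actually transferred into the buffer */
    int      valid;          /* result of image validation (signature, format) */
};

/* Fill the arena with a recognisable pattern so zeroing is detectable. */
static void arena_init(void)
{
    memset(arena, 0xAA, sizeof arena);
}

/* Returns 1 if the state after the image buffer is still untouched. */
int state_intact(void)
{
    for (size_t i = IMG_BUF_SIZE; i < ARENA_SIZE; i++)
        if (arena[i] != 0xAA)
            return 0;
    return 1;
}

/* Vulnerable loader: on failed validation, zero declared_len bytes.
 * A declared_len larger than the buffer runs the memset into the state. */
int vuln_load(const struct upload *u)
{
    arena_init();
    uint32_t copy = u->received_len > IMG_BUF_SIZE ? IMG_BUF_SIZE : u->received_len;
    memset(arena, 0x41, copy);              /* stand-in for the USB data copy */
    if (!u->valid) {
        uint32_t n = u->declared_len;
        if (n > ARENA_SIZE)
            n = ARENA_SIZE;                 /* model boundary only; the target has no such clamp */
        memset(arena, 0, n);                /* BUG: length taken from the untrusted header */
        return -1;
    }
    return 0;
}

/* Hardened loader: refuse oversized claims before any copy and, on any
 * failure, zero only what was actually written into the fixed-size buffer. */
int fixed_load(const struct upload *u)
{
    arena_init();
    if (u->declared_len > IMG_BUF_SIZE || u->received_len > IMG_BUF_SIZE)
        return -2;                          /* oversized upload rejected up front */
    memset(arena, 0x41, u->received_len);   /* stand-in for the USB data copy */
    if (!u->valid) {
        memset(arena, 0, u->received_len);  /* bounded by what was received */
        return -1;
    }
    return 0;
}
```

With an upload that claims 72 bytes, delivers 16, and fails validation, the vulnerable loader zeroes 8 bytes of the adjacent state; the hardened loader rejects the claim before touching memory. In the real target that zeroed region was BootROM BSS and heap, which is what the payload then built on.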
0x21,2 USB MSG iBoot Exploit

Oct 2009 - NULL Pointer Dereference, iPhone3G[s] and iPod Touch 3rd Gen

Uploaded specially crafted data and sent a specific USB packet, causing the ARM exception vectors to be overwritten and giving control of execution.
Assisted with exploitation techniques that overwrite the ARM interrupt vectors to redirect the instruction pointer.
Developed a payload that automatically locates the AES decryption routines, decrypts the firmware keys, and writes them to the device's framebuffer.

‘24kpwn’ BootROM Exploit

Mar 2009 - Segment Overflow, iPod Touch 2nd Gen & early iPhone 3G[s]

Flashed oversized firmware images to the device, overwriting parts of the BootROM's BSS and heap data with arbitrary data.
Assisted in reverse engineering various portions of the BootROM and contributed exploitation ideas.
Modified firmware images and manually brute-forced the stack offset of the return address used to gain control of the instruction pointer.

Presentations and Training

iOS Internals (guest trainer), 2016 - Washington, DC
Mobile Security Summit, 2015 - Beijing, China: What is OpenJailbreak pt2
JailbreakCon, 2014 - New York: What is OpenJailbreak pt1
HackInTheBox, 2012: Absinthe Dreamteam
HackInTheBox: Hacking iBoot for fun and profit pt1
HackInTheBox, 2014 - Kuala Lumpur, Malaysia: SHAttered Dreams
Blackhat, 2014 - Las Vegas: Intro to Qualcomm baseband hacking on iOS pt2
Blackhat, 2013 - Las Vegas: Intro to Qualcomm baseband on iOS pt1
Blackhat, 2013 - Syscan, Singapore: Hacking iBoot for fun and profit pt2
Blackhat, 2013 - Las Vegas: Hacking iBoot for fun and profit pt2
Blackhat, 2012 - Abu Dhabi, UAE: Hacking iBoot for fun and profit pt1
Blackhat, 2012 - Las Vegas (Training): Hacking iBoot for fun and profit pt1

Ventures

Sudo Security Group Inc. - Chief Research Officer, 2014 - 2020
Chronic-Dev LLC - Chief Architect & Senior Security Researcher, 2010 - 2012