I do security research on Apple platforms and WebKit. This blog is where I dump my notes — what I broke, how I broke it, and what went wrong along the way.

Things I’m currently poking at:

  • Writing end-to-end exploits for JavaScriptCore — DFG JIT type confusion all the way to arbitrary memory read/write on stock iPhones, fighting with NaN-boxing, heap feng shui, and WASM global slot tricks
  • Built amfree, which hooks amfid via an ObjC runtime swizzle on Apple Silicon to bypass code signing without disabling SIP
  • Diffing Apple security patches to figure out what they actually fixed. Like CVE-2026-20660 — one missing lastPathComponent call in the gzip FNAME handler and Safari gives you arbitrary file write
  • The usual Frida / IDA / cross-arch debugging tooling stuff

Posts have full technical detail — IR dumps, disassembly diffs, memory layouts, working PoC code. I also write up the failed attempts, because honestly that’s usually the most useful part.

All content is for legal, authorized research and educational purposes only.