Jailbreaking, China and Playing the Racial Discrimination Card

A number of people might know that not long ago I gave a talk titled “iOS 678 Security – A study in fail” at SyScan 2015. In this talk I exposed the really bad security track record of Apple Security since the iOS 6 jailbreak in early 2013. I showed in detail how Apple kept ignoring vital elements of the exploitation chains, which made succeeding jailbreaks easier, because they could reuse previous techniques developed by the evad3rs. I also showed how Apple repeatedly failed to fix the same vulnerabilities over and over again, which again helped a lot in the development of the iOS 7.x and iOS 8.x jailbreaks. I ended my presentation (as previously announced) with a discussion of the new phenomenon that iOS jailbreaks have been coming from China since mid-2014. As part of this discussion I compared previous jailbreaks, which were all made by western security researchers and hackers, with those new Chinese ones. During that talk I exposed a number of things that the guys behind Pangu did not want to see exposed to the public, so they wrote a big blog post accusing me of racial discrimination to distract people from the presented facts.

During the talk I presented a number of facts about previous jailbreaks.

  • previous jailbreaks were made by people from western countries
  • these jailbreakers used methods for jailbreaking that tried hard to not violate copyrights, contracts, software licenses, which severely limited them
  • they were releasing a lot of open source code for other iOS researchers to use
  • they applied kernel patches like task_for_pid0 in their jailbreaks to be completely open for other researchers that need to have access to the kernel
  • they did not get paid (“sponsored”) but tried to get by with donations
  • they basically made peanuts compared to information security companies who used their work to offer professional iOS consulting, forensics, etc…
  • and I also mentioned how this all combined made them decide to move away to different targets

After presenting the past of jailbreaking I switched over to the new breed of jailbreaks that all come from China.

  • I mentioned that all jailbreaks since then came from Chinese hackers – which is a fact
  • I mentioned that these new jailbreaks are financed by Chinese app stores, which is a fact and kinda admitted by Pangu and TaiG and easily visible from the fact that they bundle these app stores. However, Pangu wants to stress that this is not payment but “sponsoring”, and they make fun of the one million USD number that I mentioned. Well, I remember a conversation with a leading Pangu member in his hotel room where he told me, when he was trying to buy vulnerabilities from me: “you know these numbers they are rumoring about how much evad3rs made? They are real.” Also, the offer of “up to 1 million sponsoring” was sent by email to several different people involved in iOS jailbreaking by different Chinese companies in 2012/2013.
  • I mentioned that Chinese jailbreakers have been trying to buy/acquire vulnerabilities to achieve jailbreaks. This is a fact I know, because different teams repeatedly tried to buy from me, and I also show a Twitter discussion on my slides that shows that Pangu offered 100k USD to another jailbreaker. It is questionable how they can afford that if they really only get “sponsored” to buy new iDevices. But it is also questionable how they can afford to organize security conferences in expensive Chinese hotels when they only get these small amounts.
    And by the way, here are Twitter DMs from the Pangu member that attended my training in which he basically admits that he talked about buying/selling vulnerabilities for/to Pangu, something Pangu has officially stated to never do.
  • By the way: the people behind TaiG even have a website where they ask the community to share vulnerabilities – they do not even try to hide it.
  • I continued to state that Chinese jailbreaks have been using shady methods like “stolen” enterprise certificates in their jailbreaks. This was then disputed by Pangu. They claim those enterprise certificates were neither stolen nor leaked and that they would be so cheap that they could simply buy them. But by stating that, they basically admitted in public that they have signed/would sign an iOS Enterprise Development Program contract with Apple to get a cert and then violate the contract by using it in a jailbreak. I do not know if admitting that in public was a good idea considering the amount of lawyers Apple has.
  • I then stated that so far Chinese jailbreaks have incorporated a lot of code written by other people that was either public or private, and they did not take into consideration that things like software licenses exist. For example, they took software from my training that does not come with a license that would allow worldwide distribution. They have also taken code from planetbeing that was put on GitHub without a license, which makes it kinda unfree. Pangu keeps mentioning that they did not sign an NDA for my training and somehow believe that makes it okay to take actual software (not mere vulnerabilities) written by me and release it under their own name.
  • The next thing I discussed was how lucky the Chinese jailbreakers were that Apple did repeatedly fail to fix vulnerabilities, which allowed them to reuse the same stuff over and over again.
  • I then stated that a lot of the techniques and vulnerabilities (chains) they used were initially invented and discovered by westerners like the evad3rs or myself, which is a fact. Keep in mind that most of their initial code execution and incomplete code signing exploits are just the bugs from evasi0n/evasi0n7 that Apple repeatedly did not fix correctly.

I then closed that chapter with a description of what the new breed of jailbreakers have done for the community so far.

  • I explained that so far they have not released any code that would help other researchers to get into it, like previous jailbreakers did. (So far they have only discussed some of the vulnerabilities they used after Apple finally fixed them.)
  • I stated that Chinese jailbreaks have been heavily obfuscated to the point that they even bought commercial grade obfuscation software for it, which is a simple fact.
  • I said that they intentionally removed kernel patches like task_for_pid0 to stop other researchers from using their jailbreaks as basis for their own work. This is however only true for Pangu, who even have the code to do the patch in their jailbreak, but intentionally not call it. The people behind TaiG however do apply the patch, which shows that they are more open.
  • I also stated the fact that both Pangu and TaiG apply kernel patches in a destructive way. TaiG e.g. overwrites the beginning of the kernel’s TEXT segment in memory, and Pangu just trashes the kernel’s Mach-O header in memory. This is most probably done because this header is required by other researchers to reconstruct the kernel binary from memory, and I already established that Pangu does not want other researchers to be able to perform their work.

To summarize this: I presented a number of facts about previous and current jailbreaks. There was no racial discrimination in my talk. I was merely pointing out facts that are observable by anyone who takes a look at the details. And yes, I called Chinese people Chinese.

However, since the blog post from Pangu that was written to discredit me, I get pestered by some Chinese people who accuse me of racial discrimination and threaten me or my family. Fact is, I have nothing against Chinese people in general. Actually, I have a number of close Chinese friends who would die laughing if I told them that someone accused me of being racist towards China. Nevertheless, I cannot stand people who want to be called security researchers while they base all their work on shady and questionable methods. I also hate the fact that Pangu believes they can get away with openly lying to everyone, because they believe I have no proof for any of my claims. They even let one of their friends ask in the Q&A session of my talk at SyScan if I had physical proof for some of the things, so that they could get away with claiming that this is not true…

And because of this unbelievable behaviour on their part and their repeated attempts to make me look like the one having done wrong, I decided to do something that I normally would not have done (if they hadn’t actually attacked me like this in public). If you take a look at the picture below, you will see that this is a Lightning cable. The special thing about this Lightning cable is that it offers a serial connection to newer iOS devices that is otherwise not available. This is something that helps during the development of kernel/iBoot exploits (if you already have some working exploits). Security researchers like Ramtin Amin have created similar cables by reversing the protocol. The cable you see here, however, is not one of those. The photo of the cable you see here was sent to me by a member of Pangu who bragged about his friend having gotten a cable. He also told me that I should not discuss this on e.g. Twitter, because that would make getting these cables harder and harder. Apparently these cables are stolen from Apple or Apple partners, and the penalty for this has been getting harsher, which made it more difficult to acquire them.


While the Pangu member only said that “his friend” had gotten the cable, he later wanted to pay me off with such a cable after he realized that I was absolutely not okay with Pangu taking my vulnerabilities and my software without a license, as you can see here.


I think all this combined clearly shows that the people behind Pangu do not care about intellectual property, they do not care about software licenses, they do not care about violating contracts (with Apple), and they even traffic in stolen goods.

You have to decide for yourself if you think these people deserve to be called “security researchers” instead of shady hackers. You also have to decide for yourself if you consider them to be a trustworthy party to provide future jailbreaks for devices that contain your personal and private data like your nude pictures 😛

I am curious what kind of response we will get from Pangu now that I have provided evidence.