Unrestrict the restricted mode for USB on iPhone. A first analysis @citizenlab #CVE-2025-24200 👉 blog.quarkslab.com/first-ana…
Oops, they did it again! The Titan-M chip is the root of all security in Google's Pixel phones. @DamianoMelotti & @max_r_b will talk about their journey from Reversing & Fuzzing to Code Execution & leaking its encryption keys tomorrow at @WEareTROOPERS troopers.de/troopers22/agend…
Did you know that Windows processes fundamental to Operating System security run in Isolated User Mode and cannot be debugged? Well, that's true except when it isn't. Here @fdfalcon provides a step-by-step guide to do it: blog.quarkslab.com/debugging… #Windows #ReverseEngineering
Is remote code execution in UEFI firmware possible? Yes it is. Meet #PixieFAIL: 9 vulnerabilities in the IPv6 stack of EDK II, the open source UEFI implementation used by billions of computers. Full details by @fdfalcon and @4Dgifts in our new blog post: blog.quarkslab.com/pixiefail…
A Starlink User Terminal is a dish best served reversed and that is exactly what @magocarlos1999 did for the past 6 months. Here he shares his journey and the tools he built during his internship at Quarkslab. Dive deep into Starlink's UT firmware! blog.quarkslab.com/starlink.…
Finding and chaining 4 vulns to exfiltrate encryption keys from the Android Keystore on Samsung series A* devices. Did you miss the "Attacking the Samsung Galaxy A* Boot Chain" talk by @max_r_b and Raphaël Neveu earlier this year? Talk && PoC || GTFO: blog.quarkslab.com/attacking…
[BLOG] Reverse-engineering Broadcom wireless chipsets by @Phenol__ blog.quarkslab.com/reverse-e… The long and good trip of an intern, then the long and sad disclosure timeline of 5 vulnerabilities. Thx to @Broadcom we don't know what is vulnerable...
We are constantly being asked about so-called "secure messaging apps". Here is a quick overview
Fuchsia is Google's new open source OS with a focus on security and privacy. A Quarkslab researcher took a look and found several vulnerabilities. They are now fixed. Curious about the technical details? Find them in our new blog post: blog.quarkslab.com/playing-a…
Good tools are made of bugs: How to monitor your Steam Deck with one byte. Finding and exploiting two vulnerabilities in AMD's UEFI firmware for fun and gaming. A Christmas gift in February, brought to you by the amazing @pwissenlit 🫶 blog.quarkslab.com/being-ove…
Glad to publish the technical audit report of our experts (involving @RobinDavid1) on the MimbleWimble #MWEB integration in Litecoin #LTC. Many thanks to @LitecoinProject & @DavidBurkett38 for making this assessment possible! blog.quarkslab.com/audit-of-…
Today is a big day, especially for @JonathanSalwan: he will defend his PhD: symbolic execution for binary deobfuscation. The team is super proud of the long road he walked!
[BLOG] Modern iOS Jailbreaks' Post-Exploitation blog.quarkslab.com/modern-ja… What exactly is a jailbreak, how it works, and the match LiberiOS vs Electra.
👏Our researchers @DamianoMelotti @max_r_b @doegox just finished their talk about reversing Google's Titan-M chip. Partial chip pinout, Ghidra loader, an open source API client, a fuzzer, 1st ever code exec exploit, slides & white paper now available here github.com/quarkslab/titanm
Attacking Titan M with Only One Byte: Code execution and exfiltration of encryption keys from Google Pixel phone's Secure Element, now being presented by @DamianoMelotti and @max_r_b at @BlackHatEvents #BHUSA. Full details are now public in their blog post: blog.quarkslab.com/attacking…
[BLOG] Beware the Bad Neighbor: Analysis and PoC of the Windows IPv6 Router Advertisement Vulnerability (CVE-2020-16898) blog.quarkslab.com/beware-th… by @fdfalcon
Exploitation of UEFI bugs is a rarely discussed topic. In this blog post @pwissenlit shows how she leveraged a boring UEFI bug in Tianocore's EDK2 implementation to develop a cool exploitation technique. For science! #UEFI #vulnresearch #exploit blog.quarkslab.com/for-scien…
Updated version with E2E encryption. Tricky points like key management or group conversation are not differentiated. We might add other apps to that list (reply to this tweet with the name / link). cc @marver
From classic HTML pages to advanced MFA bypasses, dive in with @_atsika in an exploration of phishing techniques 🎣. Learn some infrastructure tricks and delivery methods to bypass common detection. 👉blog.quarkslab.com/technical… (promise this one is legit 👀)
Nice commit in Broadcom wireless driver, no CVE. Don't worry, it is only a heap overflow leading to remote code exec in the Linux kernel but exploitable in very narrow conditions: Target needs to have Wake on Wireless LAN enabled (who does that?) #teasing github.com/torvalds/linux/co…
[BLOG] An overview of macOS kernel debugging blog.quarkslab.com/an-overvi… Deep dive into Kernel Debugging Protocol (KDP), from implementation to limitation
What separates human from mouse? Diffing is not just for reverse engineering anymore! Introducing Qbindiff: An open source, easily customizable binary diffing toolkit by Roxane Cohen, @RobinDavid1 and Riccardo Mori #diffing #ReverseEngineering #bindiff blog.quarkslab.com/qbindiff-…
Still looking for those elusive data encryption keys on your Samsung A* series phone? Don't worry! Join security researchers @max_r_b and @DamianoMelotti today at 5pm at @offensive_con to learn how to break Secure Boot and tamper with your phone enough to get those pesky keys.
[BLOG] Want to learn how to dump a #flash chip? Read blog.quarkslab.com/flash-dum… #PCB #KiCAD
[BLOG] Introduction to Trusted Execution Environment: ARM's TrustZone: blog.quarkslab.com/introduct… To be followed...
[BLOG] Analysis of Qualcomm Secure Boot Chains blog.quarkslab.com/analysis-… Nice work by Elouan during his internship: congrats :)
[Blog] A gentle introduction to Linux namespaces, the kernel abstraction that made containers great again. First blog post by Mihail Kirov 💪 <now with the right url> blog.quarkslab.com/digging-i…
[BLOG] Spectre is not a Bug, it is a Feature: blog.quarkslab.com/spectre-i… Using Spectre for obfuscation (or not)
Linux kernel instrumentation from Qemu and gdb: A technique to analyze binaries or kernel modules that may try to monitor themselves. In this blog post Professor @Mad5quirrel explains the trick blog.quarkslab.com/linux-ker…
[BLOG] Attacking ARM's TrustZone, Part II of Joffrey Guilbon's Introduction to Trusted Execution Environment blog.quarkslab.com/attacking…
[BLOG] Hello Rewind, meet world blog.quarkslab.com/hello-rew… @erynian, or how to perform snapshot-based coverage-guided fuzzing on Windows kernel components
[Blog] CVE-2020-0069: Autopsy of the Most Stable MediaTek Rootkit by @max_r_b: bit.ly/3br0DvQ
[BLOG] A Deep Dive Into Samsung's TrustZone (Part 3) In which code execution at Exception Level 3 (EL3), the most privileged, is achieved. Work by @patateQbool @NeatMonster_ @lyte__ presented at BlackHat Las Vegas 2019 * includes a new bug, now fixed. blog.quarkslab.com/a-deep-di…
[BLOG] Reverse Engineering Samsung S6 SBOOT - Part II by @_kamino_ blog.quarkslab.com/reverse-e…
[BLOG] A Deep Dive Into Samsung's TrustZone (Part 1) blog.quarkslab.com/a-deep-di… by @NeatMonster_, @patateQbool and @pandasec_
Our blog post with full technical details about the two vulnerabilities in the TPM 2.0 reference implementation discovered by @fdfalcon is now live at blog.quarkslab.com/vulnerabi… #TPM #0day #not0day
DJI - The ART of obfuscation. A tragic story of bytecode hostage-taking with the complicity of the Android runtime. Quarkslab's engineer Eric Le Guevel investigates it: blog.quarkslab.com/dji-the-a…
[BLOG] Xen exploitation part 1: XSA-105, from nobody to root blog.quarkslab.com/xen-explo…
Always wanted to manipulate a binary disassembly without using the disassembler API? That's one of the possibilities offered by Quokka, our new binary exporter. Come and check it out on GitHub or read our blogpost announcement! blog.quarkslab.com/quokka-a-… github.com/quarkslab/quokka/
[BLOG] Reverse Engineering a VxWorks OS Based Router by @crackinglandia: blog.quarkslab.com/reverse-e…
Look at those cute little blobs in your internal network. They look harmless, but how about the one carrying SOCKS? It's ProxyBlob, a reverse proxy over Azure. Check out @_atsika's article on how it came to exist after an assumed breach mission ⤵️ 👉 blog.quarkslab.com/proxyblob…
Mathieu Farrell (@coiffeur0x90) discovered a dylib injection vulnerability in Microsoft Teams on macOS. The bug allows an attacker to secretly spy on users through their microphone and camera. Here he explains how he identified and exploited it: blog.quarkslab.com/exploitin…
Round of applause for @erynian who will present "Windows kernel snapshot-based fuzzing: the good, the bad and the ugly" at #GreHack21 piped.video/watch?v=2dS34u3T… github.com/quarkslab/rewind
Seats are still available for our awesome @hardwear_io Practical Car Hacking Training by @Phil_BARR3TT hardwear.io/usa-2022/trainin…
[BLOG] Exploring Execution Trace Analysis: digging into automation for trace collection and off-line dynamic trace analysis blog.quarkslab.com/exploring… by Luigi (@werewtk)
[BLOG] Weisfeiler-Lehman Graph Kernel for Binary Function Analysis blog.quarkslab.com/weisfeile… Compare functions from a new binary against a large database made of numerous known functions.
Are we human? or are we dancer? Introducing HydraDancer: A new hardware board and open source firmware for faster USB peripheral emulation. The Facedancer legacy lives on! Thiébaud Fuchs tells the story here blog.quarkslab.com/hydradanc…
Fuzzing is one of the top bug finding techniques, and to celebrate the 25th year of ntop, one of the top network monitoring tools, Quarkslab's engineer Riccardo Mori talked about fuzzing it today at #ntopConf23. Here are the slides of his talk github.com/quarkslab/conf-pr…
Need to access those precious encrypted kitten pics but you can't unlock your phone? Don't worry, in this blog post @max_r_b and @DamianoMelotti will take you on a journey to the depths of #Android's file-based encryption so you know what to do. blog.quarkslab.com/android-d…
Quarkslab's @fdfalcon discovered 2 vulns in the TPM2.0 Reference Implementation. They affect many hardware, software and firmware TPMs. The Trusted Computing Group and CERT/CC issued security bulletins. Stay tuned for our technical analysis on March 14th kb.cert.org/vuls/id/782720
[BLOG] Overview of Intel SGX - Part 1, SGX Internals blog.quarkslab.com/overview-… Focus on processor and memory for the enclave.
🚀We just released a new version of QBDI, Quarkslab's Dynamic Binary Instrumentation Framework with full support for AARCH64 and ARM32/Thumb architectures. You can check it out here: qbdi.quarkslab.com/ Or get the code and pre-built packages from here: github.com/QBDI/QBDI/release…
We recently switched from IRC to @Mattermost and took the opportunity to develop an end-to-end encryption plugin! Let's welcome @adriengnt as he walks you through this new blog post. blog.quarkslab.com/mattermos…
[BLOG] Interested in rooting Google Android emulators? Here is a quick introduction to the Android Emuroot project. It describes the enhancements made by Eric to support Android 10 & 11 based on the initial work of @AirbusSecLab: blog.quarkslab.com/extending…
[BLOG] Symbolic Deobfuscation: From Virtualized Code Back to the Original blog.quarkslab.com/symbolic-… Work presented at DIMWA 2018 by @JonathanSalwan
[BLOG] Come and play with our on-the-fly hypervisor, Cappsule (yes, we developed a hypervisor): blog.quarkslab.com/on-the-fl…
[BLOG] Mistreating Triton: concolic execution vs. obfuscation blog.quarkslab.com/mistreati… cc @qb_triton
Dive deep into heap exploitation, glibc internals, and clever tricks with @philipp0x90's latest write-up on a challenging HitconCTF 2024 heap pwn! blog.quarkslab.com/heap-expl…
While casually reading Moodle's code @coiffeur0x90 found a SSRF bug exploitable by any authenticated user. Fun twist? This vuln matches exactly the example @orange_8361 presented at Black Hat 2017. Real life imitates conference slides 😅 Details here: blog.quarkslab.com/auditing-…
[BLOG] Playing with the Windows Notification Facility (WNF) blog.quarkslab.com/playing-w… cc @pwissenlit @aionescu @brucedang
Are you a network protocol reverse engineer? Tired of writing Wireshark plugins in memory unsafe or esoteric languages named after celestial objects? Now you can do it in a few lines of Go, Python or Rust with Wirego. Benoit Girard explains how here: blog.quarkslab.com/getting-s…
Fast and Curious: Emulating Renesas RH850 System-on-Chip using Unicorn Engine. Brought to you by @virtualabs and @Phil_BARR3TT to make your automotive vulnerability research easier blog.quarkslab.com/emulating…
[BLOG] EEPROM: When Tearing-Off Becomes a Security Issue blog.quarkslab.com/eeprom-wh… by @doegox
[BLOG] Reverse Engineering the Win32k Type Isolation Mitigation by @fdfalcon blog.quarkslab.com/reverse-e… You'll never see kernel space the same way after type isolation.
Interested in navigation of source code, binaries and other artifacts? Let a marsupial and goddess help you. Here @_cryptocorn_ and Fenrisfulsur introduce Numbat, a new Python API for Sourcetrail, and Pyrrha, a mapper collection for firmware cartography. blog.quarkslab.com/leveragin…
[BLOG] Vulnerabilities in High Assurance Boot of NXP i.MX microprocessors blog.quarkslab.com/vulnerabi… When a software bug breaks the hardware
Interested in dynamically hooking Golang programs? TL;DR: it's complicated, but fear not because today @cryptonitemmk started a series of blog posts explaining why and how to do it. Here is the first: blog.quarkslab.com/lets-go-i… #golang #hooking #ReverseEngineering #debugging
[BLOG] We are opensourcing some material we designed for our training on automotive security. We designed a specific ECU for that purpose: blog.quarkslab.com/developme… Contributions are welcome, and contact us if you are interested in either the training or the ECU.
[BLOG] Reverse engineering of the Nitro OBD2: blog.quarkslab.com/reverse-e… NitroOBD2 Tuning Box increases the performance of your car: #fraud?
[BLOG] A Deep Dive Into Samsung's TrustZone (Part 2) blog.quarkslab.com/a-deep-di… by @NeatMonster_, @patateQbool and @pandasec_
[BLOG] Xen exploitation part 3: XSA-182, Qubes escape: blog.quarkslab.com/xen-explo… Final notes on finding Xen vm escape and exploitation
We are proud to announce the PhD defense of Ninon Eyrolles, the first PhD from @Quarkslab on code obfuscation: blog.quarkslab.com/phd-defen…
There is a small bug in the signature verification of OTA packages in the Android Open Source Framework. Official builds doing normal double verification of packages are not vulnerable but OEMs and third party apps may be. Jérémy Jourdois explains it here: blog.quarkslab.com/aosp_ota_…
Reversing Windows Container, episode I: Silo. An exploration of the depths of #Windows #container technology by Quarkslab's engineer Lucas di Martino #docker #hyperv #reversing blog.quarkslab.com/reversing…
Sacre BLE! Fuzzing Bluetooth Low Energy GATT and annoying your colleagues for fun and silence. Let Baptiste Boyer show you the way blog.quarkslab.com/bluetooth…
[BLOG] Romain Dumont takes us for a "Guided tour inside WinDefender's network inspection driver", showing us how Windows Defender uses the Windows Filtering Platform, along with some bugs he found on WdNisDrv.sys, and a tool to play with this driver. blog.quarkslab.com/guided-to…
[BLOG] Android Native Library Analysis with QBDI by @rh0main blog.quarkslab.com/android-n… Dynamic binary instrumentation to reverse engineer an Android JNI library. Yes, our DBI is improving its ARM support :)
PASTIS For the Win! Introducing PASTIS, an open source Python framework for ensemble fuzzing. Read about it in this blog post by @RobinDavid1 and Christian Heitman: blog.quarkslab.com/pastis-fo… #fuzzing #symexec #vulnresearch #apero
[BLOG] Have fun with LIEF and Executable Formats blog.quarkslab.com/have-fun-… by @rh0main
[BLOG+TOOL] LLDBagility: practical macOS kernel debugging: blog.quarkslab.com/lldbagili… An alternative to classic macOS kernel debugging based on virtual machine introspection based on Fast Debugging Protocol (FDP)
Last year Quarkslab engineers @_cryptocorn_ @Mad5quirrel @RobinDavid1 and @virtualabs participated in the Pwn2Own contest. Today, after a lengthy vuln disclosure process, they published the LAN side vulnerabilities they found in Netgear RAX30 routers. blog.quarkslab.com/our-pwn2o…
Quarkslab audited PHP-SRC, the open source interpreter of PHP. The security audit, sponsored by @OSTIFofficial with funding from @sovtechagency, aimed at strengthening the project's security ahead of the upcoming PHP 8.4 release. Here is what we found: blog.quarkslab.com/security-…
Are "MIFARE-compatible" contactless cards not playing fair? That's what you may wonder after @doegox spotted some odd behavior. Curiosity led to experiments to devise a new attack technique that uncovered some backdoors. The RFID hacking spirit lives on! blog.quarkslab.com/mifare-cl…
[BLOG] Read the blogpost detailing the 4 vulnerabilities found by @fdfalcon in the IPv6 stack of FreeBSD, more specifically in rtsold, back in November. Fixes were issued by FreeBSD on December 1st, 2020 along with a security advisory. blog.quarkslab.com/bad-neigh…
[Blog] Obfuscating Java bytecode with LLVM and Epona. Melchior de Roquefeuil writes about his 2-month internship at Quarkslab. Thank you Melchior! blog.quarkslab.com/obfuscati…
[BLOG] Results of our OpenVPN audit: blog.quarkslab.com/security-… Thanks to @OSTIFofficial, all donors, and the @OpenVPN team! #CVE-2017-7478
Last Tuesday the FreeBSD team released a patch to 4 vulnerabilities in code processing ICMPv6 packets, including a potential unauthenticated RCE from nodes on link-local. The bugs were found by @fdfalcon and reported on November 10th. Advisory & Patch: freebsd.org/security/advisor…
[BLOG] An Experimental Study of Different Binary Exporters blog.quarkslab.com/an-experi…
[BLOG+TOOL] Binmap: a system scanner blog.quarkslab.com/binmap-a-… Vulnerability research is not only about luck, it is also about strategy
[BLOG] Reverse Engineering Samsung S6 SBOOT - Part I by @_kamino_ blog.quarkslab.com/reverse-e…
[Blog] Looking into Kubernetes pentesting? Playing with CTFs? Get in the pod! Meet kdigger: A context discovery tool for Kubernetes brought to you by @mahe_tardy blog.quarkslab.com/kdigger-a…
[BLOG] Deobfuscation: recovering an #OLLVM-protected program blog.quarkslab.com/deobfusca…
[BLOG] Android Application Diffing: Analysis of Modded Version by @bla5r and @rh0main blog.quarkslab.com/android-a… Defeating obfuscation and spotting actual mutations in altered applications
Exploiting GLPI: A Red Team Christmas story. Or how Mathieu Farrell tried to reproduce a known vulnerability and the elves brought him two 0days. We unveil how he obtained code execution and added a backdoor to GLPI, a PHP-based IT asset management app blog.quarkslab.com/exploitin…
Interested in automating binary diffing? Attend @RobinDavid1 and Riccardo Mori's workshop at @BalCC0n #BalCCon2k23. They will showcase OSS tools developed by our team: Quokka, Pyrrha, python-binexport and python-bindiff (released last week!) Details at cfp.balccon.org/balccon2k23/…
We’re happy to announce that after 8 years of self-funding, we've raised our 1st #funding round with @ACEMANAGEMENT5. This investment will help us strengthen our R&D security teams and enable us to accelerate our software development efforts: bit.ly/2MVNW1N
Very glad to officially announce Epona, our software protection solution based on #LLVM: epona.quarkslab.com #Obfuscation #Reverse
Wireless hacking doesn't have to be a mess of dongles and ad-hoc code anymore. Yesterday @virtualabs and @CayreRomain from @Eurecom released WHAD, a set of open source tools, libraries and firmware to make wireless security research easier. The code repo: github.com/whad-team/whad-cl…