zeroxjf (@zeroxjf)'s Twitter Profile
zeroxjf

@zeroxjf

iOS jailbreak developer

ID: 1932116859773677568

Link: http://zeroxjf.github.io/
Date: 09-06-2025 16:45:36

5 Tweets

76 Followers

24 Following

zeroxjf (@zeroxjf)

Diff of iOS 26.3 vs 26.4b1 elucidated an XPC check-in bug in 26.3: some services accepted plain Mach ports as valid client check-ins. Fixed in 26.4b1.

zeroxjf (@zeroxjf)

Opus 4.6 just built a fully functional iOS 17 tweak for me in two prompts. Nothing particularly complex/exciting, just something I wanted for convenience: a clean 5x (digital) zoom button in Camera app on non-15ProMax devices. Repo: zeroxjf.github.io

zeroxjf (@zeroxjf)

I know it’s been around but if you miss jailbreaking like I do, LiveContainer by Duy Tran et al is really a pretty useful tool for modern iOS. Sideloading with less hassle and even a (limited) tweak injection dylib. Recommend checking it out github.com/LiveContainer/…

zeroxjf (@zeroxjf)

New research added to my WebKit–UAF–ANGLE–OOB analysis (iOS 26.1): full userland chain now documented, still short of full escalation. Repo updated with revised writeup + PoC. github.com/zeroxjf/WebKit…

Zero Day Engineering (@zerodaytraining)

Apple recently patched the missing piece in the userland part of the Dec'25 full-chain exploit. CVE-2026-20700: dyld memory corruption to PAC bypass. This bug completes the chain of CVE-2026-43529 (jsc UAF RCE, PoC public) and CVE-2026-14174 (Angle OOB EoP, no working PoC yet).

James D (@0x4a616d657344)

Through much p̶a̶i̶n̶ fun RE'ing plasmaloader and its comms mechanism I now have the ‘Coruna’ iOS remote exploit chain(s) served up locally with a custom module 🎵

zeroxjf (@zeroxjf)

Still waiting for the right deal on a Mac Mini or Studio to run OpenClaw, mostly just to act as a helper node for an autonomous vuln-finder I’ve been slowly building. One thing I’ve already decided though: there’s absolutely no way I'm signing in with any personal data

Duy Tran (@trankha50277352)

iOS 17.0.1-17.2.1 lack CoreTrust, but being able to inject arbitrary code into daemons opens a lot of possibilities there right now: file manager inside SpringBoard that lets you access /var, on-device JIT enabler (will need some further RE to see how it works), etc. It is also

zeroxjf (@zeroxjf)

Nothing is guaranteed and I’m no expert, but the pieces seem largely there for someone to eventually turn this chain into a jailbreak for <iOS 17.2.1. At worst it’s a strong foundation to build on and a benefit to those still on 17.0.1–17.2.1. Just my opinion, could be wrong.