The code snippets and conceptual analysis presented in this document are based on iOS 16.2.
The bug was disclosed and patched after Pwn2Own 2024 and was assigned CVE-2024-27834. Details of the patch can be found in the WebKit repository.
The iphone-dataprotection project (GitHub mirror) includes a tool to determine an iOS device's 4-digit passcode using a brute force technique. That project only claims support for devices running iOS 8 or earlier on hardware before the A5. It turns out the code also supports A5 devices on iOS 9.
However, the brute force utility also requires a companion kernel patch to enable access to keys such as 0x835 in calls to the AES accelerator from userland. This doc confirms the value of said patches for 32-bit iOS 9.
This writeup also describes the various st