toothpicker: an in-process, coverage-guided fuzzer for iOS
ToothPicker
ToothPicker is an in-process, coverage-guided fuzzer for iOS. It was developed to specifically target iOS’s Bluetooth daemon bluetoothd and to analyze various Bluetooth protocols on iOS. As it is built using FRIDA, it can be adapted to target any platform that runs FRIDA.
This repository also includes an over-the-air fuzzer with an exemplary implementation to fuzz Apple’s MagicPairing protocol using InternalBlue. Additionally, it contains the ReplayCrashFile.py script that can be used to verify crashes the in-process fuzzer has found.
In-Process Fuzzer
The In-Process Fuzzer works out of the box on various iOS versions (13.3 to 13.6 tested), but the required symbols need to be specified. Other iOS versions require adapting the function addresses. Additionally, it seems like FRIDA's stalker has some problems with the iPhone 8. On newer iPhones that support PAC, performance suffers significantly from pointer signing. Thus, it is recommended to run this on an iPhone 7.
ToothPicker is built on the codebase of frizzer. However, it has been adapted for this specific application and is therefore no longer compatible with the original version. There are plans to replace this with a more dedicated component in the future.
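To make the in-process, coverage-guided loop described above concrete, here is an added example in Python; it is not ToothPicker's or frizzer's code. Where ToothPicker collects coverage with FRIDA's Stalker inside bluetoothd, this stand-in uses a small edge tracer, and the target `toy_handler`, its magic bytes, its bug and the seed input are all constructed for the demo (hypothetical, not an iOS protocol). `reproduces()` replays a saved input against the target, which is the role the repository's ReplayCrashFile.py is described as filling, but it is not that script.

```python
import random


class Crash(Exception):
    """Raised by the constructed target where a real handler would fault."""


class EdgeCoverage:
    """Stand-in for the coverage ToothPicker gets from FRIDA's Stalker:
    records (previous block, current block) edges, like an edge bitmap."""

    def __init__(self):
        self.prev = 0
        self.edges = set()

    def reset(self):
        self.prev = 0
        self.edges = set()

    def hit(self, block_id):
        self.edges.add((self.prev, block_id))
        self.prev = block_id


def toy_handler(data, cov):
    """Constructed (hypothetical) framed-message parser standing in for a
    bluetoothd protocol handler. Its bug is reached only with two magic
    bytes, a length byte matching the frame, and an empty payload."""
    cov.hit(1)
    if len(data) < 3:
        cov.hit(2)
        return
    cov.hit(3)
    if data[0] != 0x4D:               # magic byte 1, 'M'
        cov.hit(4)
        return
    cov.hit(5)
    if data[1] != 0x50:               # magic byte 2, 'P'
        cov.hit(6)
        return
    cov.hit(7)
    payload_len = data[2]
    if payload_len != len(data) - 3:  # length byte must match the frame
        cov.hit(8)
        return
    cov.hit(9)
    if payload_len == 0:              # constructed bug: empty payload dereferenced
        cov.hit(10)
        raise Crash("payload[0] read with zero-length payload")
    cov.hit(11)


def mutate(data, rng):
    """One random byte-level mutation: overwrite, bit flip, insert or delete."""
    b = bytearray(data) if data else bytearray(b"\x00")
    r = rng.random()
    if r < 0.5:
        b[rng.randrange(len(b))] = rng.randrange(256)
    elif r < 0.7:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif r < 0.85:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif len(b) > 1:
        del b[rng.randrange(len(b))]
    return bytes(b)


def run_once(target, data, cov):
    """Run the target on one input; return (edges hit, crashed?)."""
    cov.reset()
    try:
        target(data, cov)
        return set(cov.edges), False
    except Crash:
        return set(cov.edges), True


def fuzz(target, seeds, iterations=200_000, seed=1, stop_on_crash=True):
    """Coverage-guided loop: mutate a corpus entry, keep the child only if it
    reaches an edge never seen before, and save every crashing input."""
    rng = random.Random(seed)
    cov = EdgeCoverage()
    corpus, seen_edges, crashes = [], set(), []
    for s in seeds:
        edges, crashed = run_once(target, s, cov)
        seen_edges |= edges
        corpus.append(s)
        if crashed:
            crashes.append(s)
    for _ in range(iterations):
        child = mutate(rng.choice(corpus), rng)
        edges, crashed = run_once(target, child, cov)
        if not edges <= seen_edges:   # new edge: worth keeping as a parent
            seen_edges |= edges
            corpus.append(child)
        if crashed:
            crashes.append(child)
            if stop_on_crash:
                break
    return corpus, seen_edges, crashes


def reproduces(target, data):
    """Replay a saved crash input against the target, as a crash verifier does."""
    return run_once(target, data, EdgeCoverage())[1]


if __name__ == "__main__":
    corpus, edges, crashes = fuzz(toy_handler, [b"\x00\x00\x00"], seed=7)
    print(f"corpus={len(corpus)} edges={len(edges)} crashes={[c.hex() for c in crashes]}")
    print("reproduces:", [reproduces(toy_handler, c) for c in crashes])
```

The point of the example is the feedback: a random mutator alone has to guess both magic bytes at once, while the loop above keeps `M\x00\x00` as a parent as soon as it reaches a new edge, so the second magic byte and the length condition are found one step at a time. In the real fuzzer the edge set comes from Stalker and the target is a hooked bluetoothd handler; the corpus, keep-if-new-coverage and replay logic are the same idea.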
Install & Use
Copyright (c) 2020 ToothPicker Team