Proof-of-concept app to overwrite fonts on iOS using CVE-2022-46689.
Works on iOS 16.1.2 and below (tested on iOS 16.1) on unjailbroken devices.
IPA available in the Releases section.
- DejaVu Sans Condensed
- DejaVu Serif
- DejaVu Sans Mono
- Go Regular
- Go Mono
- Fira Sans
- Segoe UI
- Comic Sans MS
- Choco Cooky
You can also import custom fonts that were ported for iOS.
Screenshots (captions only): DejaVu Sans Condensed, DejaVu Serif, DejaVu Sans Mono, Choco Cooky, Go Regular, Go Mono, Segoe UI, Comic Sans MS, Hanna Soft + JoyPixels, Bronkoh, Noto Serif SC, Fira Sans.
Screenshot credit: @ev_ynw for the ported Hanna Soft and Bronkoh fonts, JoyPixels for the emoji font
Where to find ported fonts
- The built-in fonts are not properly ported (I don't know how to port fonts). For best results, use a custom font.
- With the built-in fonts:
  - Only regular text uses the changed font: thin/medium/bold text falls back to Helvetica instead.
  - If the font doesn't show up at all, disable "Bold Text" in accessibility settings.
- File pickers in apps will fail to open with the error "Something went wrong while displaying documents."
  - This happens if you replace the emoji font, or install fonts with multiple weights.
  - Try the experimental .ttc fix by using "Import custom with fix for .ttc".
- iOS 14.x devices which are jailbroken / were jailbroken before will not be able to revert to the original font.
  - Workaround: do not use this app if you're on iOS 14.x and have previously jailbroken. Instead, just jailbreak and replace fonts normally.
The CVE-2022-46689 issue (as far as I know; I could be wrong) only lets you overwrite 16383 bytes out of every 16384 bytes: the last byte of each page can't be written.
To work around this, I package the font using the WOFF2 webfont format, which is supported on iOS. WOFF2 uses Brotli for compression, which lets me insert padding to skip over the last byte.
See repackfonts/make_woff2src.sh for details. This script:
- renames the font to .SFUI-Regular with TTX, following this answer
- rebuilds the font to .woff2
- repackfonts/BrotliPadding.swift then decompresses the WOFF2 file and inserts padding to skip past the 16384th byte
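To make the WOFF2 packaging step concrete, here is a small Python parser for the fixed 48-byte WOFF2 header (layout per the W3C WOFF2 specification) with the bounds checks a consumer of untrusted font files should make, plus a helper that lists which offsets of a file fall on the unwritable last byte of each 16384-byte page described above. This is an added example, not code from this project or from repackfonts/BrotliPadding.swift; the sample file it builds is a constructed header with zero filler, not a real font, and the function names are my own.

```python
"""Parse and sanity-check a WOFF2 header; list page-end offsets in a file.

Added example (not from the WDBFontOverwrite project). Header layout follows
the W3C WOFF2 spec: 48 bytes, all fields big-endian.
"""
import struct

# The README's constraint: 16383 of every 16384 bytes are writable.
PAGE_SIZE = 16384

# 4s = signature, then I/H fields as named below (14 fields, 48 bytes total).
WOFF2_HEADER = struct.Struct(">4sIIHHIIHHIIIII")
WOFF2_HEADER_FIELDS = (
    "signature", "flavor", "length", "num_tables", "reserved",
    "total_sfnt_size", "total_compressed_size", "major_version",
    "minor_version", "meta_offset", "meta_length", "meta_orig_length",
    "priv_offset", "priv_length",
)


def parse_woff2_header(data: bytes) -> dict:
    """Decode the fixed header and reject files whose fields point outside them."""
    if len(data) < WOFF2_HEADER.size:
        raise ValueError("file shorter than a WOFF2 header")
    fields = dict(zip(WOFF2_HEADER_FIELDS, WOFF2_HEADER.unpack_from(data, 0)))
    if fields["signature"] != b"wOF2":
        raise ValueError("not a WOFF2 file (bad signature)")
    if fields["reserved"] != 0:
        raise ValueError("reserved field must be zero")
    if fields["length"] != len(data):
        raise ValueError("header length field does not match file size")
    # The compressed block can never extend past the end of the file.
    if fields["total_compressed_size"] > len(data) - WOFF2_HEADER.size:
        raise ValueError("total_compressed_size exceeds file size")
    # Optional metadata / private blocks must also lie inside the file.
    for off, ln in (("meta_offset", "meta_length"), ("priv_offset", "priv_length")):
        if fields[off] and fields[off] + fields[ln] > len(data):
            raise ValueError(f"{off}/{ln} point outside the file")
    return fields


def is_valid_woff2(data: bytes) -> bool:
    """Boolean wrapper around parse_woff2_header for quick checks."""
    try:
        parse_woff2_header(data)
        return True
    except ValueError:
        return False


def unwritable_offsets(file_size: int, page_size: int = PAGE_SIZE) -> list:
    """Offsets of the last byte of every page that falls inside the file.

    For a 40000-byte file this is [16383, 32767]: these are the positions the
    Brotli padding has to step over.
    """
    return list(range(page_size - 1, file_size, page_size))


def build_sample_woff2(total_len: int) -> bytes:
    """Constructed sample: a valid WOFF2 header followed by zero filler.

    Not a real font (num_tables is 0, so there is no table directory); it only
    exercises the header parser.
    """
    compressed = total_len - WOFF2_HEADER.size
    header = WOFF2_HEADER.pack(
        b"wOF2", 0x00010000, total_len, 0, 0,
        0, compressed, 1, 0, 0, 0, 0, 0, 0,
    )
    return header + bytes(compressed)


if __name__ == "__main__":
    sample = build_sample_woff2(40000)
    hdr = parse_woff2_header(sample)
    print("length:", hdr["length"], "compressed:", hdr["total_compressed_size"])
    print("page-end offsets:", unwritable_offsets(len(sample)))
```

Run it directly to see the header fields and the page-end offsets for the constructed 40000-byte sample; pass a real .woff2 file's bytes to parse_woff2_header to check it the same way.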
- Ian Beer of Project Zero for finding CVE-2022-46689.
- Apple for the test case and patch. (I didn't change anything: I only wrapped the test case in a library.)
- Everyone on Twitter who helped out and experimented with CVE-2022-46689, especially @dedbeddedbed, @AppleDry05, and @haxi0sm for exploring what can be done with this issue.
- WOFF2 compressor by Google
- ttcpad by LIJI32
- Fontforge stripttc
- The DejaVu fonts are distributed according to their license.
- The Go fonts are distributed according to their license.
- The Fira Sans font is converted by @jonpalmisc - thanks!
- Segoe UI and Comic Sans MS are the property of Microsoft.
- Choco Cooky is the property of Samsung.
- I don't have any rights to redistribute these, but I'm posting them anyways because #yolo.