Zhuowei Zhang
zhuowei.notnow.dev
Mostly bad puns. It's pronounced "joe-way". Happy to explain jokes.
he/him, opinions are my own. https://zhuoweizhang.net
Mastodon: https://notnow.dev/zhuowei
I got a write to 0x0041414141414141 with my proof-of-concept for CVE-2025-48593.

github.com/zhuowei/blue...

What can I do with this? Getting an infoleak is probably possible, but hard. For a proof-of-concept, I won’t bother defeating ASLR: I’ll just arbitrary-write to hardcoded memory addresses.
November 29, 2025 at 7:07 AM
I'm not the author of DynamicCow, and I'm not too familiar with modifying the dynamic island. You're probably looking for x.com/aboutzeph .
November 20, 2025 at 12:59 AM
This CVE is from the November Android Bulletin: source.android.com/docs/securit...

It should be a use-after-free; I haven't gotten it to do anything interesting though.

So far, I was only able to get a null pointer deref without malloc debug or an attempted write to library rodata with malloc debug.
Android Security Bulletin—November 2025  |  Android Open Source Project
November 14, 2025 at 5:27 AM
For me, I'm connecting my Linux VM to an Android Emulator on the host, so:

```
$ cat $TMPDIR/netsim.ini
web.port=7681
grpc.port=49824
$ ssh -R localhost:49824:localhost:49824 jane.local
$ bumble-hci-bridge android-netsim:localhost:49824 vhci
```
November 5, 2025 at 4:42 AM
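The netsim bridge setup in the post above hardcodes the gRPC port. The script below is an added example (not from the original post, and not part of bumble or netsim): it reads the port out of netsim.ini, then builds the ssh reverse-forward and the bumble-hci-bridge command from it. The sample netsim.ini is constructed inline to mirror the post; the temp path and the VM host name jane.local are assumptions. The `-R localhost:...` form keeps the forwarded emulator control port bound to the VM's loopback rather than exposing it on the VM's network.

```shell
#!/bin/sh
# Added example, not the original post's code: derive the netsim gRPC port
# from netsim.ini and build the forwarding commands instead of hardcoding it.

# Construct a sample netsim.ini in a temp dir, matching the post's layout.
SAMPLE_DIR="${TMPDIR:-/tmp}/netsim-example.$$"
mkdir -p "$SAMPLE_DIR"
printf 'web.port=7681\ngrpc.port=49824\n' > "$SAMPLE_DIR/netsim.ini"

# Print the numeric value of key=value from an ini-style file.
# Fails (non-zero exit) if the key is missing or its value is not numeric.
netsim_port() {
    key="$1"; file="$2"
    value=$(sed -n "s/^${key}=\([0-9]*\)$/\1/p" "$file" | head -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Build the ssh -R command run on the emulator host. Binding the remote end to
# localhost keeps the emulator's gRPC control port off the VM's network.
ssh_forward_cmd() {
    port="$1"; vm_host="$2"
    printf 'ssh -R localhost:%s:localhost:%s %s\n' "$port" "$port" "$vm_host"
}

# Build the bumble-hci-bridge invocation run inside the VM (assumed host: jane.local).
bridge_cmd() {
    port="$1"
    printf 'bumble-hci-bridge android-netsim:localhost:%s vhci\n' "$port"
}

GRPC_PORT=$(netsim_port grpc.port "$SAMPLE_DIR/netsim.ini") \
    || { echo "grpc.port not found in netsim.ini" >&2; exit 1; }
echo "# run on the emulator host:"
ssh_forward_cmd "$GRPC_PORT" jane.local
echo "# run inside the VM:"
bridge_cmd "$GRPC_PORT"
```

Running it prints the two commands for the port found in the sample file; point `netsim_port` at the real `$TMPDIR/netsim.ini` on the emulator host to use it for a live setup.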
On the virtual device side, it fails with a NULL pointer in identity_registration::IdentityRegistrationServiceImpl::loadDeviceCertificates.

So I guess I need to give the virtual device a fake device certificate, and possibly modify the app with a Frida script to disable certificate checking?
November 2, 2025 at 8:54 PM
I’ve almost got my virtual Meta Ray-Ban Display in the Android Emulator to pair with the Meta AI app:

On the app side, it fails with “connectivity::Identity: Identity failed with error: Device has sent generic failure message.”
November 2, 2025 at 8:54 PM
For XR research, there's FreeXR (discord.gg/ABCXxDyqrH / github.com/FreeXR) and XRBreak (estradiol.city/@ity/1144828...)
November 2, 2025 at 5:29 PM
I haven't tried: Horizon OS has more customizations in e.g. the graphics compositor, so it might be more difficult.
November 2, 2025 at 5:19 PM
My script to repack the firmware:
github.com/zhuowei/meta...

I got the firmware by capturing the network call when I paired my real glasses to the Meta AI app:
drive.google.com/file/d/1Wd-A...

I have more notes on the Meta Ray-Bans in Mastodon:
notnow.dev/notice/AznWC...
notnow.dev/notice/Az6rp...
GitHub - zhuowei/meta-rayban-firmware-android-emulator
November 1, 2025 at 11:24 PM
OK, there we go: I got the Meta Ray-Ban Display's firmware to show its app grid on an Android Emulator. github.com/zhuowei/meta...
Unfortunately, most apps just ask to connect to the phone app.
So I need to get the virtual Bluetooth pairing working.

#MetaRayban
November 1, 2025 at 9:15 PM