Slide #1 image


Hacked Tesla Model S car and allowed to control sunroof, central display, door locks and the braking system.

Slide #3 image

KeenLab iOS 11 Jailbreak

Successfully demonstrated iOS 11 Beta 2 and iOS 10.3.2 jailbreak

Slide #3 image

keen Pwn2Pwn

Hacked Apple Safari browser in Pwn2Pwn competition


iOS 11.1.1 Jailbreak released with Keen IPA.

About Keen Team

Keen Security lab is established in 2016 and transformed from famous Keen Team. The team attends on advanced security research such as PC / mobile operating systems, applications, cloud computing, IOT smart devices etc. As well Keen Security Lab widely focuses on Tencent products and technologies.

Liang Chen

Marco Grassi
Senior Security

James Fang
Senior Security

Wu Shi
Senior Security

Sen Nie
Security Researcher

Qidan He (Edward Flanker)
Security Researcher

Di Shen
Security Researcher

Security Researcher


Winner for iOS category in Mobile Pwn2Own 2013.
OS X category in Pwn2Own 2014.
Led the team united with Tencent PC Manager team to win the Master of Pwn title in Pwn2Own 2016.
Lifetime Achievement Award nomination to Wushi for his 10-year continuous contribution to worldwide security research community.
2 Best Privilege Escalation Award nominations for achievements on Windows TTF and Ping Pong Root.

Proud Speakers for:

Ongoing projects:

The keen team demonstrated iOS 11 Jailbreak as well as iOS 10.3.2 jailbreak at The Mobile Security Conference 2017 (MOSEC).Our Special thanks to Pangu team and PoC who organized this conference.

  • iOS Exploit - Keen team is attending to iOS 11 Jailbreak
  • The keen team successfully exploited vulnerabilities in iOS 11 beta 2 running on iPhone 7. Apple improves the kernel security in iOS more than its previous releases. The keen team focused our research about iOS vulnerability, mechanism and exploitation mitigations since a long time. As a result of that, overcome the iOS 11 jailbreak. At the mean time, Apple released iOS 11 beta 4. Looking forward to until iOS 11 final version releases. Hopefully, it is possible to complete this project in September. Awaiting to dig the final version of iOS 11. Without Final version, cannot get the aspire output.

  • iOS Exploit - Keen Lab is attending for iOS 10.3.X Jailbreak
  • Further, Keen Lab accomplishes iOS 10.3.2 jailbreak using iPhone 6 and iPhone 7. Next challenge exploits the iOS 10.3.X version. Apple releases 10.3.3 recently and enhances the security features in every single update. Our highly qualified dev team focuses on releasing stable jailbreak tool for iOS 10.3.X Jailbreak.

Projects done :

  • Car Hacking Research - Hack Tesla Model S with Remote Attack
  • Tesla Motors is considered to be one of the most comprehensive cyber-security automakers in the world. Last couple of months Keen team inspections about the Tesla car and identified various security vulnerabilities and successfully implemented both physical connections or the Parking and Driving Mode of the Tesla Model S. Proud to say that we used an unmodified car with the latest firmware to demonstrate the attack.

  • Complete OSX Privilege Escalation
  • Keen Lab use the Blitzard kernel error to avoid the Safari renderer sandbox, existing in the blit operation of graphics pipeline for pwn2own. We used own Exploitation method with The IGVector add function, add Drivers function and mainly with kalloc.48 and kalloc.4096.

  • Rooting Every Android From Extension To Exploitation
  • Keen Lab focused on kernel exploit mitigations appeared on Android for the recent 2 years. Discovered implementation of mitigations/ bypassing techniques/Android WEXT attack surface analysis & details of three rooting exploits once affected most Android devices.

  • Pwn of Microsoft Edge
  • Pwn of Microsoft Edge comprises both Browser Remote Code Execution and browser sandbox bypass. Browser RCE succeed by exploiting a Java script vulnerability. Browser sandbox avoid by logical sandbox escape or Escalation of Privilege through kernel vulnerabilities. Used loops are D3DKMT Present with overflowing fields set in the buffer, D3DKMT Present with overflowing fields set in the buffer from multiple threads and BitBlt from another multiple threads.

  • WindowServer
  • The privilege chameleon on macOS

    Consisting history of windowserver, basic concepts, architecture, CVE-2014-1314 design flaw and details of the pwnie nomination bug: CVE-2016-1804, which we used to inscribe the latest OS X El Capitan remotely with a browser exploit and improve to root access. Resolves several issues discovered by Part 1 still existing in Window Server. Finally Exploited CVE-2016-1804 with full remote root by chaining with Safari exploit. Exploited both userland graphics and kernel graphics.