Attacking iPhone XS Max

With the release of the iPhone XS and XS Max, Apple's implementation of Pointer Authentication Codes (PAC) on the A12 SoC plays a larger role in exploit mitigation. While PAC effectively makes many of our own kernel vulnerabilities unexploitable on the iPhone XS/XS Max, we were able to achieve tethered jailbreaks on these devices. This talk describes that process. Specifically, it first discusses Apple's PAC implementation based on our tests, then introduces an old bug in XNU that still affects the latest official release of iOS (i.e. 12.1.4), and elaborates how to exploit it to bypass PAC and gain arbitrary kernel read/write. Finally, the talk explains post-exploitation techniques, including how to make arbitrary kernel function calls given arbitrary kernel read/write.

Presented by