Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7

Transcript

1. None

2. iPhone NVM NAND Vladimir Putin & Oleg Kupreev

3. Research plan 1. PIN + SWD = Debug 2. Native

   driver code 3. iBoot and iOS drivers 4. Own driver development. Donor wanted. 5. OSX driver: C++ derived class. Super class. Driver dependency loading. 6. Linux drvier: patch standard driver to allocate DMA buffer 7. What is hacking and reverse engineering? 8. Bonus – iBoot bug hunting success story

4. NAND PINOUT

5. Board @key2fr reverse

6. Board @key2fr bugfix BUGFIX

7. SWD DEBUG

8. OpenOCD (git version)

9. Thunderbolt time Sonnet echo board bought from underground store… …

   to run NVMe under OSX. Main idea: NVMe controller for MacBook NAND is the same.

10. Thunder NAND • Sonnet Echo • @Key2fr NAND board

11. Driver for scratch buffer allocation

12. Use C++ to deriver the class

13. Enforcing system to use our driver

14. Success! • sdfsfsdfs

15. Dump time

16. Strings…

17. Linux driver story Code for Macbook 7,1 support is already

    in the kernel

18. Linux driver story • Scratch buffer allocation

19. Linux driver story • Mem allocation failure 8(. Still some

    research to do…

20. Reverse Engineering = HardwaRE + SoftwaRE 1.Hardware analysis 2.SWD debug

    3.Existing driver code analysis 4.Own driver development 5.iBoot dump 6.iBoot reverse 7.Platform attack

21. iBoot source code recovery OpenSSL used for Linux compatibility

22. AFL to fuzz’em all

23. BUG triggered!

24. BUG up to source code Exists in iBoot up to

    iOS 8.xx NULL pointer dereference – non exploitable

25. … Questions?