
Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7

DC7499
February 10, 2018

Transcript

  2. iPhone NVM NAND
    Vladimir Putin & Oleg Kupreev

  3. Research plan
    1. PIN + SWD = Debug
    2. Native driver code
    3. iBoot and iOS drivers
    4. Own driver development. Donor wanted.
    5. OSX driver: C++ derived class. Super class. Driver dependency loading.
    6. Linux driver: patch standard driver to allocate DMA buffer
    7. What is hacking and reverse engineering?
    8. Bonus – iBoot bug hunting success story

  4. NAND PINOUT

  5. Board @key2fr reverse

  6. Board @key2fr bugfix
    BUGFIX

  7. SWD DEBUG

  8. OpenOCD (git version)

  9. Thunderbolt time
    Sonnet Echo board bought from underground store…
    … to run NVMe under OSX.
    Main idea: NVMe controller for MacBook NAND is the same.

  10. Thunder NAND
    • Sonnet Echo
    • @Key2fr NAND board

  11. Driver for scratch buffer allocation

  12. Use C++ to derive the class

  13. Enforcing system to use our driver

  14. Success!

  15. Dump time

  16. Strings…

  17. Linux driver story
    Code for Macbook 7,1 support is already in the kernel

  18. Linux driver story
    • Scratch buffer allocation

  19. Linux driver story
    • Mem allocation failure 8(. Still some research to do…

  20. Reverse Engineering = HardwaRE + SoftwaRE
    1. Hardware analysis
    2. SWD debug
    3. Existing driver code analysis
    4. Own driver development
    5. iBoot dump
    6. iBoot reverse
    7. Platform attack

  21. iBoot source code recovery
    OpenSSL used for Linux compatibility

  22. AFL to fuzz’em all

  23. BUG triggered!

  24. BUG up to source code
    Exists in iBoot up to iOS 8.xx
    NULL pointer dereference – non-exploitable


  25. Questions?
