Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7

DC7499
February 10, 2018

Transcript

  1. None
  2. iPhone NVM NAND Vladimir Putin & Oleg Kupreev

  3. Research plan
     1. PIN + SWD = Debug
     2. Native driver code
     3. iBoot and iOS drivers
     4. Own driver development. Donor wanted.
     5. OSX driver: C++ derived class. Super class. Driver dependency loading.
     6. Linux driver: patch standard driver to allocate DMA buffer
     7. What is hacking and reverse engineering?
     8. Bonus – iBoot bug hunting success story
  4. NAND PINOUT

  5. Board @key2fr reverse

  6. Board @key2fr bugfix BUGFIX

  7. SWD DEBUG

  8. OpenOCD (git version)

  9. Thunderbolt time: Sonnet echo board bought from underground store… to run NVMe under OSX. Main idea: NVMe controller for MacBook NAND is the same.
  10. Thunder NAND • Sonnet Echo • @Key2fr NAND board

  11. Driver for scratch buffer allocation

  12. Use C++ to derive the class

  13. Enforcing system to use our driver

  14. Success! • sdfsfsdfs

  15. Dump time

  16. Strings…

  17. Linux driver story: Code for Macbook 7,1 support is already in the kernel
  18. Linux driver story • Scratch buffer allocation

  19. Linux driver story • Mem allocation failure 8(. Still some research to do…
  20. Reverse Engineering = HardwaRE + SoftwaRE
      1. Hardware analysis
      2. SWD debug
      3. Existing driver code analysis
      4. Own driver development
      5. iBoot dump
      6. iBoot reverse
      7. Platform attack
  21. iBoot source code recovery OpenSSL used for Linux compatibility

  22. AFL to fuzz’em all

  23. BUG triggered!

  24. BUG up to source code: Exists in iBoot up to iOS 8.xx. NULL pointer dereference – non exploitable
  25. … Questions?