
Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7

DC7499
February 10, 2018


Transcript

  1. iPhone NVM NAND
    Vladimir Putin & Oleg Kupreev


  2. Research plan
    1. PIN + SWD = Debug
    2. Native driver code
    3. iBoot and iOS drivers
    4. Own driver development. Donor wanted.
    5. OSX driver: C++ derived class. Super class. Driver dependency loading.
    6. Linux driver: patch standard driver to allocate DMA buffer
    7. What is hacking and reverse engineering?
    8. Bonus – iBoot bug hunting success story


  3. Board @key2fr reverse


  4. Board @key2fr bugfix
    BUGFIX


  5. OpenOCD (git version)


  6. Thunderbolt time
    Sonnet Echo board bought from an underground store…
    … to run NVMe under OSX.
    Main idea: the NVMe controller for the MacBook NAND is the same.

  7. Thunder NAND
    • Sonnet Echo
    • @Key2fr NAND board


  8. Driver for scratch buffer allocation


  9. Use C++ to derive the class

  10. Enforcing system to use our driver


  11. Success!

  12. Linux driver story
    Code for Macbook 7,1 support is already in the kernel


  13. Linux driver story
    • Scratch buffer allocation


  14. Linux driver story
    • Memory allocation failure 8(. Still some research to do…

  15. Reverse Engineering = HardwaRE + SoftwaRE
    1. Hardware analysis
    2. SWD debug
    3. Existing driver code analysis
    4. Own driver development
    5. iBoot dump
    6. iBoot reverse
    7. Platform attack

  16. iBoot source code recovery
    OpenSSL used for Linux compatibility


  17. AFL to fuzz’em all


  18. BUG triggered!


  19. BUG up to source code
    Exists in iBoot up to iOS 8.xx
    NULL pointer dereference – non-exploitable
  20. Questions?