37C3 - Apple's iPhone 15: Under the C

  • Published 1 Jun 2024
  • media.ccc.de/v/37c3-12074-app...
    Hardware hacking tooling for the new iPhone generation
    If you've followed the iPhone hacking scene you probably heard about cables such as the Kanzi Cable, Kong Cable, Bonobo Cable, and so on: Special cables that allow access to hardware debugging features on Lightning-based iPhones such as UART and JTAG. However with the iPhone 15, all of those tools became basically useless: USB-C is here, and with that we need new hardware and software tooling.
    This talk gives you a brief history of iPhone hardware hacking through the Lightning port, and then looks at the new iPhone 15, and how - using vendor defined messages, modifying existing tooling like the Central Scrutinizer, and a bit of hardware hacking - we managed to get access to the (unfortunately locked on production devices) JTAG interface exposed on the USB-C port on the new iPhone 15.
    And how you can do it using open-source tooling too.
    The iPhone's Lightning connector was a proprietary beast with a lot of hidden features: By sending custom SDQ commands there, it was possible to get it to expose hardware debugging features such as JTAG and UART. For a long time, this was only easily possible using either gray and black-market cables such as the Kanzi-Cable, or proprietary tools such as the Bonobo Cable. Last year, we released an open-source tool to get access to the iPhone debugging features called the Tamarin Cable - finally allowing anyone to get JTAG and UART on the iPhone for just a couple of $ in parts.
    But then the iPhone 15 came along, and with that USB-C: All previous hardware and software tooling basically became useless, but that did not stop us from trying: We knew from the Apple Silicon Macs and the work of t8012-team and the AsahiLinux project that Apple uses USB-C's VDM feature - Vendor Defined Messages - to allow access to features such as the UART console, and so chances were high that we could use something similar to get access to the hardware debugging features on the iPhone 15.
    So we pre-ordered the iPhone 15, a couple of PCBs, a case of Club Mate and got started: And less than 48 hours after the launch we got JTAG working on the iPhone 15.
    In this talk we will start by looking at the history of iPhone and Lightning hardware hacking, and then look at how USB-C is used for debugging on Apple Silicon devices, and what we had to do to get JTAG on the iPhone 15.
    We will also use this talk to release the new version of the open-source Tamarin Cable firmware: Tamarin-C, a fully integrated, open-source debugging probe for the iPhone 15 and other Apple Silicon devices. Tamarin-C is also able to give access to a DFU mode that you can't access without sending VDMs.
    Note: This talk will not contain any 0days or previously unknown vulnerabilities. Production iPhones are locked, and so while we get access to some of the device's buses we can't, for example, access the CPU core.
    This talk is about building tooling for future work.
    stacksmashing
    events.ccc.de/congress/2023/h...
    #37c3 #Security
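The description above says Apple exposes debug features over USB-C through USB Power Delivery Vendor Defined Messages (VDMs). As an added example, not code from the talk or the Tamarin-C project, here is a small Python encoder/decoder for the 32-bit VDM header as laid out in the public USB PD specification: it tells structured from unstructured VDMs, names the standard structured commands, and prints a one-line summary per message of the kind you would want when reading a logic-analyzer dump. The PD SID 0xFF00 is the spec's standard ID; the SVID 0x1234 and payload 0x0042 are constructed values. The page does not give Apple's actual VDM commands, and none are reproduced here.

```python
"""Encode and decode the 32-bit header word of a USB Power Delivery
Vendor Defined Message (VDM).

Added example, not code from the talk or from Tamarin-C. Field layout
follows the public USB PD specification. SVID 0x1234 and the payload
0x0042 below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

PD_SID = 0xFF00  # USB PD Standard ID used for the standard structured commands

# Standard Structured VDM command codes (header bits 4:0).
STRUCTURED_COMMANDS = {
    1: "Discover Identity",
    2: "Discover SVIDs",
    3: "Discover Modes",
    4: "Enter Mode",
    5: "Exit Mode",
    6: "Attention",
}
# Structured VDM command types (header bits 7:6).
COMMAND_TYPES = {0: "REQ", 1: "ACK", 2: "NAK", 3: "BUSY"}


@dataclass
class VdmHeader:
    svid: int                              # bits 31:16  Standard or Vendor ID
    structured: bool                       # bit 15      1 = Structured, 0 = Unstructured
    version_major: Optional[int] = None    # bits 14:13  (structured only)
    version_minor: Optional[int] = None    # bits 12:11  (structured only)
    object_position: Optional[int] = None  # bits 10:8   (structured only)
    command_type: Optional[int] = None     # bits 7:6    (structured only)
    command: Optional[int] = None          # bits 4:0    (structured only)
    vendor_bits: Optional[int] = None      # bits 14:0   (unstructured only)

    def command_name(self) -> str:
        """Human-readable name of the command carried in the header."""
        if not self.structured:
            return "vendor-defined"
        if 16 <= self.command <= 31:
            return f"SVID-specific 0x{self.command:02x}"
        return STRUCTURED_COMMANDS.get(self.command, f"reserved 0x{self.command:02x}")


def decode_vdm_header(word: int) -> VdmHeader:
    """Split a 32-bit VDM header word into its fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("VDM header must be a 32-bit value")
    svid = word >> 16
    if (word >> 15) & 1:
        return VdmHeader(
            svid=svid, structured=True,
            version_major=(word >> 13) & 0x3,
            version_minor=(word >> 11) & 0x3,
            object_position=(word >> 8) & 0x7,
            command_type=(word >> 6) & 0x3,
            command=word & 0x1F,
        )
    # Unstructured: everything below bit 15 is up to the vendor.
    return VdmHeader(svid=svid, structured=False, vendor_bits=word & 0x7FFF)


def encode_structured(svid: int, command: int, command_type: int = 0,
                      object_position: int = 0, version_major: int = 1,
                      version_minor: int = 0) -> int:
    """Build a Structured VDM header (bit 15 set)."""
    if not 0 <= svid <= 0xFFFF or not 0 <= command <= 0x1F:
        raise ValueError("SVID must fit in 16 bits, command in 5 bits")
    return ((svid << 16) | (1 << 15)
            | ((version_major & 0x3) << 13) | ((version_minor & 0x3) << 11)
            | ((object_position & 0x7) << 8) | ((command_type & 0x3) << 6)
            | command)


def encode_unstructured(svid: int, vendor_bits: int) -> int:
    """Build an Unstructured VDM header (bit 15 clear)."""
    if not 0 <= svid <= 0xFFFF or not 0 <= vendor_bits <= 0x7FFF:
        raise ValueError("SVID must fit in 16 bits, vendor bits in 15 bits")
    return (svid << 16) | vendor_bits


def describe(word: int) -> str:
    """One-line summary of a header word, as you would print per captured message."""
    h = decode_vdm_header(word)
    if h.structured:
        return (f"0x{word:08x} SVID=0x{h.svid:04x} structured v{h.version_major}.{h.version_minor} "
                f"{COMMAND_TYPES[h.command_type]} {h.command_name()} objpos={h.object_position}")
    return f"0x{word:08x} SVID=0x{h.svid:04x} unstructured vendor_bits=0x{h.vendor_bits:04x}"


if __name__ == "__main__":
    # Constructed sample capture: a standard Discover Identity request and its
    # ACK, then an unstructured message with a made-up SVID. Not real traffic.
    sample = [
        encode_structured(PD_SID, 1),                  # Discover Identity REQ
        encode_structured(PD_SID, 1, command_type=1),  # Discover Identity ACK
        encode_unstructured(0x1234, 0x0042),           # constructed vendor message
    ]
    for w in sample:
        print(describe(w))
```

The split on bit 15 is the part worth remembering: standard PD discovery traffic is structured and fully described by the spec, while anything vendor-specific (including the Apple messages the talk discusses) is unstructured, so a decoder can only label the SVID and show the raw 15 vendor bits unless the vendor's format is known.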

COMMENTS • 25

  • @Rosigeredder
    @Rosigeredder 4 months ago +74

    Please stop switching back and forth between the speaker in fullscreen and the slides.
    Just leave the speaker at the bottom right and the slides large at the top left. Sometimes you can't see entire slides at all because of this.

    • @carlt.8266
      @carlt.8266 3 months ago +2

      Yeah, what's that about?!

  • @cocusar
    @cocusar 4 months ago +61

    I watch this guy's UA-cam and I really like your content. It's really cool to see these hacks out in the wild, and not kept for select groups of hackers.

  • @SeriousM4x
    @SeriousM4x 4 months ago +20

    Man, I wish this was a whole series... great talk

  • @MazeFrame
    @MazeFrame 4 months ago +20

    So much work compressed into 36 minutes, damn!

  • @MiesvanderLippe
    @MiesvanderLippe 4 months ago +19

    Great presenter, cool research ánd brings giveaway boards. Amazing!

  • @maxmouse3
    @maxmouse3 4 months ago +8

    Absolutely love this talk! This is the reason I keep looking for CCC!

  • @frogz
    @frogz 4 months ago +2

    I don't know how this doesn't have more views already

  • @stereosteve1
    @stereosteve1 4 months ago +6

    Loved this!

  • @C4Ti0
    @C4Ti0 4 months ago +3

    Was watching like it's a thriller!
    Nice work, I hope I'm understanding enough 😅❤

  • @DuckTheDuckTheDuck
    @DuckTheDuckTheDuck 4 months ago +7

    Great talk

  • @philippw.147
    @philippw.147 4 months ago +2

    Very very cool! I loved it. Thanks for your work.

  • @metalpachuramon
    @metalpachuramon 3 months ago +3

    Interesting! I've been watching stacksmashing's channel, but I had never seen his face. It's nice to put a face to those hands, probes and Ghidra images 😂

  • @kwinzman
    @kwinzman 3 months ago +3

    Great talk. But the manufacturer should be forced to publish documentation about this by themselves, instead of people having to spend so much time to reverse engineer it.

    • @sambuko1003
      @sambuko1003 3 months ago

      They did back in the 90’s; for example, TESLA Czechoslovakia had whole documentations, but now we don’t have anything. It’s so sad and disgusting how people fight between each other.

  • @cameramaker
    @cameramaker 4 months ago +4

    The SPMIAnalyzer was taken down or not yet made public?

  • @stanvanillo9831
    @stanvanillo9831 4 months ago +3

    I honestly don't get any of it, but still a good video.

  • @norbertwielage6222
    @norbertwielage6222 4 months ago +1

    Very interesting 🙃

  • @serpent213
    @serpent213 4 months ago +3

    *tongue click* Nice!

  • @dameanvil
    @dameanvil 4 months ago +17

    00:51 📱 Thomas Roth, aka Stack Smashing, discusses hardware hacking on the iPhone 15, focusing on the USB-C port.
    02:28 🚫 No jailbreaking or exploits discussed, but the talk centers on hardware exploration, comparing iPhone generations, and the pursuit of root access.
    04:36 📲 Lightning connectors in past iPhones had unique uses, such as accessing a serial port or utilizing a specialized cable for debugging.
    05:16 💡 Developing their own cable named Tamarin, Stack Smashing and team created a hardware solution for accessing JTAG and SWD on iPhones.
    11:49 🔗 Tamarin cable is open source, providing a serial console, probe, reset, DFU support, costing around $10 to build.
    13:01 🆕 iPhone 15 introduces USB-C, rendering Tamarin cable obsolete; Stack Smashing explores the potential of USB-C for hardware hacking.
    18:37 🛠 Using the Mac VDM Tool and a breakout board, Stack Smashing demonstrates reconfiguring USB-C on iPhone 15 for serial output, showing potential for hardware exploration.
    20:27 📱 Modified "Central Scrutinizer" with USB switch for power, enabling access to iPhone pins for reboot and serial output.
    21:40 🧩 Discovered SWD (Serial Wire Debug) on iPhone 15, allowing connection with debug probe, but faced limitations due to production device.
    25:06 ⚙ Developed "Tamarin-C" hardware with USB-C cable, providing access to iPhone pins and integrating SWD probe, enabling exploration of various buses.
    27:14 🛠 Explored different buses using logic analyzer and Tamarin-C, identifying a 6 MHz B rate UART and SPMI (System Power Management Interface).
    32:45 🕵 Implemented SPMI sniffer support on Tamarin-C, decoding ACE3 communication on iPhone, potentially discovering vulnerabilities.
    33:54 💾 Announced release of Tamarin-C hardware and firmware, SPMI analyzer, sniffer, and I2C transceiver for experimentation with USB-C on iPhone and MacBooks.
    35:42 🔌 Shared that iPhone 15 is not the first iPhone with USB-C capabilities; using USB-C to Lightning cable allows USB-C power delivery over Lightning connector.

    • @ratvibe
      @ratvibe 3 months ago +1

      At least label your AI garbage

  • @creativevisualsnewzealand6723
    @creativevisualsnewzealand6723 3 months ago

    Yes please. How to purchase?

  • @carlt.8266
    @carlt.8266 3 months ago

    What extensions are those at 24:36 to the left of the address bar?

  • @LaurentLaborde
    @LaurentLaborde 2 months ago

    I'm not done watching, but why does he talk about Lightning on an iPhone 15? It's USB-C
    12:56: nvm :)