[Music]
The next talk is called "Apple's iPhone 15: Under the C", and it will be presented by stacksmashing, who is a rather well-known YouTuber with his account on YouTube about security, reverse engineering and hardware hacking. We will learn from Thomas Roth about the differences between the previous iPhone generations and the new iPhone generation, especially what changed with USB-C in the pursuit of root access. So take it away, Thomas Roth.

Yeah, hey, welcome to my talk, probably the worst pun on the Fahrplan today. I will talk about the iPhone 15 and the USB-C port on the iPhone 15, and what we can do in terms of hardware hacking on it.

First off, about myself: my name is Thomas Roth. I'm probably better known nowadays under my pseudonym stacksmashing. I'm a security researcher and hardware hacker. I run a small YouTube channel called stacksmashing, and you can find me on Twitter as ghidraninja. Together with LiveOverflow I also have a small training platform called hextree.io, if you're interested in that kind of stuff.

Now, before we start: with each talk, and especially each talk about the iPhone, this list gets longer, but there are always a lot of people whose work this is based on, whose work I took into account, who I talked to, who helped me out, and so on. So I want to start by just saying thank you to people such as Car Maran, who was my partner in crime on the Lightning stuff; Jiska, who helped me a lot and who actually was the initial motivation for this too; Caro, Fabian, Loo Sense, Lily, John, Lambdaconcept, all these folks did really amazing work. And on the USB-C side I want to thank Seusa, the t8012 team, Def Team, Marc Zyngier, osy of ThunderboltPatcher, Petra, and also the whole Asahi Linux team, without whom a lot of this stuff would not have been possible.

Now, before we start, a couple of clarifications. I will not talk about jailbreaking today. This is not a jailbreak, this is not a part of a jailbreak, no jailbreaking today. There will also be no exploits and no vulnerabilities. At least that was my initial plan, until, while doing all this, I accidentally found a couple of vulnerabilities, and so while I can't drop those today, they will hopefully be out somewhat soon, depending on triage and so on. What this talk will be about, however, is hardware exploration. We will take a look at the hardware on the iPhone 15, how it works, how it compares with the past of the iPhone, and so on and so forth.

Now, if you go back over 10 years, this is how iPhone connectivity looked: you had this 30-pin dock connector, which was awful, and we will not mention it today because there will be retro computing already. After the dock connector came Lightning, a proprietary connector by Apple that had the awesome feature of being reversible, much more compact and also less prone to just randomly breaking. Now, Lightning is your typical phone connector, right? It can do USB, audio, video, and obviously you can charge your phone with it. But those are not the interesting use cases of Lightning for me as a hardware hacker. If you go on AliExpress and other pages, you can find different cables for the iPhone. For example the DCSD cable, which will actually give you a serial port on the iPhone, and so if you plug this in you can see the serial boot log on certain devices, which is not particularly useful under normal circumstances, but it's still pretty interesting. Another very interesting cable is the so-called Kanzi cable. This cable is an Apple-internal cable that they use for debugging the iPhone, and it gives you access to JTAG and SWD on pre-production, so engineering or development, iPhones. This one is pretty interesting, and they sometimes pop up on the grey to black market, I guess, but they are not easily accessible. Luckily for us, a company called Lambdaconcept built their own Kanzi cable: they used an FPGA, I think, and an STM32, and they built a custom cable they call the Bonobo cable, which allows you to do JTAG and SWD on certain devices.

Now, I was talking about all of this with Jiska Classen, and she mentioned that the issue is that basically she can't buy a Kanzi cable, because the university will not reimburse her for a black market invoice, and she can't buy the Bonobo cable because it was out of stock for quite a while at that point in time. Now, I'm a hardware hacker, and so my reaction was obviously: we will just build our own. And so at 3:00 a.m., after a couple of gin tonics, we got out the logic analyzer and an iPhone 7 and we started looking at the signals.

Now, Lightning is pretty simple. If you take a look into the Lightning connector, after removing all the lint from your pocket, you can see eight golden contacts, and these are all the contacts there are. So while the connector has 16 pins, the plug only has eight pins. That is unless you have that one special iPad where they tried to do USB 3 by extending the Lightning connector, but we don't talk about that one. So basically we have eight contacts, and Lightning is as proprietary as you can probably make a connector. If you have a Lightning plug of a charging cable and you decap it, you will actually find that there's a full microcontroller in the Lightning cable. And so if you connect a Lightning cable to your computer and you look at the signals on a logic analyzer, you will see that there's a lot of stuff going on. The first thing that you can see is that before any USB communication starts, there's this proprietary protocol going on that basically talks between the chip in the cable and the iPhone, and they do stuff like say "hey, I'm a cable", they send over the serial number of the cable, and so on and so forth. Only relatively late, after sending a lot of data back and forth, does the actual USB communication start. So you can see it takes quite a while to set all that stuff up, and then eventually we can see the USB differential lines.

This protocol that is used to talk to the iPhone is called SDQ or ID bus. It's a pretty simple one-wire protocol, and what happens in the iPhone is basically that we use this SDQ or ID bus protocol to talk with a chip called Tristar, and Tristar is basically a multiplexer. Internally, to Tristar, there are connections to the internal serial buses, so to UART, to USB, to JTAG, and so on and so forth. When we plug in a Lightning cable, the iPhone will ask the cable "hey, what do you want the Lightning pins to be?", and then the cable will say, if you have a charging cable, "please speak USB and serial" and so on, and this will basically change the state of a couple of pins on the connector to be USB, to be serial, and so on and so forth. Now, all of this has been wonderfully documented for years, so this was not new when we did it; this has been known for like six years or something. It's a pretty simple protocol, and so we can pretty simply implement it ourselves, for example on a Raspberry Pi Pico. So we just take a Pico, we implement the protocol there, and then when we connect it to a phone, the phone asks "who's there?" and we just say "hey, I'm totally a USB serial cable", and then we can do this. All you need to build this is a Lightning extension cord from Amazon or so, connected up to your Pico, and then after a couple of lines of C we had a serial cable for the iPhone. We just invested 100 hours instead of spending $18 on AliExpress. Nice.

But serial is relatively boring. What about JTAG? Now, JTAG on the iPhone is actually SWD, which stands for Serial Wire Debug. It's basically the JTAG interface by Arm that uses fewer wires. The way JTAG is generally used is that you have a debug probe, which normally is a tiny device, and you have a target, which can be a microcontroller board under most circumstances, or a full-fledged iPhone, and we connect the debug probe to the target using two wires, a clock line and a data line. We call these SWCLK and SWDIO. We won't go into too much detail, but it's important to know that there are two signals that we need access to, basically. Using SWD we can halt the CPU, we can single-step, we can read memory, we can read registers and so on, all that interesting stuff. So we wanted to do that ourselves on the Pico, without having to buy a Kanzi cable. Easy enough: when the iPhone asks "who's there?", we just say "hey, please speak USB and JTAG to us", and then two of the pins on the Lightning connector will suddenly be JTAG. If you do this the messy way it will look like this: your desk is a mess and you have a debug probe separately connected to the Pico, to the iPhone, and a logic analyzer to see what's up. After a couple of hours of debugging and a week of fuzzing the SWD stack to figure out a missing bit, we actually got JTAG on the iPhone. Our probe connected, and we could do... nothing. Because unfortunately SWD can be locked, fully or partially. Basically, when you buy a device off the shelf, generally the SWD stack will be locked down, because you don't want anyone to just go to your phone, plug in a cable and dump memory, right? Sounds like a bad idea. And so production iPhones, and production devices in general, tend to have this SWD or JTAG interface completely locked down. Luckily for us, the checkra1n team found a vulnerability and built an exploit called checkm8, and with checkm8, which was a BootROM exploit for the iPhone 7, I think, till X, we can actually first compromise the BootROM, and then we can also demote the device. Demotion, basically, in the context of iPhones, means that we make the device debuggable again. If we do all of this, we can suddenly connect to the iPhone via OpenOCD, which is an open source JTAG tool, and we can start dumping memory and doing all the fancy stuff that you might want to do. As you can see, we see all the CPU cores, the memory APs, and so on and so forth.

So we did all that, and we put that all into the Pico. We put the full debug probe into the Pico, we put the SDQ bridge in there to actually talk the Lightning signals, and so on, and in the end we were left with this small setup where you have a Lightning extension and you can actually debug the iPhone 7 to X using this, or you can read memory, and so on and so forth. This was apparently helpful to a couple of people, which was really nice. Now obviously this needs a name. All these cables that you can buy are named after apes, and so we have the Kanzi cable, the Kong cable, the Chimp or Chimpanzee cable, the Bonobo cable, but luckily for us they didn't yet choose the best monkey, which is the tamarin monkey, because it has this super impressive mustache. So we called ours the Tamarin cable, and this is all open source, you can find it on GitHub. We also did some hardware at some point, but the chip shortage kind of got in the way, and so now, given that Lightning is on the way out, we are not producing any hardware or so. It's fully open source, it gives you a serial console, an SWD probe, you can do reset, DFU and so on, and it supports iPhone, iPad and Apple Watch now too, thanks to Teamster, and it costs roughly $10 to build. Awesome, work done.

But then something happened which kind of got in the way of making my work useful. Basically, with the iPhone 15: "so we're bringing USB-C to iPhone 15, it enables charging, transferring data, playing audio and video". All that work for nothing, basically. So Tamarin is dead, and what's even worse, in this presentation they didn't mention all the other interesting stuff you can hopefully do via USB-C, such as JTAG and serial. Now, if you look at the technical aspects of USB-C: USB-C has a lot of pins, and so, given what we just saw was possible on Lightning iPhones, I was hopeful that maybe we can somehow map our SWD onto some of these, right? I mean, we have enough pins, should be possible, and they still need to debug the iPhone somehow, and so hopefully for us there are ways to do exactly that.

Now, the iPhone 15 is not the first USB-C device by Apple, right? The MacBook has been USB-C for years, the iPad has been USB-C and so on, but I never looked at any of those. I didn't really have a lot of interest, I would say, until the iPhone 15, mainly because after I published Tamarin I got a lot of messages: "well, what about USB-C?", this, that, and so on. It turns out that other people actually took a look at USB-C on these devices. For example, the t8012 team actually analyzed the Type-C port controller that Apple uses in their MacBooks, all the Intel MacBooks; they actually dumped the firmware of this Type-C controller. This is a photo that was nicely shared by Home User, and this still works on modern M1 MacBooks, right? You can still dump the firmware using a debug probe in-system. This is pretty cool, because it allows you to exactly analyze what's going on on this Type-C controller, whereas on the Tristar we never actually had a firmware to analyze what was actually possible, at least I hadn't.

Now, what they found out is that basically USB-C uses something called configuration channels, and this configuration channel is basically used for USB Power Delivery negotiation. When you plug a charger into your MacBook, the charger will send a message to the MacBook saying "hey, I can offer 5 volts, 9 volts, 20 volts, whatever", and then the MacBook will say "oh yeah, give me 20 volts and 3 amps", and then the power supply will say "all right", turn on the power supply and mention to the device that it's ready. All of this is done via these configuration channels, and that's not done like on USB 2 with random resistor values and whatever, but instead we have a full protocol, a full bidirectional protocol going on there, that basically uses Manchester coding and so on and so forth. One of the features, if you read the USB PD specification, is called VDM, which stands for vendor defined messages. Basically a vendor can take the USB-C Power Delivery communication and add custom commands to it, and the t8012 team found that Apple did exactly that, and so they called it Apple VDM. They were able to reverse engineer the firmware and found out that, for example, there's an action 0x10 that, when you send it to the iPhone, or sorry, to the MacBook at the time, will reply with a list of supported actions, and we can send those actions to the MacBook and to this chip and see what happens.

Just by analyzing what's going on around the USB port on MacBooks: the port on the left, furthest away from you, is the most powerful port, because it contains a lot of additional debugging interfaces and so on. On the inside we basically have the MacBook, we have the Type-C controller in the MacBook directly in front of the USB-C port, and we call that controller ACE; that's just a string that's in the firmware. There are different versions of ACE, and so currently we know of ACE1, ACE2 and ACE3. ACE is basically the gateway from USB-C to the system on chip in the iPhone, and so ACE does the USB or Thunderbolt negotiation, it also can provide a serial console, and much more. This ACE chip can basically be used to map different functionality onto certain pins on the USB-C connector. For example, if we send VDM action 0x306, we get serial on our USB-C port. So very, very similar to what we saw on Lightning iPhones, just a tad more on USB-C.

But how can we actually send VDMs? This is not something you can just do using libusb, or that you can just do from user space normally. But the awesome folks from Asahi Linux found out that they can write a tool, called macvdmtool, that is based on another tool by osy called ThunderboltPatcher, that allows them to send these VDM commands from a Mac to another Mac. This macvdmtool even supports serial, so you can actually use your Mac as a serial console for another Mac; it supports rebooting the device, and it even supports putting it into DFU, using these custom VDM commands. So my hope was: if it works on the other devices, and it works on the iPad and so on, maybe this works on the iPhone 15 too. So I pre-ordered the iPhone 15, and on the day I got back from holidays the iPhone 15 finally arrived and I could give this a try. It turns out it's the same on the iPhone 15: we can use VDM to reconfigure the USB-C port to do interesting things, such as getting the serial boot output of the iPhone.

Now, using macvdmtool, for me as a hardware hacker, not in general, has a couple of disadvantages. First off, because it's Mac to Mac, it only supports serial, DFU and reboot basically, and I need an additional breakout to access the other USB-C pins to work with anyway. Also, enabling the serial console requires disabling System Integrity Protection and customizing the kernel, and after I did that, on the next upgrade my kernel didn't boot anymore and I had to figure out how to restore that and so on, which is easy, but it's not particularly comfortable. Then I found out that somebody else felt the same way, and so Marc Zyngier, aka maz at kernel.org, designed the Central Scrutinizer, basically a piece of hardware that is a hardware serial adapter for these MacBooks. It does this whole USB Power Delivery negotiation and then turns the Mac into the mode where it speaks serial, basically very similar to Tamarin. It also uses the Pico, and it uses the FUSB302 to speak Power Delivery and then enables level shifters to speak serial.

Now, I was very hopeful that I could just use this board, modify it a bit, and be ready to debug the iPhone, but unfortunately it didn't work. When I hooked it up, I can plug it in and I can see some activity, but it didn't work. So I started measuring. At that point in time I wasn't particularly familiar with Power Delivery, and just fiddling around sounded better than reading a 600-page specification, so I just started measuring, and I found out that basically the charging voltage, or the 5 volt rail of the USB-C plug, was dropping when you plugged in the iPhone. So I modified the Central Scrutinizer, added a small USB switch to provide power, did some very minor firmware modification, and suddenly it worked, sometimes. So I could basically use the Central Scrutinizer, which gives me access to all the interesting pins, to reboot the iPhone, and I could even get serial on my logic analyzer, and so on and so on.

But again, right, now we just have serial, like, big [ __ ], we just had serial using macvdmtool too. But on the Asahi Linux wiki there's a huge article about USB Power Delivery on the iPhone, sorry, on the MacBooks, and they found a lot of different commands there. For example, they found actions that let you reboot the device, they found actions that let you go into DFU, debug USB, they even found some I2C buses that you can map to there. At the very bottom of the page was this small sentence here: "o26 weak, good chance this is SWD". Exactly what we're looking for, right? So I modified the Central Scrutinizer firmware to send that command over, connected my debug probe, and after debugging this for, again, a couple of hours, I was successful: I could connect with my debug probe, and we can see that it says "found debug port with ID 0x4BA02477", which indicates that yes, we are talking JTAG to the iPhone 15. Awesome, finally! Unfortunately, this "found SWDP" is the only good thing in the entire log, because the rest are errors. We can't debug, obviously, because it's a production device, right? We didn't really expect this to work, I just wanted to see if it can be done. So basically, wasted a lot of time, right? Or did we?

It turns out that basically in the device there's a debug port, and we can connect to this debug port using SWD, and this debug port in turn gives us access to the other access ports in the device. There might be memory access ports, there might be internal memory buses or JTAG APs, and so on and so forth, and while we can't do anything useful on the iPhone, we can still explore the APs. So, for example, let's quickly try to do a hardware demo on stage, great idea. I have an iPhone here connected to some hardware, and we can see it says "communication initialized". I'm going to go into JTAG mode, it says "JTAG mode enabled", and now I can just use OpenOCD, using the Tamarin interface and the iPhone 15 target, and we can actually connect to this, and for example, I tested this demo before, read certain memory of the debug interface. This is not particularly useful, and we can even, whoops, we can even enumerate all the other access ports, and we can see that there are only two access ports available: one MEM-AP, which is basically just something of the debugging hardware, and then also an additional JTAG AP. This is not particularly useful, right? So we got JTAG, but unfortunately it's completely useless on the iPhone 15. Somebody else told me that it actually works to debug on the MacBooks with T2, but that's not something that I'm particularly interested in. So at this point I wasted a ton of time and a ton of hours to basically get essentially nowhere.

However, in the documentation I showed earlier there were also other buses mentioned, right? If we look at the wiki we can, for example, see that on MacBooks there are two commands that map I2C buses onto the USB-C connector, so let's explore the other buses. But for that I needed slightly different hardware, because I didn't want to fiddle around with having a very rough setup every time, and so instead I reached out to Marc and I asked "hey man, I did this Tamarin in the past, do you mind if I do a Central Scrutinizer-ish device and call it Tamarin-C?" and so on, and he was like "no, please go". So I designed a board I call Tamarin-C, which basically uses four bidirectional level shifters, so we get access to all the interesting pins that we can get through a USB-C cable. It has a USB power switch, so while we do this we can actually charge the iPhone, because on Macs you have enough USB ports to also just plug in a power supply, but on the iPhone we only have a single port. It also has a full SWD probe integrated, as you just saw. Hardware and software will be fully open source later today, I even have some PCBs to give away. Basically, with Tamarin-C I'm now able to do the same as with macvdmtool: I can, for example, reboot the device, and then it will enter the serial console and we get the serial boot output of the iPhone 15.

But we want to explore the other buses, and it turns out that using VDMs we can map three different functionalities onto the USB-C port. We can map things onto the sideband use pins, which require a USB 3 cable; we can map them onto the upper pair, which is never connected by a cable, so we would have to put a plug onto our device; and we can map stuff to the lower differential pair. So we can map three different things at the same time to investigate. Basically, I hooked up a logic analyzer to all pins that we can map things to, I connected Tamarin to my computer, and then I started by looking at what actions are actually available on the iPhone. We saw this earlier, that the t8012 team reverse engineered a couple of the actions, and the iPhone is nice enough that there's actually functionality, whoops, there's actually functionality to get the supported actions. For example, in Tamarin, using the firmware, you can just press F and this will retrieve all these supported VDM actions. It will also tell you which ones we already know about and which ones we may not know about yet, that we can investigate.

Based on that, I started the logic analyzer and started recording what's going on on the device when it boots. We can see there's a bit of activity on the different buses that we have mapped, and a couple of these are fairly interesting. The first one that we can look at is this one up here, which is some 6 MHz baud rate UART, which I've never seen anywhere else, and then we also have this other weird signal here. This signal is kind of interesting, because it looks like I2C on the first look, or SPI or so, but it actually isn't. The first question when you see a protocol is: where does it come from, which part of the device actually causes it? I talked to Jiska and explained to her "hey, I have no idea where this signal comes from, do you have an idea how I can figure it out?", and she mentioned that on the iPhone you have a tool called sysdiagnose, and with sysdiagnose you can test all the hardware in the phone, and it will generate a log file that you can then analyze on your computer. So I could potentially correlate that. So I built a small app that shows the current kernel time, started the analysis and sniffed the entire thing on the logic analyzer, and eventually I could see some data traffic on the lines I was interested in, and I could basically figure out the point in time where the interesting stuff happened. Now, funnily enough, this works best with a gaming monitor, because you have a higher refresh rate, and so your timestamp gets much more precise. So if you need an excuse to buy a 144 Hz monitor... Then I analyzed the log, this took a bit of time, and I eventually found that the activity happens every time that a tool called hpmdiagnose is started or terminated. hpmdiagnose is also available on Apple Silicon Macs, and so there's a lot of similarity between the iPhones and the Macs. Nicely enough, you actually get a man page on the Mac that tells you "hey, this is a tool to help troubleshoot USB-C issues". So I ran the same tool on my MacBook and sniffed the traffic at the same time, and it turns out that on the MacBook there's this control channel that goes from the system on chip to the ACE, and that one we basically can see and sniff using Tamarin on the MacBook Pro.

But we just saw that this signal is not I2C: it has a clock line that's idle low, which is physically not possible for I2C, and also it has a very weird amount of bits, like 13-bit transmissions and so on, it has this weird activity on the data line which I don't understand, and so on and so forth. After a lot of googling random things, it turns out that this is actually SPMI, or the System Power Management Interface. I had never seen this in my life before, and luckily there's a very extensive Wikipedia article that explains all the details about this: it's exactly three sentences long, and only tells you that SPMI is specified by the MIPI Alliance, and that's basically it. So then you try to visit the MIPI Alliance and are greeted by this error message: insert coin to continue. To get access to this standard I would have to become a MIPI adopter or contributor. Luckily, slash unfortunately, I earn less than 250 million a year, so it would just have been 4,000 bucks annually. And so, things you totally should not search: "filetype PDF MIPI confidential SPMI".

[Applause]

Which unfortunately in my case totally did not give me the first version of the specification, which didn't outline all commands. But then I found this 58-minute video on YouTube in which someone happened to open the command sequence for MIPI 2.0, which we now fully have, and so I could start analyzing this, could take a look, and could actually build what I believe to be the first open source logic analyzer plugin for SPMI. You will be able to find this on GitHub later today. It turns out that the communication we are seeing is the communication with the ACE3 in the iPhone. So in my MacBook I have an ACE2, which apparently speaks I2C, and in the iPhone we have an ACE3, which is this SN201 chip. So it looks like basically the system on chip talks to the ACE3 using SPMI, maybe, I don't know, because there are a couple of more interesting things in the logic trace. For example, if you look at the registers of the device, it actually claims to be speaking I2C, so maybe there's some weird SPMI-to-I2C bridge going on. I don't know. But I decided that not everyone has a logic analyzer, and so I actually implemented SPMI sniffer support on Tamarin-C, including an ACE3 decoder, so you're now able to analyze the ACE traffic on your iPhone externally. I also tested a basic transceiver, but I can't get it to respond via USB-C, it only works in-system, and I will publish this once I get it fully working.

So now we've looked at a lot of buses, we figured out we can communicate with some of them, and so on and so forth. Was there anything interesting beyond just looking at the port? Well, it turns out that on one device, that I will not mention today, I was actually able to find and also kind of exploit a vulnerability using Tamarin-C, by speaking to one of the buses. I will also say it's not the iPhone 15. I also found one potential low to mid severity vulnerability in some of the other USB-C devices; they're more interesting, let's say. So hopefully after the 90 days are up, of which I think 85 are remaining, because I had to disclose on Christmas, we will have something interesting. But still, I got some stuff for you today. Releases: the hardware and firmware for Tamarin-C will be released, the SPMI analyzer will be released, the sniffer and the I2C transceiver will be released. So now you can actually experiment with USB-C on the iPhone and on the MacBooks in a simpler fashion. It's not perfect, it's hacker firmware, it's not super stable, but it should work. I also had an issue in my first revision, and so on like the 21st of December I had to order new PCBs, and Aisler was nice enough to super rush these so they got to me before Christmas, and they were also nice enough to give me 100 PCBs to give away today. So if you're interested in this, feel free, I have 100 PCBs with me and I also have some parts, so if you plan to hack something on site, let me know, and maybe I can give you a couple of parts to set this up.

Now, before we stop: if you ever want to dump ACE, you can actually use Tamarin now to dump the ACE in-system, so if you have good motor skills and are good at soldering, Tamarin can be used for that. Finally, before we go, there's also something called Cen system, and so some people think that in the future USB-C will not be used for debugging anymore, but instead there's a debugging probe already integrated into the iPhone. You can enter that mode using VDM, and there's some work out there. I've not really looked at it, but I want to encourage you all to maybe take a look and have a look at that system. One last fun fact: the iPhone 15 is actually not the first iPhone that speaks USB-C. It turns out that when you connect a USB-C to Lightning cable to your iPhone, then it will actually tell the Lightning cable to please speak USB-C, and then it will actually map USB-C Power Delivery onto the Lightning connector, and so you can do USB-C over Lightning while you're on USB-C, so, I mean, all right. And with that, that's all I have for you today, so thank you so much for coming.
[Music]
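An added example, not code from the talk or from the Tamarin projects: a small Python decoder for two identifiers that come up in the talk. The first is the USB Power Delivery message header plus the vendor-defined-message (VDM) header that a CC-line sniffer such as a logic analyzer or Tamarin-C sees, with a helper that surfaces VDMs whose SVID is not the standard PD SID, since that is the class of message the talk uses to remap what the USB-C pins carry. The second is the Arm ADIv5 DPIDR value 0x4BA02477 that the SWD probe reported, split into its designer, version, part and revision fields. Field layouts are from the public USB PD 3.x and Arm ADIv5.2 specifications; the PD sample messages and the SVID 0x1234 are constructed for the example, and the block does not encode Apple's own VDM action format, which the talk does not spell out.

```python
"""Decoders for two identifiers seen while exploring a USB-C port the way the
talk does: the USB Power Delivery (PD) message header and the vendor-defined
message (VDM) header carried on the CC line, and the Arm ADIv5 Debug Port ID
register (DPIDR) that an SWD probe reads once a debug port answers.

Field layouts follow the public USB PD 3.x and Arm ADIv5.2 specifications.
Sample PD messages below are constructed for this example; the DPIDR value
0x4BA02477 is the one quoted in the talk.
"""
from dataclasses import dataclass
from typing import List, Optional

PD_SID = 0xFF00        # USB-IF standard SVID used by structured VDM discovery
VENDOR_DEFINED = 15    # PD data message type "Vendor_Defined"

# Structured VDM command numbers and command types (USB PD 3.x).
SVDM_COMMANDS = {1: "Discover Identity", 2: "Discover SVIDs", 3: "Discover Modes",
                 4: "Enter Mode", 5: "Exit Mode", 6: "Attention"}
SVDM_COMMAND_TYPES = {0: "REQ", 1: "ACK", 2: "NAK", 3: "BUSY"}


@dataclass
class PdHeader:
    message_type: int       # bits 4:0
    message_id: int         # bits 11:9
    num_data_objects: int   # bits 14:12 (0 for control messages)
    extended: bool          # bit 15


def decode_pd_header(header: int) -> PdHeader:
    return PdHeader(message_type=header & 0x1F,
                    message_id=(header >> 9) & 0x7,
                    num_data_objects=(header >> 12) & 0x7,
                    extended=bool((header >> 15) & 1))


@dataclass
class VdmHeader:
    svid: int                               # bits 31:16
    structured: bool                        # bit 15
    command: Optional[int] = None           # structured only: bits 4:0
    command_type: Optional[str] = None      # structured only: bits 7:6
    object_position: Optional[int] = None   # structured only: bits 10:8
    vendor_use: Optional[int] = None        # unstructured only: bits 14:0


def decode_vdm_header(vdo: int) -> VdmHeader:
    svid = (vdo >> 16) & 0xFFFF
    if (vdo >> 15) & 1:
        return VdmHeader(svid, True, command=vdo & 0x1F,
                         command_type=SVDM_COMMAND_TYPES[(vdo >> 6) & 0x3],
                         object_position=(vdo >> 8) & 0x7)
    return VdmHeader(svid, False, vendor_use=vdo & 0x7FFF)


def describe_pd_message(header: int, data_objects: List[int]) -> str:
    """Summarise a captured PD message. VDMs whose SVID is not the PD SID
    carry vendor-specific commands (the kind that remap USB-C pin functions),
    so a sniffer should flag them rather than fold them into normal traffic."""
    h = decode_pd_header(header)
    if h.message_type != VENDOR_DEFINED or h.num_data_objects == 0:
        return f"PD message type {h.message_type} ({h.num_data_objects} data objects)"
    v = decode_vdm_header(data_objects[0])
    if v.svid == PD_SID and v.structured:
        return f"standard VDM: {v.command_type} {SVDM_COMMANDS.get(v.command, v.command)}"
    kind = "structured" if v.structured else "unstructured"
    payload = f"command={v.command}" if v.structured else f"vendor_use=0x{v.vendor_use:04X}"
    return f"VENDOR-SPECIFIC {kind} VDM SVID=0x{v.svid:04X} {payload}"


@dataclass
class Dpidr:
    designer_continuation: int  # bits 11:8, JEP106 continuation (bank) code
    designer_identity: int      # bits 7:1, JEP106 identity code
    version: int                # bits 15:12, DP architecture version
    min_dp: bool                # bit 16, MINDP (minimal debug port implementation)
    partno: int                 # bits 27:20
    revision: int               # bits 31:28


def decode_dpidr(value: int) -> Dpidr:
    if not value & 1:  # bit 0 of a valid DPIDR always reads as one
        raise ValueError("not a valid DPIDR: bit 0 is clear")
    return Dpidr(designer_continuation=(value >> 8) & 0xF,
                 designer_identity=(value >> 1) & 0x7F,
                 version=(value >> 12) & 0xF,
                 min_dp=bool((value >> 16) & 1),
                 partno=(value >> 20) & 0xFF,
                 revision=(value >> 28) & 0xF)


def designer_name(d: Dpidr) -> str:
    # JEP106: Arm Ltd is identity code 0x3B in bank 4 (continuation code 4).
    return "Arm Ltd" if (d.designer_continuation, d.designer_identity) == (4, 0x3B) else "unknown"


if __name__ == "__main__":
    # Constructed samples: header for one data object, PD revision 3.0, Vendor_Defined.
    vdm_hdr = (1 << 12) | (2 << 6) | VENDOR_DEFINED
    print(describe_pd_message(vdm_hdr, [(PD_SID << 16) | 0x8000 | (1 << 13) | 1]))
    print(describe_pd_message(vdm_hdr, [(0x1234 << 16) | 0x0010]))
    d = decode_dpidr(0x4BA02477)  # value from the talk's OpenOCD output
    print(f"DPIDR: {designer_name(d)} DPv{d.version} part 0x{d.partno:02X} rev {d.revision}")
```

Run it as a script to see the three decoded lines; the DPIDR from the talk decodes to an Arm Ltd DPv2 debug port, which matches OpenOCD recognising the port while every access behind it stayed locked.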