stacksmashing - The hitchhacker’s guide to iPhone Lightning & JTAG hacking
stacksmashing, Hacker, He/him
Presentation Title: The hitchhacker’s guide to iPhone Lightning & JTAG hacking
Length of presentation: 20 minutes
Demo, Tool
Apple’s Lightning connector was introduced almost 10 years ago - and
under the hood it can be used for much more than just charging an
iPhone: Using a proprietary protocol it can also be configured to give
access to a serial-console and even expose the JTAG pins of the
application processor! So far these hidden debugging features have not
been very accessible, and could only be accessed using expensive and
difficult to acquire "Kanzi" and "Bonobo" cables. In this talk we
introduce the cheap and open-source "Tamarin Cable", bringing
Lightning exploration to the masses!
In this talk we are diving deep into the weeds of Apple Lightning:
What’s “Tristar”, “Hydra” and “HiFive”? What’s SDQ and IDBUS? And how
does it all fit together?
We show how you can analyze Lightning communications, what different
types of cables (such as DCSD, Kanzi & co) communicate with the
iPhone, and how everything works on the hardware level.
We then show how we developed the “Tamarin Cable”: An open-source,
super cheap (~$5 and a sacrificed cable) Lightning explorer that
supports sending custom IDBUS & SDQ commands, can access the iPhone’s
serial-console, and even provides a full JTAG/SWD probe able to debug
iPhones.
We also show how we fuzzed Lightning to uncover new commands, and how
we reverse engineered some Lightning details hidden in iOS itself.
stacksmashing is a security researcher with a focus on embedded
devices: From hacking payment terminals, crypto-wallets, secure
processors or Apple AirTags, he loves to explore embedded & IoT
security. On his YouTube channel he attempts to make
reverse-engineering & hardware hacking more accessible. He is known
for trying to hack everything for under $5, which is probably related
to him living in the stingiest part of Germany.
https://youtube.com/stacksmashing
https://twitter.com/ghidraninja
REFERENCES:
- Nyansatan’s Lightning Post: https://nyansatan.github.io/lightning/
- Lambda Concept’s Bonobo Cable: http://blog.lambdaconcept.com/post/2...bootrom-debug/
- ipwndfu: https://github.com/axi0mX/ipwndfu
- Kanzi Cable Thread: https://mobile.twitter.com/1nsane_de...56941139337216
- stacksmashing’s SDQAnalyzer: https://github.com/nezza/SDQAnalyzer