DEF CON 32 - From getting JTAG on the iPhone 15 to hacking Apple's USB-C Controller - Stacksmashing

Views: 239,726

DEFCONConference

1 day ago

Comments: 212
@yoothmag 1 month ago
I have absolutely no clue what I'm watching but I'm definitely here for it
@akbarudinmajid 1 month ago
Me too 😂😂
@Raaa010 1 month ago
Hahaha me the same 😂 but it's fun to watch
@carlos11111926 1 month ago
I'm an engineer and trust me.. I don't know it either xD
@TrykyShow 1 month ago
same here 😁😁
@pandaaa8449 1 month ago
real
@unsaltedskies 1 month ago
stacksmashing has to be the highlight of any defcon
@menno763 1 month ago
Hardware hacking is so insanely cool, I don't even want to know how many hours this all cost.
@akashsxo 1 month ago
have you fallen in love with someone? if yes, you don't track the time you spent with them, it's the same, he loves his art
@LoveDoveDarling 1 month ago
@@akashsxo Could you explain to me how this is relevant to the original comment? After reading both, I see that the original comment and reply are addressing different things. If you could elaborate, that would be great. Thanks.
@barbiani 1 month ago
So I am not telling you that it probably took all of his hours.
@akashsxo 1 month ago
@@LoveDoveDarling your name is enough ☺
@LoveDoveDarling 1 month ago
@@akashsxo Enough of what...?
@upmoep 1 month ago
There do be wizards walking among us mere mortals.
@xj0ex39 8 days ago
#WizardChan
@Mark-qt8fs 1 month ago
Never been more fascinated and confused at the same time...
@JonMasters 1 month ago
You only have to hear his name to know it's gonna be an absolute *banger* of a talk
@Pokornz 1 month ago
It really did sound like "sexmachine" 😂 Shows the importance of syllable stress (should have been pronounced stacksMAshing instead of stacksmaSHIng)
@xj0ex39 8 days ago
#Juju
@em00k 1 month ago
Persistence is the key! Top work!
@SalzmanSoftware 1 month ago
This just goes to show all the work that goes into the new Jailbreak every year! But seriously, this could allow a new semi-untethered Jailbreak!
@DreamBeamz 1 month ago
This is amazing honestly. Reminds me of the hacking of DirecTV's HU card in the early 2000's
@MLGPRO-dx8fg 29 days ago
If you can get to the chip on the iPhone, you could probably get an unpatchable jailbreak. Idk the extent of how the communication works between the SoC and ACE3 on the iPhone, but if you can compromise it before/during boot, then there's nothing Apple can do about it lol
@pietrekk1 24 days ago
@@MLGPRO-dx8fg this would make me come back to iPhone from Android
@Abhishek__Parihar 8 days ago
@@MLGPRO-dx8fg Has anyone done it on newer iOS versions? It's easy to get to the chip if it's outside of the sandwich board; it might be a little tough if it's inside.
@N30_W01f 15 days ago
Wow, amazing talk! And not only do you care about glitching the chip, you take extra steps to see how it could be reproduced with more commonly available hardware instead of expensive professional machines. That's amazing, and awesome for you to do that!
@lahtin3n 1 month ago
I just watched 36 minutes of something I have absolutely 0 knowledge or understanding of. This was interesting.
@thisaintart 1 month ago
Same 😂
@artificialpg 1 month ago
Sameee
@doublepinger 1 month ago
Voltage fault injection reminds me of some laptops to be re-sold at work. The BIOS / UEFI was password protected, but they were a "higher-end" model with a "secured boot failure" feature... if the BIOS repeatedly failed to initialize, a re-flash or such would occur. By ever so slightly shorting one of the TX pins to ground while it was booting, it would reboot... to a Factory Initialization message. Haha yeah, one only needed to enter the serial number printed on the laptop, and it would then "be that laptop", as well as save a password and then immediately clear it, because otherwise it was still on the flash, recalling. I recovered like 7 or 8 of 10 laptops that way.
@BillAnt 1 month ago
Those days are over, everything is encrypted now.
@huntards 1 month ago
Had to do this with a lot of old Chromebooks
@dh2032 1 month ago
How come you drop a story like that and not detail what laptop model it was and which pin got shorted out a little (did you use a resistor or something for the "shorting a little" part, or just a paper clip? 🙂
@doublepinger 1 month ago
@@dh2032 It was a Dell model, but it was over a year ago, one of many I worked on. I just had a small metal tool, like a flathead, and I was scraping one side of what I believed to be the BIOS chip (tiny little 8-pin DIP). If I scraped too early it wouldn't boot at all, but there was a certain part of its LED flashing iirc, I could time it. The fan sounds would be different, and rebooting (without contact?) would boot it into the "Manufacturing" mode.
@Noam3k 1 month ago
@@doublepinger I have a similar story with one of my previous PC builds. PC froze while updating BIOS during first setup, seemed to be fully bricked. Looked online, turned out the only option is to go ahead with a return. Which would suck as I was just setting up a new build after waiting on the parts for quite a while. One user described a similar issue on a different motherboard model, and he was able to short two pins to get the DUALBIOS thing to kick in and undo the brick. The issue was that they had a different mobo, and the schematic of the pins from the manual they attached didn't correspond to the chip on my motherboard. Had to go to my board's manual, find the chip on my board, look up the model, look up the chip's specs, look at the routing of the pins and compare to the chip the other user posted. I remember the pins were named differently, so that required some deep diving into the docs to find that XYZ on my board's chip corresponds to ZYX on the other board's chip. Once I was sure which of the pins to short, I was like 49% sure it would go up in flames, 49% sure I'd get electrocuted, and 2% sure it would work. Insulated myself from the paperclip I was using, and was shaking quite a bit while trying to only touch the 2 of the 8 pins required lol But I went ahead... AND IT WORKED! Shorting the 2 pins unbricked the BIOS brick, and I was able to proceed with the updates without any other issues. Felt like I'm a wizard & it was amazing that I didn't have to RMA a new motherboard that got bricked during a BIOS update. One of my fave PC troubleshooting stories as a 'normal PC user' / someone not working in the hardware/PC sector.
@Shamboopy_ 28 days ago
What he is talking about and doing is amazing. It's even more incredible to think that somewhere there is a group of engineers that thought about all of this and incorporated it.
@xj0ex39 8 days ago
That was one "intelligent" group of field engineers there bruh.
@wyron1160 8 days ago
My University professor showed this video to me. It is absolutely fascinating. I feel so confused yet so motivated. Amazing stuff!
@NKCSS 1 month ago
This has to be one of my favorite defcon vids so far. Awesome stuff!
@shapes4893 26 days ago
So far from DEF CON 32, this has been the most impressive video of reverse engineering released
@jjoonathan7178 1 month ago
Wow! Brilliant and next level persistent!
@dogbog99 1 month ago
Like all good hackers
@YoutubeHandlesAreDumb67 16 days ago
Quite interesting. It's crazy seeing Fabian being mentioned everywhere after taking one of his courses.
@R2_D3 1 month ago
35:45 The "And it's not super difficult" part cracked me up!!! 😂
@almc8445 1 month ago
Commenting for the algorithm, this is awesome af!
@mangatmangat6520 6 days ago
This is totally another world of technology and skills. Man, you are an Alien.
@samuelolaegbe2747 23 days ago
I know about hardware but this is so cool to watch! Someday I'll understand all this.
@Nordkrafts 1 month ago
So now you can get a $60 Pico instead of a $130 fancy charging cable. Props.
@hahahuhu628 1 month ago
I comment very rarely, one per several years, rofl ... but ... this guy blew my mind ... I like the way he is thinking, excellent problem-solving road map imagination
@williambrasky3891 28 days ago
This has to take the cake for most impressive presentation at this year's DEFCON. Granted, it's the first one I've so far seen, but still. It's got everything, multiple zero-days, responsible disclosure, Apple being jerks, refusal to address disclosed vulnerabilities (we just released a new chip that's not affected. Wanna be secure? Buy the new $3,000 computer), SPITE…engaged, whacky hacky shenanigans, no information, just spite, somehow convert pure spite into actual information, still tho no way this actually works, no fucking way, spite wins, it's to the buzzer but spite wins somehow, all this, plus what's got to be one of the most technically impressive h/w hacks of the year. Bravo! Unfortunately, there's absolutely going to be some serious blowback from all this. I think it just convinced me to buy a Mac. I finally get it. It's not the aesthetic or some "ecosystem" that draws ppl to Apple. It's the spite. That's not a computer. It's a 3,000 dollar motivation machine. I was blind, but now I see!
@Crazy1793 1 month ago
I didn't understand anything but I watched everything and learned something
@Office3 1 month ago
Thanks asahi for the 206
@jakobfindlay4136 1 month ago
Gotta love when someone does it with $8k of equipment then makes it work on $60 of equipment
@FOM_extras 1 month ago
he deserves literally so much
@felipecarlin8540 1 month ago
This is just wild.
@myfaveyoutube 1 month ago
The Central Scrutinizer.. first time I've seen a Frank Zappa reference in a hacking tool. Listen to Joe's Garage, it's a great album
@Dave-McRae 1 month ago
What a legend! 🎉
@FernandoGranco 1 month ago
Amazing work!
@KG4JYS 1 month ago
Ouch, $4,000 ChipShouter? Glad you did it for us. Using a $4,000 glitcher and then saving money using a HackRF instead of a scope doesn't make a ton of sense to me.
@MiesvanderLippe 1 month ago
What do you think a good scope costs? Do you think he paid full price for the other device? Could it be an academic exercise to do it the cheap way?
@BillAnt 1 month ago
It only takes one researcher to work out the signal, now you can do the same with a $60 Pico board.
@fred3965 1 month ago
He said he wants to make it more accessible; not everyone has that much to spend on specialised hardware
@grant-is 1 month ago
Did you watch to the end?
@KGIV 1 month ago
@@grant-is Of course not. Many such cases.
@Cambeast123 1 month ago
Cool use of the HackRF!! Love mine
@BHBalast 1 month ago
Impressive, just impressive!
@sudo_Ibiza 1 month ago
I am proud of you guys!... keep up doing the good work.
@FelixHartmann 1 month ago
At least a thumbs up for this effort! congratulations :)
@procrvstinvtion8479 21 days ago
This is insane. Very impressive
@Raymond23rdOBC 1 month ago
apple engineers taking notes
@alexcrouse 1 month ago
This is incredible. Fantastic work!
@Neo_AIO 1 month ago
Louis Rossmann needs to hire this guy😆
@thisaintart 1 month ago
Hah
@Einimas 1 month ago
I once tried to reverse engineer a smart fridge, but in the process a JTAG grew on the back of my head.
@NeverGiveUpYo 1 month ago
Amazing talk.
@alpha_pixel_ 1 month ago
Apple security left the chat
@sk3tchimdg3t33 1 month ago
it's impressive, like super impressive
@crlfff 1 month ago
Absolutely insane
@m.i.b7689 16 days ago
Apple are really something; they designed everything very well and also protected it with almost no vulnerabilities, great. I thought making a laptop would be easy, just put parts together, but no, they have put some serious work into it🎉
@weirdmeisterinc 1 month ago
great insights
@mactalk2871 1 month ago
brilliant work!
@martinshreder 1 month ago
Impressive
@ali2naveed 12 days ago
I had a dream to become a hacker, and watching this guy motivated me to quit.
@urban6989 1 month ago
awesome stuff!
@Avolua 3 days ago
That is cool!
@Fosgen 8 days ago
Excellence.
@downthecrop 1 month ago
Badass
@gercekbko 1 month ago
So cool.
@lovro1423 1 month ago
Amazing 🔥
@dr-deep8353 1 month ago
Music is good
@zeromant80 1 month ago
Amazing!
@silentninjabee2985 1 month ago
Thank you for your World Champion open sourcing effort! I hope you did all this research and got the MacBook refunded 😂
@andrejcupac7359 1 month ago
Why?
@seanys 6 days ago
Meanwhile, I can't even jailbreak my 10 year old iPad.
@zxljmvvmmf3024 1 month ago
lit
@mfThump 1 month ago
23:57 an apt description of tech companies
@mojoblues66 10 days ago
12:33 Apple probably doesn't consider this a security issue because it requires SIP to be disabled.
@howardalien2720 1 month ago
But can he center a div?🤔
@xanderplayz3446 1 month ago
But can he make a div slide from the right to the left of the screen and loop?
@ClosetFemboy 1 month ago
Based
@erentr7167 1 month ago
craziest shit I've ever seen
@ramnikTDM 18 days ago
daymn
@swagteck8925 1 month ago
This is awesome!
@kbwinter 29 days ago
It already comes loaded with a back door… you just don't know it yet… 😢
@anuzravat 6 hours ago
What can we do after getting JTAG on an iPhone? I don't get the impact.
@schwellhaimbassriot2660 1 month ago
maestro
@imranexltd 22 days ago
Ye was right. 😢
@harveyweizman 23 days ago
Basically what he's saying is don't buy Apple products…
@GridPB 1 month ago
The presentation is clearly not a PowerPoint, what is it made in?
@devnol 1 month ago
Apple Keynote has some really slick templates you can build upon, it might be one of those. iWork is actually pretty darn good.
@eLab43 1 month ago
In newer iPad Pros, Airs, and MacBooks, the CD chip is paired to the small ROM chip. If I need to replace the CD chip because it turned out to be bad, I cannot install a new one. I need to pull a pair of CD + ROM from another donor motherboard. Does anyone have an idea how to rewrite the ROM chip for the new CD?
@bagotaitamas 19 days ago
EEPROM programmer, either SPI or I2C. But if it has security measures like this (ACE3), a simple reprogram won't be enough. Basically you need to glitch like in the video, get past security, dump and patch internal flash to accept another CRC. I'm sure it's currently out of your reach. Also not too fast or reliable on one chip, not to talk about shops that replace multiple a day. Your easiest option is to replace the CD and flash its own ROM, but reading/writing takes longer than swapping it out too.
@eLab43 19 days ago
@ thank you!!
@orcofnbu 4 days ago
In summary, they were able to modify the software of the USB controller chip, which can create a possibility to develop devices that read data from what is plugged in, brick devices that are plugged in, or create fake devices to control the device itself. But they only have this possibility. The attack itself could take a lot of time to develop. Meanwhile, Apple might patch the current software, even hardware, to prevent this. But also, if you have enough resources, like a government, this video proves that you can develop a small device to put into some important Apple device. That device can copy the identity of a previously connected mouse or keyboard, then mimic that identity to control the device itself. These chips are not specific to Apple. I'm pretty sure these controllers got used by other manufacturers too. So understanding the hardware itself will open new possibilities to hack other manufacturers too, because most of the time device manufacturers use default firmware that is provided by the chip manufacturer.
@ViniciusMiguel1988 1 month ago
Louis Rossmann would like to know this
@sladeoss 26 days ago
What a fucking legend
@kritikusi-666 1 month ago
what a smart cookie. The zapping works on kids also. They start behaving. No questions. jk (obviously).
@arnaudj2708 1 month ago
35:29 "dumping unknown silicon is not super difficult" Hmmm... I disagree
@Hasan_OZ 26 days ago
I'm from Turkey, and if you want to buy an iPhone you have to pay $3000: 1k for the phone and the other 2k for the government, and I wish this guy could create a tool to change the IMEI number on the phone so I can use phones bought from abroad 😂
@Wierie_ 15 days ago
The grass might seem greener, but at the end of the day it's an overpriced phone with decent build quality that runs the same apps
@DontTrip-lu5hm 1 month ago
🎉
@NickIlVento 1 month ago
WOW
@ja.935g67 1 month ago
Hello this is Tim Cook, I would like to know where you live 🤣
@DMack6464 1 month ago
Do all these need auth or are these pwn methods as well?
@SpenceReam 1 month ago
RSA3072… 😂
@hashfors 1 month ago
Forced to use USB-C eyyy..
@computer_carnivore 1 month ago
Ultra 1, I'm bugging
@ronbaer67 1 month ago
So does this mean jailbroken iPhones are back on the menu?
@SamSayaz 24 days ago
I am curious too. And don't understand the full effects of this research
@geteilt 1 month ago
He keeps saying "you know" but I actually have no clue. Does the audience also just.. you know… know?
@p4rk5h 1 month ago
So basically they followed the Qualcomm way of entering Recovery (which uses the Qualcomm QuickCharge negotiation process)
@nd.c.1098 20 days ago
I only understood the first 5 mins...haha
@bloxycola8272 1 month ago
I wanna learn hardware hacking
@deoxal7947 1 month ago
I wish there was a way to root Androids by opening it up and connecting to the JTAG pins
@IDontModWTFz 1 month ago
That's pointless seeing as they allow modification. KernelSU is possibly the easiest and safest at the moment
@deoxal7947 1 month ago
@@IDontModWTFz No they don't. Select phones allow unlocking the bootloader.
@deoxal7947 1 month ago
@@IDontModWTFz Asus charges you now. I bought a phone from them and they removed the ability to unlock it entirely. kzbin.info/www/bejne/r5vdZ6tjjtx8ZpI Samsungs only work if you get the Exynos chipset, which is for Europe, is what I keep reading. I keep asking what phones allow bootloader unlocking besides Pixels in the US and no one can ever give me an answer.
@MuffinTastic 1 month ago
@@deoxal7947 OnePluses like the OP12, Nothing phones, and several others have unlockable bootloaders. I specifically chose my OP12 because it had an overlap of essential features for me and that was one of them
@arjix8738 1 month ago
@@deoxal7947 don't Xiaomis allow unlocking the bootloader globally?
@myusuuf 23 days ago
Stacksmashing sounds like sexmachine at first
@codefor69 1 month ago
Wow, this is so frightening
@SickHedgehog777 1 month ago
$60? should've said 59.99 and weaved in some cool words like Jobs used to do :D