iPhone BootROM vulnerability description and threat assessment

ID MYHACK58:62201996159
Type myhack58
Reporter Anonymous
Modified 2019-10-06T00:00:00


0x00 Related vocabulary

AP: application processor.

SEP: security coprocessor.

SecureROM: also known as the BootROM. It is code burned into a read-only area of the iPhone. This code is the starting point of the boot chain and of the chain of trust, and is mainly responsible for loading the subsequent stages of the boot chain. It cannot be updated through a system update, so a security problem in this code has a very large and lasting impact, and can only be fixed by recalling the devices. For the specific functions of the SecureROM, see the author's earlier article of SecureROM analysis notes.

GID: an AES key burned into the iPhone's encryption engine. All devices of the same model share the same key; for example, every iPhone X has the same key. The key is used to decrypt the system update firmware. The SEP has its own independent GID, different from the AP's.

UID: an AES key burned into the iPhone's encryption engine, but each phone has a different UID. The UID is mainly used to encrypt and decrypt user-related data. The SEP has its own independent UID, different from the AP's.

0x01 Cause of the event

On the morning of September 28, Beijing time, the foreign security researcher @axi0mX disclosed an iPhone BootROM vulnerability on Twitter [1], together with the related exploit code [2]. As @axi0mX mentioned in the tweets [3], in the 9 years since 2010 this is the first publicly disclosed exploitable BootROM vulnerability for 64-bit Apple devices.

The jailbreak community has long been in a "struggle" with Apple device security, and as Apple keeps improving the iPhone's security, jailbreaking has become increasingly difficult. A BootROM exploit can be used to jailbreak not only the current latest iOS version but also future iOS versions, because a hardware vulnerability cannot be patched through a system update. The vulnerability has therefore caused a huge stir in the jailbreak community.

0x02 Affected devices

All devices from the iPhone 4s to the iPhone X are affected, as are the iPad devices produced during the same period.

0x03 Cause of the vulnerability

@axi0mX found this vulnerability through binary diffing [4], while @littlelailo independently found it through code audit [5]. @littlelailo has described the cause of the vulnerability and the approach to exploiting it [6][7]. Since @littlelailo has already explained the cause very clearly, it is not repeated here; what follows is a direct machine translation of @littlelailo's description. "Image" below does not mean a picture; it refers to an img4 firmware file.

This bug was also called Moonshine in the beginning. Basically, the following bug is present in all the bootroms I have looked at:

1. When USB is started to get an image over dfu, dfu registers an interface to handle all commands and allocates a buffer for input and output.
2. If you send data to dfu, the setup packet is handled by the main code, which then calls the interface code.
3. The interface code verifies that wLength is shorter than the input/output buffer length; if so, it updates the pointer passed as a parameter with a pointer to the input/output buffer.
4. It then returns wLength, which is the length it wants to receive into the buffer.
5. The USB host code then uses the length to update a global variable and gets ready to receive the data packets.
6. If a data packet is received, it is written to the input/output buffer through the pointer passed as a parameter, and another global variable is used to keep track of how many bytes have already been received.
7. Once all the data has been received, the dfu-specific code is called again, and it then copies the contents of the input/output buffer to the location from which the image is later booted.
8. After that, the USB code resets all the variables and goes on to handle new packets.
9. If dfu exits, the input/output buffer is freed, and if parsing of the image fails, the bootrom re-enters dfu.

Exiting dfu can be done either by sending a dfu abort packet or by triggering parsing with a USB reset.

Problem: in step 5 the global variables are updated and the bootrom is ready to receive data, but using a cheap controller (an Arduino host controller or something similar) you can violate the USB specification and not send any. Then you can trigger a USB reset to trigger image parsing. If the parsing fails, the bootrom enters dfu again, but step 8 was not performed, so the global variables still contain all their values. However, step 9 was performed, so the input/output buffer is freed while the pointer passed as a parameter in step 3 still points to it. Therefore, you can easily trigger a write to the freed buffer by sending data to the device.

Exploitation on A8:

1. Send 0x40 of random data to dfu; this data must be sent, otherwise you will not be able to exit dfu using a USB reset: ctrlReq(bmRequestType = 0x21, bRequest = 1, wLength = 0x40)
2. Put dfu into the state where it is waiting for a USB reset by sending ctrlReq(0x21,1,0) ctrlReq(0xa1,3,1) ctrlReq(0xa1,3,1) ctrlReq(0xa1,3,1) ctrlReq(0xa1,3,1) (ipwndfu dfu.py)
3. Send only a setup packet with bmRequestType 0x21, bRequest 1 and a wLength of the payload size; this packet will update the global variables.
4. Send a status packet to mark the end of the control transfer; even though wLength is set to a value, the data stage is skipped.
5. Trigger a bus reset.
6. Wait for the device to re-enter dfu; the input/output buffer will now be released, and the released buffer is assigned to the usb task.
7. Send a set configuration request ctrlReq(bmREQ_SET, USB_REQUEST_SET_CONFIGURATION, wLength = Payloadsize), but send the payload together with it as the data phase (the set configuration handler in the bootrom ignores wLength).

The payload will overwrite the usb task structure, and the next allocation after it will be the usb stack. By targeting the linked list in the usb task structure, you can insert a forged task. And you can use the usb task stack as temporary storage space, because it looks like it will never be written to that high. It will be spawned when dfu exits and the usb task stops. Therefore, you can send the dfu abort packet after step 7 and with that get code execution with all the higher registers controlled, because your fake task will be added to the list and run at a later time.

- 31.05.19 lailo
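
The state-handling flaw behind steps 5, 8 and 9 of the description above can be shown with a small model. This is an added example, not code from the original post, from ipwndfu or from the BootROM: every name and size is hypothetical, the heap is replaced by a liveness flag and an allocation counter so nothing is ever written out of bounds, and the `hardened` path (clearing the transfer state on dfu exit) is one possible mitigation assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IO_BUF_LEN 0x800             /* constructed size, not a BootROM value */
static uint8_t  io_slot[IO_BUF_LEN]; /* toy heap: one slot, no real free() */
static int      io_live;             /* 1 while the DFU buffer is allocated */
static unsigned io_gen;              /* bumped on every allocation */
/* USB core globals from steps 3, 5 and 6 (all names are hypothetical) */
static uint8_t *ep0_dst;             /* pointer returned by the DFU interface */
static unsigned ep0_gen;             /* allocation that ep0_dst came from */
static size_t   ep0_expected, ep0_received;

static void dfu_enter(void) { io_live = 1; io_gen++; }           /* step 1 */
static void usb_clear(void) { ep0_dst = NULL; ep0_expected = ep0_received = 0; }

static void usb_setup(size_t wLength) {                          /* steps 2-5 */
    if (wLength > IO_BUF_LEN) return;
    ep0_dst = io_slot; ep0_gen = io_gen;
    ep0_expected = wLength; ep0_received = 0;
}

/* Step 6: 1 = stored, 0 = ignored, -1 = write aimed at a released buffer */
static int usb_data(const uint8_t *p, size_t n) {
    if (!ep0_dst || ep0_received + n > ep0_expected) return 0;
    if (!io_live || ep0_gen != io_gen) return -1; /* model reports, never writes */
    memcpy(ep0_dst + ep0_received, p, n);
    ep0_received += n;
    if (ep0_received == ep0_expected) usb_clear();               /* steps 7-8 */
    return 1;
}

/* Step 9; the hardened variant also clears the transfer state on exit */
static void dfu_exit(int hardened) { io_live = 0; if (hardened) usb_clear(); }

/* Setup without data phase, exit after failed parse, re-enter, late data */
int late_data_after_reentry(int hardened) {
    uint8_t pkt[0x40] = {0};
    usb_clear(); dfu_enter();
    usb_setup(sizeof pkt);       /* step 5 done, data phase never arrives */
    dfu_exit(hardened);          /* step 9 runs, step 8 did not */
    dfu_enter();                 /* bootrom re-enters dfu, new allocation */
    return usb_data(pkt, sizeof pkt);
}

int main(void) {
    printf("as described: %d, hardened: %d\n", late_data_after_reentry(0), late_data_after_reentry(1));
    return 0;
}
```

A return of -1 means the late data packet would have been copied through a pointer into the old, released allocation; with the state cleared on exit the same packet is simply ignored.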

0x04 Capabilities and threat assessment

Exploitation constraint: the device needs to be put into DFU (Device Firmware Upgrade) mode.

Capabilities the vulnerability and its exploit currently provide:

1. Arbitrary code execution in the BootROM.
2. Enabling the CPU's hardware debugging capability (JTAG).
3. Encryption and decryption using the AP's GID.
4. Encryption and decryption using the AP's UID.

Arbitrary code execution and CPU-level debugging

The BootROM is the start of the iPhone's chain of trust, so arbitrary code execution in the BootROM means the iPhone's entire boot chain of trust is broken. It can ultimately be used to load a modified iOS kernel, undermining the underlying security features of iOS. This capability will mainly be used for jailbreaking, where "jailbreak" refers to the capabilities a jailbreak brings, not only to the act of escaping. The CPU-level debugging capability will mainly be used to analyze the iPhone's secure boot chain and to debug related vulnerabilities and their exploitation.

Encryption and decryption using the AP GID

The ability to encrypt and decrypt with the AP GID will mainly be used to decrypt iPhone firmware, breaking the encapsulation protection Apple applies to the relevant components, so that the security of the relevant modules can be assessed. The following is the firmware password decrypted using this capability:
