HITBSecConf has posted abstracts for upcoming presentations by the iPhone 'Dream Team' of hackers on Corona, Absinthe, and Unlocking.
MuscleNerd (@musclenerd), Joshua Hill (@p0sixninja), Cyril (@pod2g), Nikias Bassen (@pimskeks), and David Wang (@planetbeing) will be presenting.
You can read the abstracts of their presentations below or hit the link to learn more about the conference that takes place May 21-25th in Amsterdam.
Read More [via MuscleNerd]
-----
Evolution of the iPhone Baseband and Unlocks
MuscleNerd (@musclenerd)
Since the first iPhone in 2007, the baseband that Apple uses for cellular communications has evolved in terms of both hardware and software. Some of the changes were minor but others were quite drastic and obviously aimed at deterring carrier unlocks. This paper details the most interesting of the changes and what effects they've had on both software-based unlocks and hardware-based SIM interposers. In addition to comparing the most recent baseband against its own earlier hardware and software incarnations, we compare it to other current Qualcomm handsets and discuss the ramifications of changes Apple has made to the traditional Qualcomm baseband boot sequence. This presentation will cover:
Baseband ROP: Overview of the role ROP plays in software unlocks like yellowsn0w and ultrasn0w. Comparison to ROP on the main Application-side CPU (jailbreaks). Why ROP wasn't even necessary on the first generation of iPhones.
Software Unlocks vs. Hardware Unlocks: How iPhone software unlocks differ from those using hardware SIM interposers. Which layers of the baseband are exposed to each, and how the exploit development environment differs. Description of even more radical hacks like baseband chipset retrofitting and what Apple has done to prevent them.
iPhone4 DEP: How Apple implemented DEP with specific hardware changes on the iPhone4 baseband, and what went wrong. How ultrasn0w was made to work despite aggressive hardware-based DEP.
Operating Systems: So far, Apple has used 3 completely different baseband operating systems in the iPhone line. Description of which parts Apple tends to customize and why. Comparison of past and present custom command parsing.
Infineon vs. Qualcomm: Discussion of the transition from Infineon baseband chipsets to Qualcomm chipsets. Comparison of the older serial-based AT interface (still used on many other handsets) to the USB-based QMI used by the iPhone4S.
Activation Tickets: Detailed description of the "activation ticket" Apple uses to authorize use with specific (or all) carriers. How activation tickets interact with the traditional PIN-based NCK codes. Contrasting activation tickets and baseband tickets.
Baseband Tickets: Details on how Apple authenticates software updates to the baseband. Comparison of baseband tickets to "ApTickets" that Apple now uses on the main Application CPU to control software changes. Why baseband tickets provide even strong protection than ApTickets. The role of nonces in both the baseband and main application CPU.
iPhone4S: What we've learned so far about the iPhone4S baseband. Overview of changes Apple has made to the original Qualcomm bootrom. How the iPhone4S baseband boot process differs from most other Qualcomm-based handsets. Which features the iPhone4S baseband has in common with other handsets and which have been removed. Description of the current attack surfaces, and comparing iPhone4 vs iPhone4S hardware-based protection mechanisms.
-----
Part 1: Corona Jailbreak for iOS 5.0.1
Joshua Hill (@p0sixninja), Cyril (@pod2g) & Nikias Bassen (@pimskeks)
GreenPois0n Absinthe was built upon @pod2g's Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on for the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.
Corona is an acronym for "racoon", which is the primary victim for this attack. A format string vulnerability was located in racoon's error handling routines, allowing the researchers to write arbitrary data to racoon's stack, one byte at a time, if they can control racoon's configuration file. Using this technique researchers were able to build a ROP payload on racoon's stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.
The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad2 and iPhone 4S, which weren't exploitable to LimeRa1n, so another injection vector was needed.
-----
Part 2: Absinthe Jailbreak for iOS 5.0.1
Joshua Hill (@p0sixninja), Cyril (@pod2g), David Wang (@planetbeing) & Nikias Bassen (@pimskeks)
Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the vpn configuration in the iPhone settings app.
Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an 'include' command into the configuration to load commands from an outside controllable source that also conforms to racoon's sandbox restrictions. Only one file was located that is allowed by racoon's sandbox profile and is also writable from outside, in this case using the mobile backup protocol.
Now that we found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. ASLR bypass was trivial, since dynamic linker cache slide is only updated once every reboot, using an otherwise useless NULL pointer dereference bug and the ability to read crashreports off the device allowed easy calculation for input to @pod2g ROP generation code.
Sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by sandbox and get it to do our bidding. Some mach ninja from @planetbeing allowed us to inject data reliable onto another process's stack and using debugging apis we were able to jump into crafted ROP payload within that process which then proceeded to use launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to perform the mounting of our rogue HFS image and perform the final kernel exploit hassle free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
-----
MuscleNerd (@musclenerd), Joshua Hill (@p0sixninja), Cyril (@pod2g), Nikias Bassen (@pimskeks), and David Wang (@planetbeing) will be presenting.
You can read the abstracts of their presentations below or hit the link to learn more about the conference that takes place May 21-25th in Amsterdam.
Read More [via MuscleNerd]
-----
Evolution of the iPhone Baseband and Unlocks
MuscleNerd (@musclenerd)
Since the first iPhone in 2007, the baseband that Apple uses for cellular communications has evolved in terms of both hardware and software. Some of the changes were minor but others were quite drastic and obviously aimed at deterring carrier unlocks. This paper details the most interesting of the changes and what effects they've had on both software-based unlocks and hardware-based SIM interposers. In addition to comparing the most recent baseband against its own earlier hardware and software incarnations, we compare it to other current Qualcomm handsets and discuss the ramifications of changes Apple has made to the traditional Qualcomm baseband boot sequence. This presentation will cover:
Baseband ROP: Overview of the role ROP plays in software unlocks like yellowsn0w and ultrasn0w. Comparison to ROP on the main Application-side CPU (jailbreaks). Why ROP wasn't even necessary on the first generation of iPhones.
Software Unlocks vs. Hardware Unlocks: How iPhone software unlocks differ from those using hardware SIM interposers. Which layers of the baseband are exposed to each, and how the exploit development environment differs. Description of even more radical hacks like baseband chipset retrofitting and what Apple has done to prevent them.
iPhone4 DEP: How Apple implemented DEP with specific hardware changes on the iPhone4 baseband, and what went wrong. How ultrasn0w was made to work despite aggressive hardware-based DEP.
Operating Systems: So far, Apple has used 3 completely different baseband operating systems in the iPhone line. Description of which parts Apple tends to customize and why. Comparison of past and present custom command parsing.
Infineon vs. Qualcomm: Discussion of the transition from Infineon baseband chipsets to Qualcomm chipsets. Comparison of the older serial-based AT interface (still used on many other handsets) to the USB-based QMI used by the iPhone4S.
Activation Tickets: Detailed description of the "activation ticket" Apple uses to authorize use with specific (or all) carriers. How activation tickets interact with the traditional PIN-based NCK codes. Contrasting activation tickets and baseband tickets.
Baseband Tickets: Details on how Apple authenticates software updates to the baseband. Comparison of baseband tickets to "ApTickets" that Apple now uses on the main Application CPU to control software changes. Why baseband tickets provide even strong protection than ApTickets. The role of nonces in both the baseband and main application CPU.
iPhone4S: What we've learned so far about the iPhone4S baseband. Overview of changes Apple has made to the original Qualcomm bootrom. How the iPhone4S baseband boot process differs from most other Qualcomm-based handsets. Which features the iPhone4S baseband has in common with other handsets and which have been removed. Description of the current attack surfaces, and comparing iPhone4 vs iPhone4S hardware-based protection mechanisms.
-----
Part 1: Corona Jailbreak for iOS 5.0.1
Joshua Hill (@p0sixninja), Cyril (@pod2g) & Nikias Bassen (@pimskeks)
GreenPois0n Absinthe was built upon @pod2g's Corona untether jailbreak to create the first public jailbreak for the iPhone 4S and iPad 2 on for the 5.0.1 firmware. In this paper, we present a chain of multiple exploits to accomplish sandbox breakout, kernel unsigned code injection and execution that result in a fully-featured and untethered jailbreak.
Corona is an acronym for "racoon", which is the primary victim for this attack. A format string vulnerability was located in racoon's error handling routines, allowing the researchers to write arbitrary data to racoon's stack, one byte at a time, if they can control racoon's configuration file. Using this technique researchers were able to build a ROP payload on racoon's stack to mount a rogue HFS volume that injects code at the kernel level and patch its code-signing routines.
The original Corona untether exploit made use of the LimeRa1n bootrom exploit as an injection vector, to allow developers to disable ASLR and sandboxing, and call racoon with a custom configuration script. This however left it unusable for newer A5 devices like the iPad2 and iPhone 4S, which weren't exploitable to LimeRa1n, so another injection vector was needed.
-----
Part 2: Absinthe Jailbreak for iOS 5.0.1
Joshua Hill (@p0sixninja), Cyril (@pod2g), David Wang (@planetbeing) & Nikias Bassen (@pimskeks)
Shortly after the release of Corona, @xvolks came to @pod2g with an interesting observation. He noticed it was possible to inject format strings into racoon through the vpn configuration in the iPhone settings app.
Unfortunately, the injection was limited to only 254 characters, and besides that racoon was also heavily sandboxed. @p0sixninja came up with the solution of injecting an 'include' command into the configuration to load commands from an outside controllable source that also conforms to racoon's sandbox restrictions. Only one file was located that is allowed by racoon's sandbox profile and is also writable from outside, in this case using the mobile backup protocol.
Now that we found a way to inject a payload of any size, our next two biggest challenges were to bypass ASLR and the sandbox. ASLR bypass was trivial, since dynamic linker cache slide is only updated once every reboot, using an otherwise useless NULL pointer dereference bug and the ability to read crashreports off the device allowed easy calculation for input to @pod2g ROP generation code.
Sandbox bypass was a little less trivial and involved new exploits deep in the bowels of the XNU kernel. The idea presented by @p0sixninja was to use the debugging system calls to attach to an outside process not contained by sandbox and get it to do our bidding. Some mach ninja from @planetbeing allowed us to inject data reliable onto another process's stack and using debugging apis we were able to jump into crafted ROP payload within that process which then proceeded to use launchctl to re-execute racoon (without ASLR and without racoon's sandbox container) to perform the mounting of our rogue HFS image and perform the final kernel exploit hassle free. After the kernel was exploited and patched, it was just a matter of moving the Corona untethered exploit files into place to be executed on each boot.
-----