Available only on TrabalhosFeitos
  • Pages: 19 (4547 words)
  • Downloads: 0
  • Published: 12 November 2012
Text sample
Evolution of the iPhone Baseband and Unlocks
@MuscleNerd, iPhone Dev Team
Hack in the Box, Amsterdam, May 24, 2012

1
Thursday, May 24, 2012

My background
• Member of iPhone Dev Team
• http://blog.iphone-dev.org (133 million visits to date!)
• Initially just interested in baseband, but now also maintain and extend “redsn0w” jailbreak utility
  • custom ramdisks, blob stitching, downgrades, etc
• Tech editor for iOS Hacker’s Handbook by Miller, Blazakis, DaiZovi, Esser, Iozzo, Weinmann (2012)

General BB environment
• Communication with BB is via UART, internal USB or cellular
• There’s little independent monitoring and control of its embedded OS in production mode -- can be hard to trigger, detect, and analyze crashes
• Similar to exploiting bootrom in DFU mode, when direct feedback is limited or delayed
• However, as the BB is crashing, it saves a limited crash report into its NVRAM which can be retrieved after the subsequent reboot


3G/3GS BB crash log
System Stack: 0x406AE300 0x00000008 0x40245C90 0x40322284 0x40442F00 . . . . . . . . . 0x4032180C 0x2014E055
Date: 18.06.2011 Time: 06:49
Register:
r0:  0x00000000  r1:  0x00000000  r2:  0xFFFF2318
r3:  0x00000001  r4:  0x34343434  r5:  0x35353535
r6:  0x35353535  r7:  0x50505050  r8:  0x00000000
r9:  0x00000000  r10: 0x406AD320  r11: 0x406B3320
r12: 0xFFFFFDF8  r13: 0x406AE318  r14: 0x201C0A75
r15: 0x50505050
SPSR: 0x40000013  DFAR: 0xFFFFFFDF  DFSR: 0x00000005

iPhone4 BB crash log
Trap Class: 0xBBBB (HW PREFETCH ABORT TRAP)
Date: 27.06.2010 Time: 21:21:09
Magic: 55809
Task name: atc:1
System Stack: 0x00000000 0x00000000 0x00000000 0x0009D0A8 0x00000002 0x00000001 . . . . . . . . . 0x00000000 0x00000000
Fault registers: DFAR: 0x00000000  IFAR: 0x50505050
                 DFSR: 0x00000000  IFSR: 0x00000005
r15: 0x5050504C  CPSR: 0x400001D7
FIQ Mode registers:   r8:  0x90B0C9A1  r9:  0x9D0C8303  r10: 0x44309330  r11: 0x918ABD44
                      r12: 0x428206C4  r13: 0x60BDDE10  r14: 0x970583DF  SPSR: 0x00000010
SVC Mode registers:   r13: 0x72883C50  r14: 0x601DBFED  SPSR: 0x20000053
IRQ Mode registers:   r13: 0xFFFF2F20  r14: 0x601EA118  SPSR: 0x60000053
Abort Mode registers: r13: 0x0009B9C0  r14: 0x50505054  SPSR: 0x40000053
System/User Mode registers: r0:  0x00000000  r1:  0x00000000  r2:  0x00000000
                            r3:  0x00000001  r4:  0x34343434  r5:  0x35353535
                            r6:  0x35353535  r7:  0x50505050  r8:  0x00000000
                            r9:  0x00000000  r10: 0x72881000  r11: 0x00000000
                            r12: 0x601AF047  r13: 0xFFFF3B00  r14: 0x6CB91B48

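The two NVRAM crash reports above are the only feedback the slides describe getting out of a crashed baseband, so the first job on retrieving one is to turn the raw text into something a person can reason about: which mode the core was in, what kind of abort fired, on which address, and which registers still hold a repeated-byte fill like the 0x50505050 and 0x34343434 values visible in both logs. The following Python parser and triage helper is an added example, not code from the talk or from the iPhone Dev Team. The sample text is the two slides' own values re-flowed one "name: value" pair per line (with the SVC/IRQ banks left out of the second sample to keep it short); the DFSR/IFSR fault-status and CPSR/SPSR mode decodings come from the ARM architecture manual and are this example's assumption, as the slides decode nothing; the "core" section name and the rule that a blank line ends a register bank are conventions of this script only.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples: the two reports on the slides above, re-flowed so each "name: value"
# pair sits on one line. Values are the slides' own; "..." marks stack words the slides
# elided; the blank line in CRASH_4 and the omitted SVC/IRQ banks are layout choices made here.
CRASH_3G = """System Stack: 0x406AE300 0x00000008 0x40245C90 0x40322284 0x40442F00 ... 0x4032180C 0x2014E055
Date: 18.06.2011 Time: 06:49
Register:
r0: 0x00000000 r1: 0x00000000 r2: 0xFFFF2318 r3: 0x00000001 r4: 0x34343434 r5: 0x35353535 r6: 0x35353535 r7: 0x50505050
r8: 0x00000000 r9: 0x00000000 r10: 0x406AD320 r11: 0x406B3320 r12: 0xFFFFFDF8 r13: 0x406AE318 r14: 0x201C0A75 r15: 0x50505050
SPSR: 0x40000013 DFAR: 0xFFFFFFDF DFSR: 0x00000005
"""

CRASH_4 = """Trap Class: 0xBBBB (HW PREFETCH ABORT TRAP)
Date: 27.06.2010 Time: 21:21:09
Task name: atc:1
System Stack: 0x00000000 0x00000000 0x00000000 0x0009D0A8 0x00000002 0x00000001 ... 0x00000000 0x00000000
Fault registers: DFAR: 0x00000000 IFAR: 0x50505050 DFSR: 0x00000000 IFSR: 0x00000005

r15:0x5050504C CPSR: 0x400001D7
FIQ Mode registers: r8: 0x90B0C9A1 r9: 0x9D0C8303 r10: 0x44309330 r11: 0x918ABD44 r12: 0x428206C4 r13: 0x60BDDE10 r14: 0x970583DF SPSR: 0x00000010
Abort Mode registers: r13: 0x0009B9C0 r14: 0x50505054 SPSR: 0x40000053
System/User Mode registers: r0: 0x00000000 r1: 0x00000000 r2: 0x00000000 r3: 0x00000001 r4: 0x34343434 r5: 0x35353535 r6: 0x35353535 r7: 0x50505050 r8: 0x00000000 r9: 0x00000000 r10: 0x72881000 r11: 0x00000000 r12: 0x601AF047 r13: 0xFFFF3B00 r14: 0x6CB91B48
"""

# FS[3:0] of DFSR/IFSR in the ARM short-descriptor encoding: my decode, the slides give none.
FAULT_STATUS = {0x1: "alignment fault", 0x5: "translation fault (section)",
                0x7: "translation fault (page)", 0x9: "domain fault (section)",
                0xB: "domain fault (page)", 0xD: "permission fault (section)",
                0xF: "permission fault (page)", 0x8: "external abort"}
PSR_MODES = {0x10: "USR", 0x11: "FIQ", 0x12: "IRQ", 0x13: "SVC", 0x17: "ABT", 0x1B: "UND", 0x1F: "SYS"}  # M[4:0]

PAIR_RE = re.compile(r"\b(r\d{1,2}|SPSR|CPSR|DFAR|DFSR|IFAR|IFSR):\s*(0x[0-9A-Fa-f]{1,8})")
SECTION_RE = re.compile(r"^([A-Za-z/ ]*?[Rr]egisters?):\s*(.*)$")
META_RE = re.compile(r"(Trap Class|Date|Time|Magic|Task name):\s*(\S+(?: \(.*?\))?)")


@dataclass
class CrashReport:
    meta: Dict[str, str] = field(default_factory=dict)
    stack: List[int] = field(default_factory=list)
    regs: Dict[str, Dict[str, int]] = field(default_factory=dict)  # bank -> register -> value


def parse_crash_report(text: str) -> CrashReport:
    rep, section = CrashReport(), "core"  # "core": registers listed outside any "... registers:" bank
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = "core"  # a blank line closes the current bank
            continue
        if line.startswith("System Stack:"):
            rep.stack = [int(w, 16) for w in re.findall(r"0x[0-9A-Fa-f]{8}", line)]
            continue
        meta = META_RE.findall(line)
        if meta:
            rep.meta.update(dict(meta))
            continue
        m = SECTION_RE.match(line)
        if m:
            section, line = m.group(1), m.group(2)
        for name, val in PAIR_RE.findall(line):
            rep.regs.setdefault(section, {})[name] = int(val, 16)
    return rep


def find_reg(rep: CrashReport, name: str) -> Optional[int]:
    # Banks a summary reads from, most specific first (3G/3GS logs use a single "Register:" bank).
    for sec in ("core", "Register", "Fault registers", "System/User Mode registers"):
        if name in rep.regs.get(sec, {}):
            return rep.regs[sec][name]
    return None


def is_fill_pattern(v: int) -> bool:
    """True when all four bytes are the same non-zero byte, e.g. 0x50505050 ('PPPP')."""
    return v != 0 and v == (v & 0xFF) * 0x01010101


def triage(rep: CrashReport) -> Dict[str, object]:
    pc = find_reg(rep, "r15")
    psr_src = "CPSR" if find_reg(rep, "CPSR") is not None else "SPSR"
    psr = find_reg(rep, psr_src)
    ifsr, dfsr = find_reg(rep, "IFSR") or 0, find_reg(rep, "DFSR") or 0
    # Prefetch aborts report through IFSR/IFAR, data aborts through DFSR/DFAR (3G/3GS logs only the latter).
    if ifsr:
        kind, status, addr = "instruction fetch", ifsr, find_reg(rep, "IFAR")
    else:
        kind, status, addr = "data access", dfsr, find_reg(rep, "DFAR")
    return {
        "trap": rep.meta.get("Trap Class", "not recorded"),
        "pc": pc,
        "mode": f"{PSR_MODES.get(psr & 0x1F, 'unknown') if psr is not None else 'unknown'} ({psr_src})",
        "fault_kind": kind,
        "fault_status": FAULT_STATUS.get(status & 0xF, "unknown status"),
        "fault_addr": addr,
        # Registers still holding a repeated-byte fill: does the crash state carry the input bytes that reached the BB?
        "pattern_regs": sorted(f"{sec}/{n}" for sec, regs in rep.regs.items()
                               for n, v in regs.items() if is_fill_pattern(v)),
        "pc_is_fill_pattern": pc is not None and is_fill_pattern(pc),
    }
```

Run `triage(parse_crash_report(CRASH_4))` and the result reads as a prefetch abort taken in Abort mode (CPSR mode bits 0x17) on a translation fault at 0x50505050, with r15 one word short of that fill value and r4..r7 of the user bank still holding the '4', '5' and 'P' fills; the 3G/3GS log decodes to a data-side translation fault at 0xFFFFFFDF with r15 itself equal to the fill. Keeping the bank name in every register key matters on the iPhone 4 format, where r13/r14 exist per mode and the SVC, IRQ and Abort copies all mean different things.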

General BB environment
• Large portions of BB are executed from flash addresses
  • Those code segments are not modifiable while BB is running (simply by virtue of being flash, which requires erase cycles)
  • There’s no need for ASLR, or W^X checks in flash space
  • Much smaller partitions of BB flash are writeable (nvram and secpack) but that’s for data, not code
• Scatter loading relocates various code+data up to RAM
  • Especially code that’s called frequently (reduces execution time due to lower latency of RAM vs...