Jevin Sweval Apple Presentation
Jevin Sweval Apple Presentation
Jevin Sweval Apple Presentation
Jevin Sweval
For Apple Inc.
2018-12-06
About Me
• Worked at Arxan Technologies for six years
• Research Team
• I use LIEF in this example but wrote a freestanding Mach-O and ELF
parser in C++ at Arxan that avoided heap allocations and never left
the target symbols as plaintext in memory
😈
A Fun Heisenbug
• Customer reports protected app rebooting phones
• Instrumenting app with logging and tracing would usually make the issue disappear
• Nothing found by digging around LLVM source, even Apple FOSS releases
• Using Xcode clang to assemble asm xes the issue. Di erences in bitcode between
FOSS and Xcode determined not to matter
• Further reversing reveals that the above transformation is the complete erratum
workaround
• Still not part of open source LLVM/Clang releases today. Unsure if App Store
checks ever started looking for this DoS.
fl
fi
ff
Tegra Bootrom Exploitation
// If this is asking for the DEVICE's status, respond accordingly.
if(setup_packet.recipient == RECIPIENT_DEVICE) {
status = get_usb_device_status();
size_to_tx = sizeof(status);
}
// Otherwise, respond with the ENDPOINT status.
else if (setup_packet.recipient == RECIPIENT_ENDPOINT){
status = get_usb_endpoint_status(setup_packet.index);
size_to_tx = length_read; // <-- This is a critical error!
}
• Ported Tegra X1 bootrom exploit originally developed for Nintendo Switch to Denver
(Nexus 9), 3 (Nexus 7, Honda CRV, Tesla Model S), 2 (Asus TF101, WIP)
• Debugging di cult, lack of UART, use reboot to signal success, store values in
always-on PMGR registers and SRAM that survive reset
• Teams spent much time dumping bootrom. It turns out Nvidia reused bootrom code
in miniloaders (think iBEC) that are publicly available and contain the same
vulnerability
• Working on two phased attack where the payload loaded to SRAM, bootrom
manipulated to reset SoC, then exploit the vulnerability using payload persisted in
SRAM from rst phase
• Working on Tegra support in QEMU to discover a method to reset SoC after payload
loading
ff
ff
fi
ffi
fi
Tegra Bootrom Exploitation
• Tegra uses an SBK encrypted (later encrypted + RSA signed) “warmboot
blob” to restore PLLs / DRAM peripherals after waking from deep sleep
• The warmboot blob header speci es the address for the bootrom to load
it into SRAM
• Load address is not checked! Set load address before bootrom stack
and overwrite return address to return to custom payload in blob
• NOP out SBK key disable in Asus TF101 aboot bootloader to enable
encryption of exploit warmboot blob, then overwrite original blob with
properly encrypted exploit blob
• Header contained some key but not the key fed to RC4
• Trace every instruction executed and memory accessed during that subroutine
• From traces, all code and data tables (27.5 KB total) used in whitebox were
identi ed and lifted to source form
• With a Python script to search and download encrypted art, I was able to decrypt it
using my code lifted whitebox that now ran on any platform
fi
iTunes Album Art Whitebox Crypto
iTunes Album Art Whitebox Crypto
iTunes Album Art Whitebox Crypto
• After getting hired at Arxan and learning about their whitebox
product, I became interested in extracting the normal AES keys
• Last month I revisited the topic and used the newer JeanGrey
tool to perform a DFA attack
• My 2016 CPA attempts were on the right track, the odd key
bytes were indeed correct
fi
FairPlay App Binary DRM
• As part of the ENABLE_BITCODE project at Arxan, I investigated
using Apple’s existing code signing as an alternative for requiring
a post-linker step that hashed compiled code
• Decrypted all 0 key/IV/PT with all 3 bit bit ips of all zero
scrambler bu er and recorded PTs