iOS 10 update

Postby backendbilly » Tue Jun 14, 2016 2:01 am

Hey J,

Can you shed some light on your latest findings from iOS 10? I noticed from Twitter you've been having various heartbeats with new discoveries. I'm also hoping to know if the trolls with respect to an unlockable boot loader, rootfs coming decrypted, etc. are actually true. Any info on the security features would be great.

Thanks

Billy

Re: iOS 10 update

Postby morpheus » Tue Jun 14, 2016 3:30 am

The heartbeat was sarcastic, because the WWDC keynote was SO disappointing. But then, the other heartbeat was very, very real.

Per your questions:

- an unlockable boot loader: Fake. Apple ain't that stupid, are they? Don't believe just anything you hear from German sources.

- rootfs will come decrypted: True. Maybe Apple IS that stupid? Honestly, that's not the biggy. The biggy is kernelcache. And KPP.

- Any info on the security features would be great: KPP is now wide open. Sandbox, AMFI enhanced plenty. Lots of hardening.

I'll post a follow-up to my past two years' "notes from" series. Let me digest this. Needless to say it's all going to be in MOXiI. Note also the updated announcement at http://NewOSXBook.com/2ndUpdate.html

Re: iOS 10 update

Postby rohitwas » Tue Jun 14, 2016 5:42 am

Hi J,
Could you add a little bit more on this KPP thing -> secure monitor/hyperv/watchtower?? The Mach-O at an offset within the kernelcache where, among other things, there was KPP enforcement. I am kind of confused by all the different terms. My understanding is a Mach-O within the kernelcache runs at a different ARM TrustZone level and enforces KPP?

Also, I know this isn't the proper thread for this, but I just wanted to quickly point out, since we are talking about things iOS 10: I decompressed the kernelcache using lzssdec and then ran joker on it (compiled May 3rd 2016) and it segfaulted :\

I ran "joker decompressed_kernelcache.release.n61" (the kernelcache decompressed correctly because jtool works perfectly and doesn't complain)

I think it has to do with the following line from the source

Code: Select all
if (!sysent && is64)
   {
      /* MachOGetSection: an internal/closed-source call?? Anyway it returns 0 for some reason;
         I didn't RE MachOGetSection because I didn't know if it was OK or not! */
      struct section_64 *segDC = MachOGetSection((unsigned char *) "__DATA.__const");
      /* segDC->offset dereferences the NULL returned above */
      int offset = (is64 ? segDC->offset : segDC->offset);


thanks!
Rohit

p.s- super excited about the upcoming book! :) Thanks for the #$%$%#^ng amazing work!
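
Added example, not code from joker, jtool or the poster: the section lookup that the quoted joker snippet performs, written so that a kernelcache without the section yields None instead of a NULL dereference. It lists LC_SEGMENT_64 segments and sections the way jtool -l prints them. The Mach-O image it runs on is constructed inline from the segment layout of the kpp listing in this thread (a __TEXT and a __DATA segment and, deliberately, no __DATA.__const); struct layouts follow <mach-o/loader.h>, and CPU_TYPE_ARM64/MH_EXECUTE are the standard constants.

```python
"""Added example (not joker's or jtool's code): list LC_SEGMENT_64 segments and
sections of a 64-bit Mach-O the way `jtool -l` does, and look a section up by
its "__SEG.__sect" name, returning None instead of dereferencing a null
pointer when the section is absent. The sample image is constructed here
from the kpp layout posted above; struct layouts follow <mach-o/loader.h>."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
HDR = struct.Struct("<IiiIIIII")           # mach_header_64 (32 bytes)
SEG = struct.Struct("<II16sQQQQiiII")      # segment_command_64 (72 bytes)
SECT = struct.Struct("<16s16sQQIIIIIIII")  # section_64 (80 bytes)


def _cstr(raw):
    """Fixed 16-byte name field -> str (names shorter than 16 are NUL padded)."""
    return raw.split(b"\0", 1)[0].decode()


def load_commands(data):
    """Yield (cmd, raw_command_bytes) for every load command, bounds-checked."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = HDR.unpack_from(data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (magic 0x%08x)" % magic)
    off = HDR.size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("load command at 0x%x overruns the file" % off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def segments(data):
    """Yield (segname, vmaddr, vmsize, sections) per LC_SEGMENT_64; sections are dicts."""
    for cmd, body in load_commands(data):
        if cmd != LC_SEGMENT_64:
            continue
        fields = SEG.unpack_from(body, 0)
        segname, vmaddr, vmsize, nsects = _cstr(fields[2]), fields[3], fields[4], fields[9]
        sections = []
        for i in range(nsects):
            s = SECT.unpack_from(body, SEG.size + i * SECT.size)
            sections.append({"name": _cstr(s[1]) + "." + _cstr(s[0]),
                             "addr": s[2], "size": s[3], "offset": s[4]})
        yield segname, vmaddr, vmsize, sections


def find_section(data, dotted):
    """Return the section dict for e.g. "__DATA.__const", or None if absent."""
    for _segname, _vmaddr, _vmsize, sections in segments(data):
        for s in sections:
            if s["name"] == dotted:
                return s
    return None


def section_file_offset(data, dotted):
    """File offset of a section, or None. This is the check the old joker lacked:
    a kernelcache without __DATA.__const must not turn into a NULL dereference."""
    s = find_section(data, dotted)
    return None if s is None else s["offset"]


def build_sample():
    """Constructed Mach-O mirroring the kpp listing above: __TEXT with
    __text/__const/__cstring, __DATA with __common/__bss only, so there is
    no __DATA.__const. Addresses and sizes are taken from that listing."""
    def seg(name, vmaddr, vmsize, sects):
        sname = name.encode().ljust(16, b"\0")
        body = b"".join(SECT.pack(sn.encode().ljust(16, b"\0"), sname,
                                  addr, size, off, 0, 0, 0, 0, 0, 0, 0)
                        for sn, addr, size, off in sects)
        return SEG.pack(LC_SEGMENT_64, SEG.size + len(body), sname,
                        vmaddr, vmsize, 0, vmsize, 7, 5, len(sects), 0) + body
    cmds = seg("__TEXT", 0x4100000000, 0x8000,
               [("__text", 0x4100001000, 0x6300, 0x1000),
                ("__const", 0x4100007300, 0xE2, 0x7300),
                ("__cstring", 0x41000073E2, 0x11B, 0x73E2)])
    cmds += seg("__DATA", 0x4100008000, 0xC000,
                [("__common", 0x4100008000, 0xB1E8, 0),
                 ("__bss", 0x41000131F0, 0x270, 0)])
    hdr = HDR.pack(MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 2, len(cmds), 0, 0)
    return hdr + cmds


if __name__ == "__main__":
    image = build_sample()
    for segname, vmaddr, vmsize, sections in segments(image):
        print("%-10s 0x%x-0x%x" % (segname, vmaddr, vmaddr + vmsize))
        for s in sections:
            print("   %-20s 0x%x-0x%x" % (s["name"], s["addr"], s["addr"] + s["size"]))
    print("__DATA.__const offset:", section_file_offset(image, "__DATA.__const"))
```

To run it on a real decompressed kernelcache, replace build_sample() with the file's bytes; the bounds check in load_commands is there because a cmdsize that runs past the file is the other classic way a Mach-O parser falls over on a crafted or truncated image.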

Re: iOS 10 update

Postby morpheus » Tue Jun 14, 2016 5:54 am

It's super late, and I've done enough iOS reversing for the day .. but:

A) Your joker version is super old. I don't check if there is a __DATA.__const because all kernels at that point had one.
B) There's no __DATA.__const in the iOS 10/OS X 10.12 kernel. Nowadays it's different segments that are used in OS X and iOS.
C) Obviously, joker is in need of an update - fear not - a major one was just waiting for an opportune time. Expect Joker 3.0 over the next couple of days.

As for KPP, it is correct - contrary to what some believe (that SEP enforces it), it is merely a Mach-O which loads into EL3. That it is a Mach-O is for purposes of loading. Particularly,

Code: Select all
Zephyr:iOS10 morpheus$ jtool -l kpp
LC 00: LC_SEGMENT_64          Mem: 0x4100000000-0x4100008000   __TEXT
   Mem: 0x4100001000-0x4100007300      __TEXT.__text   (Normal)
   Mem: 0x4100007300-0x41000073e2      __TEXT.__const   
   Mem: 0x41000073e2-0x41000074fd      __TEXT.__cstring   (C-String Literals)
LC 01: LC_SEGMENT_64          Mem: 0x4100008000-0x4100014000   __DATA
   Mem: 0x4100008000-0x41000131e8      __DATA.__common   (Zero Fill)
   Mem: 0x41000131f0-0x4100013460      __DATA.__bss   (Zero Fill)
LC 02: LC_SEGMENT_64          Mem: 0x4100014000-0x4100014000   __IMAGEEND
   Mem: 0x4100014000-0x4100014000      __IMAGEEND.__dummy   
LC 03: LC_SEGMENT_64          Mem: 0x4100014000-0x4100014000   __LINKEDIT
LC 04: LC_SYMTAB             
   Symbol table is at offset 0x0 (0), 0 entries
   String table is at offset 0x0 (0), 0 bytes
LC 05: LC_UUID                  UUID: 35324088-001A-383E-976E-C4EBD990F3A8
LC 06: LC_SOURCE_VERSION        Source Version:          273.0.0.0.0
LC 07: LC_UNIXTHREAD            Entry Point:             0x4100001834


and right from the entry point one sees:

Code: Select all
Zephyr:iOS10 morpheus$ jtool -d main kpp | head -5
Warning: companion file ./kpp.ARM64.35324088-001A-383E-976E-C4EBD990F3A8 not found
Disassembling from file offset 0x1834, Address 0x4100001834  to next function
  4100001834   MOVZ   X9, 0x631            ; ->R9 = 0x631
  4100001838   MSR    SCR_EL3, X9                       ; NS,SIF,RW   
  410000183c   MOVZ   X10, 0x8000, LSL #16      ; ->R10 = 0x80000000
  4100001840   MSR    HCR_EL2, X10                      ; RW


and yes, you saw that right, jtool (and disarm) can now handle MSR and other ELx instructions, showing you which flags are set :-)

Anyway, more to follow over the next couple of days. The events of today will ricochet for many more months, if not years.

And I'm sure you'll be super excited when you see what's IN the upcoming book. I promise an unprecedented surprise.
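
Added example, not jtool's or disarm's code: a small decoder for the two instruction forms at the kpp entry point above (MOVZ and MSR to a system register), which tracks the MOVZ values so the MSR lines can be annotated with the flag names jtool prints. The SCR_EL3 and HCR_EL2 bit names come from the ARMv8-A architecture reference; SCR_EL3 bits 4 and 5 are RES1, which is why 0x631 decodes to just NS, SIF and RW. The four instruction words are hand-assembled for this example from the listing; the kpp binary itself is not embedded.

```python
"""Added example (not jtool's or disarm's code): decode the four instructions
at the kpp entry point shown above. A minimal ARM64 decoder for MOVZ and
MSR (register), plus the bit names of SCR_EL3 and HCR_EL2 from the ARMv8-A
architecture reference, so the MSR lines can be annotated with the flags
being set, as jtool does. The instruction words were hand-assembled for
this example; the kpp binary itself is not embedded."""
import struct

# (op0, op1, CRn, CRm, op2) -> system register name; only the two used here.
SYSREGS = {
    (3, 6, 1, 1, 0): "SCR_EL3",
    (3, 4, 1, 1, 0): "HCR_EL2",
}

# Named bits. SCR_EL3 bits 4 and 5 are RES1 (that is where the 0x30 in 0x631
# comes from) and so carry no flag name. Subset sufficient for this listing.
FLAG_BITS = {
    "SCR_EL3": {0: "NS", 1: "IRQ", 2: "FIQ", 3: "EA", 7: "SMD", 8: "HCE",
                9: "SIF", 10: "RW", 11: "ST", 12: "TWI", 13: "TWE"},
    "HCR_EL2": {0: "VM", 1: "SWIO", 2: "PTW", 3: "FMO", 4: "IMO", 5: "AMO",
                6: "VF", 7: "VI", 8: "VSE", 27: "TGE", 31: "RW"},
}


def decode(word):
    """Decode one 32-bit instruction: ("MOVZ", rd, imm) | ("MSR", rt, reg) | None."""
    if word & 0xFF800000 == 0xD2800000:      # MOVZ, 64-bit: sf=1 opc=10 100101 hw imm16 Rd
        hw = (word >> 21) & 3                 # imm16 is shifted left by hw*16
        imm16 = (word >> 5) & 0xFFFF
        return "MOVZ", word & 0x1F, imm16 << (hw * 16)
    if word & 0xFFF00000 == 0xD5100000:      # MSR (register): 1101 0101 0001 o0 op1 CRn CRm op2 Rt
        o0 = (word >> 19) & 1
        key = (2 + o0, (word >> 16) & 7, (word >> 12) & 0xF, (word >> 8) & 0xF, (word >> 5) & 7)
        name = SYSREGS.get(key, "S%d_%d_C%d_C%d_%d" % key)
        return "MSR", word & 0x1F, name
    return None


def flag_names(reg, value):
    """Comma-separated names of the set bits of `value` written to `reg`."""
    bits = FLAG_BITS.get(reg, {})
    return ",".join(name for bit, name in sorted(bits.items()) if (value >> bit) & 1)


def annotate(code, base):
    """Disassemble `code` (little-endian words at address `base`), tracking
    MOVZ results so a following MSR can show which flags it sets.
    Returns a list of (address, text, annotation)."""
    regs, out = {}, []
    for i in range(0, len(code) - len(code) % 4, 4):
        word = struct.unpack_from("<I", code, i)[0]
        addr = base + i
        d = decode(word)
        if d is None:
            out.append((addr, ".word 0x%08x" % word, ""))
        elif d[0] == "MOVZ":
            _, rd, val = d
            regs[rd] = val
            out.append((addr, "MOVZ X%d, #0x%x" % (rd, val), "X%d = 0x%x" % (rd, val)))
        else:
            _, rt, reg = d
            note = flag_names(reg, regs[rt]) if rt in regs else "(value unknown)"
            out.append((addr, "MSR %s, X%d" % (reg, rt), note))
    return out


# Hand-assembled for this example, matching the jtool output above.
KPP_ENTRY = bytes.fromhex(
    "29c680d2"   # MOVZ X9, #0x631
    "09111ed5"   # MSR  SCR_EL3, X9
    "0a00b0d2"   # MOVZ X10, #0x8000, LSL #16
    "0a111cd5"   # MSR  HCR_EL2, X10
)

if __name__ == "__main__":
    for addr, text, note in annotate(KPP_ENTRY, 0x4100001834):
        print("  %x   %-28s ; %s" % (addr, text, note))
```

What the flags mean for the security model: NS=1 in SCR_EL3 puts the lower exception levels in the non-secure world, SIF forbids secure-state instruction fetch from non-secure memory, and RW in both SCR_EL3 and HCR_EL2 makes EL2 and EL1 AArch64. That is exactly the kind of setup code one expects from an EL3 monitor configuring the worlds below it, rather than from anything running under SEP.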

Re: iOS 10 update

Postby rohitwas » Tue Jun 14, 2016 6:49 am

Wow, that's quite cool with jtool handling all that functionality!
Sorry about the bother, I didn't in fact check the latest one, but it turns out the latest joker available at http://newosxbook.com/tools/joker.tar (compiled May 2014) also crashes with the same issue.
But as you mentioned, I'll await the joker 3.0 release :)
Thanks for your patience, Jonathan!

-Rohit

Re: iOS 10 update

Postby vtan » Tue Jun 14, 2016 10:29 am

Hey Jonathan,

May I know where you extracted kpp from? Also, is there a way to extract img4p files?

Re: iOS 10 update

Postby morpheus » Tue Jun 14, 2016 11:18 am

Rohit - that's my bad in that I didn't update that tar. But I'm fixing joker for v3.0 now (good news - it works even better when it's a kernelcache and not a dump :-) so expect it soon.

vtan: IM4P is just DER. And to get the kernelcache out you just use lzssdec -o .. (like the good old days).

KPP: https://twitter.com/qwertyoruiopz/statu ... 6440240128 - 'nuff said :-)

Re: iOS 10 update

Postby vtan » Tue Jun 14, 2016 3:06 pm

Ah, ok. I'm parsing the IM4P files. Just wondering if you have any idea if they are encrypted or not? I tried dumping the iBoot and sep-firmware IM4P files, but they can't be disassembled with IDA.

Re: iOS 10 update

Postby morpheus » Tue Jun 14, 2016 4:12 pm

iBoot and SEP are. Not sure IDA can handle IM4P/DER, btw. A good way to figure out if any file is encrypted or not is just look for strings. If you see any strings past the IM4P standard fields, that suggests decrypted. AFAIK, logos, kernelcache, and rootfs (dmg, not IM4P) are all unencrypted. I myself have been working off of OTA.

Big detail on KPP to be posted on site, in book, or both.
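
Added example, not jtool's code or anything from the thread: the two replies above say that IM4P is plain DER and that the quick way to tell an encrypted image from a decrypted one is to look for strings past the standard IM4P fields. The script below does both. It strips the DER wrapper (the layout assumed here is a SEQUENCE of IA5String "IM4P", IA5String four-character type, IA5String description and an OCTET STRING payload, with anything after that, such as the keybag on encrypted images, handed back untouched as "extra"), then runs a strings(1)-style scan and a byte-entropy measure over the payload. Both sample files are constructed inline; the "encrypted" payload is SHA-256 output standing in for ciphertext, and the plaintext strings are made up for the example.

```python
"""Added example (not jtool's code): strip the IM4P DER wrapper from an Image4
payload and apply the "look for strings" check from the reply above, plus a
byte-entropy measure. The IM4P layout assumed here is a DER SEQUENCE of
IA5String "IM4P", IA5String four-character type, IA5String description and an
OCTET STRING payload; anything after that (the keybag, on encrypted images)
is returned untouched as "extra". Both sample files are constructed below; the
"encrypted" payload is SHA-256 output standing in for ciphertext."""
import hashlib
import math


def der_read(buf, off=0):
    """Read one DER TLV at buf[off:] -> (tag, value, offset_after). Single-byte
    tags only, which is all IM4P uses; long-form lengths up to 4 bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER at 0x%x" % off)
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or off + nbytes > len(buf):
            raise ValueError("unsupported or truncated DER length at 0x%x" % off)
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    if off + length > len(buf):
        raise ValueError("DER length 0x%x runs past end of buffer" % length)
    return tag, buf[off:off + length], off + length


def der_tlv(tag, value):
    """Encode one DER TLV (only used to construct the sample files)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value


def parse_im4p(buf):
    """-> {"type": "krnl", "desc": ..., "payload": bytes, "extra": [(tag, value), ...]}"""
    tag, body, _ = der_read(buf)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    items, off = [], 0
    while off < len(body):
        t, v, off = der_read(body, off)
        items.append((t, v))
    if len(items) < 4 or items[0] != (0x16, b"IM4P") or items[3][0] != 0x04:
        raise ValueError("not an IM4P container")
    return {"type": items[1][1].decode("ascii"), "desc": items[2][1].decode("ascii"),
            "payload": items[3][1], "extra": items[4:]}


def shannon_entropy(data):
    """Bits per byte; ~8.0 for ciphertext, well below that for code and text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strings(data, minlen=8):
    """Printable ASCII runs of at least `minlen` bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in data + b"\0":            # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= minlen:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def looks_encrypted(payload):
    """Decrypted firmware carries version strings, paths and panic messages;
    ciphertext is near 8 bits/byte with only chance printable runs."""
    return shannon_entropy(payload) > 7.5 and len(strings(payload)) < max(1, len(payload) // 256)


def build_samples():
    """Two constructed IM4P files: a plaintext "krnl" whose payload mixes
    made-up strings with the four kpp instruction words from above, and an
    "ibot" whose payload is pseudo-random bytes standing in for AES output."""
    plain = (b"Darwin Kernel Version 16.0.0 (constructed sample string)\0"
             b"/System/Library/Caches/com.apple.kernelcaches/kernelcache\0"
             b"panic(cpu %d caller 0x%llx): %s\0"
             + bytes.fromhex("29c680d209111ed50a00b0d20a111cd5") * 32)
    cipher = b"".join(hashlib.sha256(b"im4p-sample-%d" % i).digest() for i in range(64))

    def im4p(fourcc, payload):
        return der_tlv(0x30, der_tlv(0x16, b"IM4P") + der_tlv(0x16, fourcc)
                       + der_tlv(0x16, b"constructed sample") + der_tlv(0x04, payload))
    return im4p(b"krnl", plain), im4p(b"ibot", cipher)


if __name__ == "__main__":
    for blob in build_samples():
        img = parse_im4p(blob)
        print("%s: %d bytes, entropy %.2f, %d strings, encrypted? %s" % (
            img["type"], len(img["payload"]), shannon_entropy(img["payload"]),
            len(strings(img["payload"])), looks_encrypted(img["payload"])))
```

Two practical notes. The reason a disassembler chokes on a raw .im4p is the DER framing in front of the code, so write img["payload"] out to its own file before loading it; and for the kernelcache that payload is still LZSS-compressed (the "complzss" blob lzssdec handles), which will also score as high entropy, so check for the compression header before concluding something is encrypted.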

