TrustZone: iBoot and KPP on iOS 9 >

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

TrustZone: iBoot and KPP on iOS 9 >

Postby rohitwas » Thu Sep 01, 2016 11:08 pm

I was reading through the slides of your excellent presentation "Giving Mobile Security the Boot" where you mention that iBoot on 64 bit devices now runs in secure mode and in EL3.

1)Theoretically then, it should not be possible to dump iBoot or KPP via the kernel unless you abusing any SMC handler bugs or some trust-zone h/w implementation flaw perhaps ? just curious because i remember someone claiming on twitter they got an iBoot dump off of ios9.

2) Are the SMC handlers themselves present in iBoot or KPP? (i did read the slide where you note that the leaked KPP seems to have the *wrong* segment names of the kernelcache hardcoded into!)

p.s - Did you get a chance to meet/talk/see @i0n1c in HITBGSEC? :P
Posts: 6
Joined: Thu Dec 17, 2015 11:06 pm

Re: TrustZone: iBoot and KPP on iOS 9 >

Postby morpheus » Fri Sep 02, 2016 12:16 am

1) Correct. But you could still get iBoot if you abused iBoot64 in 8, for example, found a vuln, got GID, and used it to decrypt iBoot 9 or even iBoot 10, for that matter.

2) SMC handlers are in KPP. That's actually in my presentation. SMC #2048, #2049, and the otherwise apparently unused (unless it's from a kext and I'm missing it) #2050.

Since then Apple leaked the "right" KPP, and and upwards were fixed to have the right segments (i.e. __TEXT_EXEC, _PLK and all that jazz).

Yeah, I met i0n1c. He gave a great talk, very methodological, organized on iOS kernel zones. Told him he's much nicer in person than on TWTR, and offered either A) collaboration B) friendship or C) just truce, wherein, at a minimum, his lies about Tg and myself personally have to stop. He has yet to reply.
Site Admin
Posts: 697
Joined: Thu Apr 11, 2013 6:24 pm

Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 6 guests