
The One Weird Trick SecureROM Hates [pdf] - 1on0
http://iokit.racing/oneweirdtrick.pdf
======
commandersaki
TIL SecureROM != SecuROM.

I came to this post anticipating a nostalgic trip about some ancient DRM and a
stupidly simple way to break it.

Got confused when it was about Apple phone OS.

~~~
ndzig
Same.

It was weird to see people from the jailbreak scene (easily recognisable
because they all have names l1ke th1s) in such an exploit... turns out
SecureROM is also something from iPhone

------
Scoundreller
Cellebrite is listed under whoareus, but with a bunch of pseudonyms.

Is that the same Cellebrite?

~~~
saagarjha
Yes.

------
HeWhoLurksLate
Wow, it's really cool to read how things like this happen.

While we're here, is there anything I can use to remove the alphanumeric
passcode from an iPad 4 (A6X chipset, no Secure Enclave) that I've forgotten
the password to?

~~~
userbinator
There's a device called "IP box" which may be able to do that, it's not cheap
but a mobile repair/unlocking store would probably have one.

~~~
MuffinFlavored
How does it work?

~~~
arthurfm
For a 4 digit unlock code, the device would enter them sequentially starting
from 0000 and ending at 9999 [1]. Because there is a delay of 6 seconds
between each attempt (on iOS 7.xx) it would take just over 16 and a half hours
to try all codes.

[1] https://www.fonefunshop.com/ip-box-iphone-password-unlock-tool.html

~~~
rvz
Right now with these tools you are just playing passcode roulette to recover
your device if you forgot the code and you enabled factory wipe after N tries.

Out of these retries, at least 1/N correct passcode attempts are needed, so
such tools are close to useless if you care about retrieving your data with
factory wipe enabled.
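
As an added illustration of the two comments above (not the IP box's own code, and not a claim about how any particular iOS version schedules lockouts): a small model of a sequential passcode brute force against a device policy. The policy fields (passcode length, fixed inter-attempt delay, erase-after-N threshold) are parameters you set yourself; the 6-second delay and 4-digit space below are taken from the thread, the wipe threshold of 10 is an assumed setting.

```c
/* Added example for this thread: a model of an IP-box-style sequential
 * passcode brute force against a device policy. Not the tool's code; the
 * policy parameters are assumptions you set yourself. */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

struct pin_policy {
    uint32_t digits;        /* length of the numeric passcode */
    double   delay_s;       /* seconds the device enforces between attempts */
    uint32_t wipe_after;    /* erase after this many failures; 0 = disabled */
};

struct attack_result {
    bool     found;         /* the PIN was entered before any wipe */
    bool     wiped;         /* the device hit its erase threshold */
    uint32_t attempts;      /* guesses made, including the successful one */
    double   seconds;       /* time spent waiting on the per-attempt delay */
};

static uint32_t pin_space(uint32_t digits)
{
    uint32_t n = 1;
    while (digits--) n *= 10;
    return n;
}

/* Try every code from 0 upward, as the IP box does, until the target is hit,
 * the keyspace is exhausted, or the device's wipe threshold is reached. */
struct attack_result bruteforce_pin(struct pin_policy p, uint32_t target)
{
    struct attack_result r = {false, false, 0, 0.0};
    uint32_t space = pin_space(p.digits);
    for (uint32_t guess = 0; guess < space; guess++) {
        r.attempts++;
        r.seconds += p.delay_s;        /* each attempt costs one delay */
        if (guess == target) { r.found = true; return r; }
        if (p.wipe_after && r.attempts >= p.wipe_after) { r.wiped = true; return r; }
    }
    return r;
}

/* With wipe enabled, a uniformly random PIN is recovered only if it lies
 * among the first wipe_after guesses in the attacker's order. */
double wipe_success_probability(struct pin_policy p)
{
    uint32_t space = pin_space(p.digits);
    if (p.wipe_after == 0 || p.wipe_after >= space) return 1.0;
    return (double)p.wipe_after / (double)space;
}

int main(void)
{
    /* Constructed scenarios: the thread's 4-digit / 6 s case, with and
     * without an assumed erase-after-10 setting. */
    struct pin_policy no_wipe = {4, 6.0, 0};
    struct pin_policy wipe10  = {4, 6.0, 10};
    struct attack_result r = bruteforce_pin(no_wipe, 9999);
    printf("worst case, no wipe: %u attempts, %.1f hours\n",
           r.attempts, r.seconds / 3600.0);
    printf("erase after 10: P(success) = %.4f\n",
           wipe_success_probability(wipe10));
    return 0;
}
```

Running the model reproduces the figure in the comment above (10,000 attempts at 6 s each is 60,000 s, a little over 16.6 hours) and makes the second comment's point concrete: with erase-after-10 on, a sequential attacker only ever sees 10 of the 10,000 codes.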

------
stefan_
Why on earth would you have a heap in a zero-stage-burned-into-chip
bootloader, not to mention a USB stack. It's just self-inflicted harm at this
point.

~~~
sneak
USB stack is because one of the ROM bootloader’s primary functions is DFU mode
so that you can reflash a bricked device.

~~~
com2kid
A heap isn't needed, it is just super helpful.

Also DFU is not the world's best protocol, I am surprised Apple didn't just
roll their own. It isn't exactly hard to replace DFU with something simpler
that gets the job done.

~~~
nikanj
Either all the senior engineers and PhDs working for Apple are idiots, or it’s
harder than you think.

This same heuristic can be applied all across the HN front page with good
results.

~~~
com2kid
> Either all the senior engineers and PhDs working for Apple are idiots, or
> it’s harder than you think.

I was part of a team that rolled our own firmware update mechanism at
Microsoft. (I didn't work on the replacement myself, the engineer sitting
next to me did.)

And deeply embedded USB stacks w/o a heap aren't exactly uncommon, considering
malloc is forbidden in a large % of firmware.
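
As an added example of the design point in the last two comments (a DFU-style download path that needs no heap at all), here is a receive handler that accumulates an image into a fixed static buffer with explicit bounds checks. This is illustrative code written for this thread; it is not Apple's SecureROM, not any real USB stack, and the names, transfer size and buffer size are assumptions.

```c
/* Added example: a heap-free DFU_DNLOAD receive path backed by a fixed
 * static image buffer. Illustrative only; not SecureROM or any real USB
 * stack. Names and sizes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed limits: a common DFU wTransferSize and a small image buffer so the
 * example stays self-contained. */
#define DFU_MAX_TRANSFER 0x800u
#define IMAGE_BUF_SIZE   0x4000u

/* All state is statically allocated; nothing here ever calls malloc, so there
 * is no allocator to groom and no free() to misuse. */
static uint8_t  g_image[IMAGE_BUF_SIZE];
static uint32_t g_image_len;     /* bytes received so far */
static int      g_done;          /* terminating zero-length DNLOAD seen */

enum dfu_status {
    DFU_OK = 0,
    DFU_ERR_TOO_LARGE,   /* chunk bigger than wTransferSize */
    DFU_ERR_OVERFLOW,    /* chunk would run past the static buffer */
    DFU_ERR_STATE        /* data after the image was already terminated */
};

void dfu_reset(void)
{
    memset(g_image, 0, sizeof g_image);
    g_image_len = 0;
    g_done = 0;
}

/* Handle one DFU_DNLOAD request. `len` is the control transfer's wLength; a
 * zero-length DNLOAD marks the end of the image, as in the DFU spec. */
enum dfu_status dfu_dnload(const uint8_t *data, uint32_t len)
{
    if (g_done)
        return DFU_ERR_STATE;
    if (len == 0) {
        g_done = 1;
        return DFU_OK;
    }
    if (len > DFU_MAX_TRANSFER)
        return DFU_ERR_TOO_LARGE;
    /* Compare against remaining space so the check itself cannot wrap. */
    if (len > IMAGE_BUF_SIZE - g_image_len)
        return DFU_ERR_OVERFLOW;
    memcpy(g_image + g_image_len, data, len);
    g_image_len += len;
    return DFU_OK;
}

uint32_t       dfu_image_len(void)      { return g_image_len; }
int            dfu_image_complete(void) { return g_done; }
const uint8_t *dfu_image(void)          { return g_image; }

int main(void)
{
    /* Constructed sample: stream a 0x1000-byte image in two 0x800 chunks,
     * then the terminating zero-length packet. */
    uint8_t chunk[DFU_MAX_TRANSFER];
    memset(chunk, 0xAB, sizeof chunk);
    dfu_reset();
    dfu_dnload(chunk, sizeof chunk);
    dfu_dnload(chunk, sizeof chunk);
    dfu_dnload(NULL, 0);
    printf("received %u bytes, complete=%d\n",
           (unsigned)dfu_image_len(), dfu_image_complete());
    return 0;
}
```

The only per-request decision is whether the chunk fits in what is left of one fixed buffer; there is no allocation size derived from host-supplied fields, which is the property the no-heap argument above is really after.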

------
stakhanov
_lol_ The title is technically against HN guidelines (clickbait), but since
it's so blatantly obvious that it's tongue-in-cheek/sarcastic, it's probably
fine.

