
The bumpy road towards iPhone 5c NAND mirroring - praving5
https://arxiv.org/abs/1609.04327
======
CGamesPlay
Probably useful to mention this in the comments here: this works for the 5c,
but not the 6 and beyond, due to the addition of the Secure Enclave.

~~~
xt00
So the secure enclave must have an embedded flash inside the processor that
includes the pin code attempt counter -- meaning that writing to the external
flash would not happen at all right?

~~~
Sanddancer
From what Apple's released on how iPhone security works [1], it sounds like
such keys are still written to external flash, just in a much more low-level
way. So there may be a theoretical way to do this attack on a more recent
iphone, but you'd have to do a lot more reverse engineering to figure out a
few layers of undocumented proprietary protocols.

[1]
[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

~~~
xt00
The basic issue with using an external memory is that you simply become a man
in the middle and control what is happening the whole way. There is not some
sort of magic "more low level way" available on flash ICs.. The flash device
on any apple device can be fully emulated either by an FPGA or a special high
speed setup that still has the flash IC attached to it. When the magic command
comes in to write the value to store how many attempts have occurred you
respond as if the value was written correctly but then don't actually write
it. Assuming the block of memory that is being written is encoded with a
particular checksum that is also including some checksum that was calculated
on the local copy inside the secure enclave then the main problem we would run
into would be that the secure enclave may store some value like that checksum
in its memory locally in flash. So when you go to attempt the next passcode it
reads the previous checksum from the external nand flash IC and sees that you
are using the correct checksum, but the value you stored for the attempt
counter does not sum up properly. So basically you would also need to reverse
engineer their checksum process to screw up some other value to make the
checksum add up properly. The alternative as I suggested is to just store the
actual attempt counter in the internal flash of the main A8 or whatever
processor in the secure enclave. That way it forces the hacker to have to be a
much more sophisticated user and take more risk to damage the chip to
basically completely remove the chip, FIB it to cut down to the proper layer--
if apple was smart they would bury the flash for the secure enclave under a
bunch of important metal routing that would be super difficult to get around,
then even a super sophisticated nation state actor would be highly challenged
to do this modification.. Desoldering the flash IC and soldering in an
interposer that has an FPC that connects to an FPGA that is purpose built for
this setup could be done in like 30 mins or less. So if apple wants to make
this scheme difficult to do, they should embed it deep inside the main
processor and not rely upon the external flash at all.

~~~
Relys
Great description. You remind me of Joe Grand (L0pht Heavy Industries), Joe
FitzPatrick (NSAPlayset), Hector Martin (fail0verflow) and Micah Scott
(scanlime). All are brilliant Electric Engineers with a security background.
Do you have an EE degree too? Anyways, thanks for the detailed explanation. :)

~~~
xt00
Ha thanks--quite a nice set of compliments there! Yea, you figured me out, I'm
an EE who grew up as a wannabe hacker.. :-)

------
ChuckMcM
Awesome that someone actually took the time to do what many engineers
suggested could be done.

------
msoad
[https://news.ycombinator.com/item?id=11199275](https://news.ycombinator.com/item?id=11199275)

------
lisper
Vindicated.

[https://news.ycombinator.com/item?id=11199093](https://news.ycombinator.com/item?id=11199093)

~~~
dogma1138
No one with the slightest technical background thought the phone was
uncrackable, maybe not directly by the FBI but by pretty much any 3rd party
contractor that does even basic flash data recovery. The FBI was looking to
set a precedent in order to be able to gain easy access to phones that could
be also used by law enforcement, a local sheriff's department is less likely
to be able to contract it out for every case and even if it would be a
commodity it would be price prohibitive at scale. Overall probably even
iPhones with a secure enclave are not "immune" to physical attacks, not as
easy as doing simple nand-mirroring but if can decap the main CPU without
destroying it you should be able to directly probe the secure enclave logic.

Also while NAND mirroring does work, there is a good chance it wasn't used in
that case, the current "theory" is that one of the patched USB DMA exploits
were used to unlock the phone, NAND mirroring was too "risky" for the FBI to
consider at the time, and it wasn't forensically secure IIRC one of the
reasons for the very high price was the non-physical attack approach that the
3rd party provider they've selected had in their toolkit.

~~~
bogomipz
Can you explain how the "USB DMA exploit" works? Also how would you run this
exploit on the phone if you were locked out of it?

~~~
dogma1138
Like any other DMA exploit through the USB host or any other DMA enabled data
connector/port.

Cellebrite has a few of them I know of a few for MediaTek chipsets that work
through the USB host and the camera connector.

This isn't any different than the DMA "skeleton keys" for PCs and Macs that
work via firewire/thunderbolt/pcie/expresscard/PCMCIA etc.

------
campuscodi
I wonder how much the entire rig cost him? Not $1 million, that's for sure!

~~~
dmitrygr
< $50 in parts (just a PIC24)

~~~
ganoushoreilly
It would have cost the agencies a lot more though (contracting fees), I highly
doubt they'd have the technical capabilities to handle this. But it just goes
to show that they didn't really _reach out_ and were simply using it as a
means to push their backdoor agenda. :(

~~~
gizmo686
What worse is that they (or at least Comey) explicitly said that NAND
mirroring does not work. When he was testifying before Congress, we was asked
by several Congress people about NAND mirroring and (if I remember correctly)
said that the technical experts had looked into it. This is either gross
incompetence or outright perjury.

~~~
dogma1138
Well for the FBI NAND mirroring might not be a solution.

In the article the author mentions that this technique can effectively damage
the flash memory because you can get effectively into a state where you are
causing wear due to writes.

In theory you can scale this up and copy the contents of memory into an FPGA
which emulates NAND (both logically and physically) or just hold multiple
copies on different chips but even the initial process is not without risk.

While it's easy to say that the FBI lied or was incompetent because they had a
motive to say set a precedent, but given the FBI's own rules for what is a
forensically accepted method of extracting data NAND mirroring can easily be
considered as something that "doesn't work".

~~~
gizmo686
Perhaps the FBI had a valid reason for not doing NAND mirror [0]. However, I
maintain that it is incompetent for the FBI director to testify before
congress on the case and not be prepared with a basic answer to why the most
obvious technical answer would not work. Similarly, with him saying in a press
conference that it would not work.

Of course, the FBI director does not need to know this level of detail about
every case, but given how much he appears to have known, he should not have
been speaking about the case beyond directing people to ask the person in
charge of the case.

[0] Although, I would argue, in cases where no alternative exists, if the FBI
policies prevent NAND mirroring, they should be revisited. Even if it has the
potential to be destructive, they would only be destroying otherwise unusable
information.

~~~
dogma1138
[0] Although, I would argue, in cases where no alternative exists, if the FBI
policies prevent NAND mirroring, they should be revisited. Even if it has the
potential to be destructive, they would only be destroying otherwise unusable
information.

Eh? no, destructive methods are a big no-no, this isn't a dichotomy.

The information ins't unusable, they can try force apple to unlock the phone,
or wait until some one else comes that can do it without using a destructive
method.

You can't destroy evidence because you can't do anything with it at the given
time.

------
phyushin
Interesting read

------
Sniffnoy
A note -- if you're linking to arXiv, it's better to link to the abstract
([https://arxiv.org/abs/1609.04327](https://arxiv.org/abs/1609.04327)) rather
than directly to the PDF. From the abstract, one can easily click through to
the PDF; not so the reverse. And the abstract allows one to do things like see
different versions of the paper, search for other things by the same authors,
etc. Thank you!

~~~
lisper
You can also see when the paper was submitted.

~~~
nickpsecurity
Oh I find it so aggravating when I don't have a date. It seems like most
academic papers I found on interesting security and programming stuff didn't
have dates. I had to pull them off Citeseerx or the school's site. You'd think
it would be a requirement in the style guides given importance of when
something was published for relevance or context. I've never heard an
explanation for why this isn't so.

I do appreciate the authors that put one on there, though. Saves much
Googling. :)

~~~
tikhonj
Conference papers include a copyright notice with the name (and year) of the
conference.

Papers that aren't published at conferences (preprints, technical reports...
etc) don't have any standard format for this. Sometimes (especially for
preprints) it's left out in expectation of adding the copyright notice in a
future version, sometimes it's left out because the document is in a very
preliminary stage and hasn't been officially published and sometimes it's left
out because people just didn't think of it and there's no standard format that
includes a date for things that aren't published to a specific venue.

~~~
lisper
You don't need a standard format. You just need to put "DRAFT - [today's
date]" somewhere in the document.

~~~
nickpsecurity
Im not saying it has to be done a certain way. Im saying my college required
the paper to have margins, a title, etc. Im surprised most of them dont
require a date of any kind on the document sonewhere. They could write the
year in Size 8 in upper-right corner in light grey and that would be better
than many in my collection. ;)

