
Secure ROM extraction on iPhone 6S - tomstokes
http://ramtin-amin.fr/#nvmedma
======
mschuster91
Wow. That's some serious skill that went into this.

If the author is reading: how did you develop that multi-layer board? Do you
have a PCB fab that can print a board in, say, one or two days time? And how
did you assemble that PCIe inject board, given those ultra small SMD parts?
Did you order a fully-built PCB or did you do all this by hand?

~~~
potrebitel
Also, designing a FPGA board is 'half' of the job, putting a verilog or VHDL
code is a totally different thing.

The DDR3 routing, the BGA chip, everything on this board 'screams' very hard
work, probably not by a single person ( i have to admin I checked the
FPGA/board part only )

~~~
striking
This could all be done by a single person. A very talented person, sure, but
one person could do all of this.

I'm not certain about routing the DDR3 traces, but DIY soldering on a BGA chip
isn't the absolute worst thing in the world, and VHDL/Verilog aren't that bad,
especially when using the Xilinx tooling. A lot of that code is written for
you (and you usually don't have to purchase IP cores... usually)

~~~
revelation
BGA soldering difficulty seems like somewhat of a persistent myth. Sure, it's
difficult to get right if you want to solder a BGA as part of a production
line and need to get 99.9% right or it becomes too costly.

But iPhone repair technicians and others are very blase about just using hot
air guns and a ton of flux to solder all kinds of BGA chips, and they
generally seem to work just fine.

Now DDR3 and USB3 routing is very annoying, but you generally just copy the
reference design of the FPGA manufacturer and possibly adjust for your board
layup.

------
deegles
How many people on the planet are capable of doing this? What's your best
Fermi estimate?

~~~
mmastrac
I'd wager 100<n<1000\. This requires a specific skillset of low-level
reversing and hardware hacking but I wouldn't put it past anyone who is smart
and driven to understand how things work.

~~~
userbinator
It requires a skillset which IMHO is actually not so rare particularly in
parts of China and Russia, where hacking these systems is part of how all the
unofficial repair shops can survive.

In fact I wouldn't be surprised if this particular task, extracting the boot
ROM, was already done long ago by a few groups but not publicised --- Apple's
bounties may seem enticing, but these people know it's the end if they tell
Apple; they'd rather keep it secret and use those "holes" to keep
investigating and sell their results to repair shops, which may ultimately
yield far greater profit.

~~~
pawadu
I think parent is confusing the 10x engineer (which this guy obviously is)
with a one-in-a-million engineer.

Not to talk down Ramtin's achievements (I think his work is awesome), but
hardware hacking is significantly easier these days when you can buy a JTAG
dongle + software for less then $10 and order a high quality PCB with another
$10-20.

------
a2tech
Does this allow circumvention/dumping of the SecureBoot keys? Its an
impressive looking piece of kit for sure, but the English leaves me confused
as to what they were able to actually accomplish.

~~~
mikeash
I would assume that the signature scheme uses some sort of public key system,
so dumping the keys in the boot ROM wouldn't let you sign new code. Gaining
access to the bootloader code would allow you to analyze it and potentially
find vulnerabilities. There's no guarantee that vulnerabilities could be
found, but the chances are a lot better than if you were just poking at it
blind.

It looks like they did succeed in dumping the full contents of the boot ROM.
They don't appear to have done anything with that dump (yet).

------
vbezhenar
I really hope that jailbreakers will be able to downgrade iPhone 4S from iOS
9.3 to iOS 6. I stayed current when Apple released updates, even with terrible
performance, but now it's really doesn't make any sense to stay on that laggy
iOS 9, if I could use blazing fast iOS 6.

~~~
laacz
It's now only 4s. iPhone 6 is getting more and more sluggish with every major
and even minor update.

~~~
NEDM64
Source for that? My iPhone 6 is as fast as ever. It's just not the fastest
phone around anymore.

~~~
laacz
Personal perception. I am using iPhone6 for two years already. It is in no way
objective.

------
pjc50
That jig is a beautiful piece of mechanical engineering.

------
wernercd
So... when can we expect a 9.3.5 jailbreak :) This is some seriously badass
stuff going on...

------
felixfurtak
In a digital world, the analog voltmeter is a nice touch

~~~
jburgess777
The big "A" suggests it is an ammeter measuring the current, not a voltmeter.
An analog display is often quicker and easier for a human to interpret when
only a rough measurement is wanted.

------
mmastrac
If the author of the blog is reading this, the site seems to be unavailable
from my location on the Shaw Canada network. I thought it was down, but it
appears there's some sort of network error preventing my packets from making
it from here to there. This happened on the previous (and very interesting)
article as well.

archive.is link for anyone else having this issue:
[http://archive.is/bA9Ak](http://archive.is/bA9Ak)

~~~
nullpage
Thanks for the archive link, can also confirm that actual link doesn't work on
my Shaw Canada connection either.

~~~
mig39
Also on Shaw, and can't view this without a VPN. Any ideas why not? Weird.

~~~
theGimp
Back in the day I had similar problems, but I used a different Canadian ISP.
The issue was their DNS: for some reason it did not resolve some valid
domains.

Switching to Google's DNS might fix your problem. If it doesn't, it's probably
Shaw's routes.

