SHAttered Dreams presented at HITBSecConf Malaysia 2013

by Joshua ‘@p0sixninja’ Hill

Summary: In the past 5 years, since Apple unleashed the iPhone on the world, only 5 different BootROM exploits have been seen publicly in the wild. Of these few exploits, even fewer people have been involved in their discovery and exploitation. This is primarily due to very limited debugging possibilities and the limited information exposed on how the iOS BootROM works and on how these vulnerabilities were discovered and exploited. If more researchers understood how the iOS BootROM works and how past exploits were found and created, then more researchers could assist in finding and exploiting new iOS BootROM vulnerabilities for the newer A5 and A6 devices.
In this presentation I plan to do exactly that. We will break down the inner workings of the iOS BootROM and show how previous vulnerabilities were discovered and exploited. First we will cover how the BootROM has been dumped from iOS devices in the past. Next we’ll have a brief walkthrough of how the BootROM works and the different execution paths it can take. Then we will take a detailed look at the previous iOS BootROM exploits, including how they were discovered and analyzed, the different ideas used to attempt exploitation, and how they were eventually exploited to create the permanent exploits used in most jailbreaking software today. Finally, we’ll get into some theoretical situations and discuss how different types of vulnerabilities (if discovered) could be exploited on the device to create an unpatchable jailbreak.
This presentation will be told from the first-person point of view of someone who was actually there to witness it all unfold, with first-hand experience in the subject. Finally, the untold story of iOS BootROM exploitation (which has always gone on behind closed doors) will be told to the world.