iOS Dual Booting Demystified presented at BlackHatAsia2019 2019

by Max Bazaliy,

Summary : In this talk, we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this, we will detail how the secure iOS boot process functions, including many of the details of how the low level component verification works as well as the loading and running of processes at boot time. It's known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device's system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.From our detailed understanding and explanation of how the boot process functions for iOS we will then discuss ways in which researchers can take these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image side by side with the device's original iOS firmware image.