Apple’s Secure Enclave Processor (SEP) Firmware Decrypted

The decryption key for Apple’s Secure Enclave Processor (SEP) firmware has been posted online by self-described “ARM64 pornstar” [xerub]. The SEP is the security co-processor introduced with the iPhone 5s, which is when Touch ID was introduced. It’s a black box that we’re not supposed to know anything about, but [xerub] has now pulled back the curtain on that.

The Secure Enclave handles the processing of fingerprint data from the Touch ID sensor and determines whether it is a match; it also enables access for purchases for the user. The SEP is a gatekeeper which prevents the main processor from accessing sensitive data. The processor sends data which can only be read by the SEP, which is authenticated by a session key generated from the device’s shared key. It also runs its own OS [SEPOS], which has a kernel, services, drivers and apps. The SEP performs secure services for the rest of the SoC and much more, which you can learn about from the Demystifying the Secure Enclave Processor talk at Black Hat.

[xerub] published the decryption keys here. To decrypt and process the firmware you can use img4lib and xerub’s SEP firmware split tool. These tools make it a piece of cake for security researchers to comb through the firmware looking for vulnerabilities.

WiFi Mapping with a smartphone

Not so long ago, mapping WiFi required a laptop, GPS, a big antenna and Kismet/NetStumbler. Today’s smartphones have replaced even this task. For those of us running a GPS and WiFi equipped Windows Mobile phone, WiFiFoFum is an excellent and simple solution, as well as a great companion for installing an AP.

iPhone 3.0 adds custom protocol support for addons

In the middle of adding all the features that should have been available on day one, Apple announced something really interesting for the hardware hacking community. The new iPhone 3.0 OS will support application communication over Bluetooth or through the dock connector using standard or custom protocols. From Engadget’s coverage:

10:19AM “They talk over the dock, and wirelessly over Bluetooth. Things like playing and pausing music, getting artwork — or you can build your own custom protocols.”
10:19AM “Now here’s a class that we think will be really interesting — medical devices.” Scott’s showing off a blood pressure reader that interfaces with the iPhone — wild.
10:18AM “Here’s an example — an FM transmitter. With 3.0, the dev can build a custom app that pairs up with it, and automatically finds the right station and tunes it in.”
10:18AM “With 3.0, we’re going to enable accessory developers to build custom apps that talk directly to that hardware.”

No solid connection specification has been published yet. We’re excited about the prospect of developing our own accessory hardware, but we wonder what sort of hoops you’ll have to jump through. Apple doesn’t have the best track record when it comes to approvals. Just this week they denied MSA Remote client App Store entry; it’s a multitouch client that uses the standard TUIO protocol. Prepare for similar roadblocks in the future.

[via adafruit]

25C3: Hacking the iPhone

As promised in their yellowsnow demo, [pytey], [MuscleNerd], and [planetbeing] from the iphone-dev team presented at 25C3 on their work Hacking the iPhone. The team originally formed in 2007 and this is the most comprehensive presentation on how the iPhone was compromised to date. You can find the full talk embedded above.

Flash for jailbroken iPhones

Hackers are continuing to outpace Apple with feature additions. The team at iMobileCinema has created a Flash plugin for the Mobile Safari browser. It’s a beta release and still a bit buggy. This app is only available to people who have jailbroken their iPhones. You just need to add d.imobilecinema.com to your sources in Cydia to get the package to appear. While it can crash from time to time, it’s certainly better than no support at all.

[via Gizmodo]

iPhone controlled dog treat dispenser

[Stephen Myers] has been toying around with some beta ioBridge hardware. He decided to build a remote control dog treat dispenser. ioBridge’s hardware is built specifically to make web enabling projects easy. The main controller board has four I/O channels that speak to addon modules. It has an Ethernet port on the main board and an easy to configure website.

[Stephen] used a servo addon board for his project. The dispenser is built from a scrap CD spindle attached to a servo. He can issue commands from his iPhone, which shows live video of the kennel. He’ll be building several other automation projects based on this system.

[via TUAW]