Ever so slowly, the main storage in our computers has been moving from spinning disks, to SSDs over SATA, to Flash drives connected to a PCI something or other. The latest technology is NVMe — Non-Volatile Memory Express — a horribly named technology that puts a memory controller right on the chip. Intel has a PCI-based NVMe drive out, Samsung recently released an M.2 NVMe drive, and the iPhone 6S and 6S Plus are built around this storage technology.
New chips demand a reverse engineering session, and that’s exactly what [Ramtin Amin] did (Internet Archive). He took a few of these chips out of an iPhone, created a board that will read them, and managed to analyze the firmware.
Any reverse engineering will begin with desoldering the chip. This is easy enough, with the real trick being getting it working again outside whatever system it was removed from. For this, [Ramtin] built his own PCIe card with a ZIF socket. This socket was custom-made, but the good news is you can buy one from ITEAD. Yes, it is expensive — that’s what you get with a custom-made ZIF socket.
With the chip extracted, a custom PCIe card, and a bit of work with the NVMe implementation for Linux, [Ramtin] had just about everything working. Eventually, he was able to dump the entire file system on the chip, allowing anyone to theoretically back up the data on their iPhone or MacBook Air. Of course, and especially for the iPhone, this data is encrypted. It’s not possible to clone an iPhone using this method, but it is a remarkably deep dive into the hardware that makes our storage tick.
“Analize” – word of the day/year :)
Freudian slip, clearly shows exactly what Brian Benchoff has been thinking of lately!
Since the proper spelling is “Analyze” it doesn’t change anything as far as Freudian slips go.
“within English, -ize, is added to adjectives and nouns to form transitive verbs with the general senses ‘to render, make’ (actualize; fossilize;…”
Trying to actuality the anal.
Actualize* stupid auto-correct.
“Volitile” as well – must be the influence of the “iDevices”.
Hahaha! +1
Best joke I’ve seen this week.
Me wants a t-shirt with that.
No really Benchoff surely test outsourcing overseas this article writing
It works either way on a hacking forum.
“NVMe — Non-Volitile Memory Express”
I’m honestly surprised that Apple didn’t go with iMEMORY.
It’s not an Apple technology, it’s from the NVMe workgroup and had someone from Intel chairing it. First release was 2011. Read all about it on Wikipedia.
This article makes it sound like it’s brand new technology which it isn’t but it’s mostly been in use in high end PCs and servers so maybe not everyone’s heard of it.
When has that ever stopped Apple from re-branding something?
It’s actually been in use for far more than that. Pretty much any x86 tablet has been using that for a while, as well as a lot of small computers. M.2 is a rather common form factor for a while.
M.2 and NVMe are not the same.
“iNVMe”
iMEMBER drives store your data in clusters. Yeaaa, I member!
Spicy meme, bro.
Nice to see some people really trying out interfacing these new memories.
Some months ago, I got a Galaxy S6 for Data resurrection.
As it was basically bricked I already started to collect all information I could get about the UFS 2.0 bus architecture.
Hopefully next project to see here is a UFS 2.0 breakout board :)
If you think you might be able to amortize across a couple of devices you might want to check out http://www.dediprog.com/pd/ufs-emmc-solution/nuprog-e
Can someone tell more about where to buy custom ZIF sockets?
Would it be possible to ‘recycle’ broken 6S and 6S Plus phones into DIY PCIe storage cards with something like this (minus the expensive custom socket)?
my thought exactly!
what confuses me in this writeup is mention of 25 MHz PCIe clock. PCs run at 100 MHz and afaik you can’t change it, so how did he make it work?
usually you just div 4 the 100 MHz signal
wait, does that mean those Apple chips run with x100 PLL multiplier? that would make sense
Probably not. Apple is viciously against any sort of extended use or reuse of any of their devices. They want you to buy something, use it for 2 years tops, TOPS, and then have no other choice but to buy whatever new garbage they’re slinging. They don’t even want you to reuse complimentary headphones or chargers. Apple executives have a pretty substantial appetite for high class hookers and cocaine, they would spit on an AIDS baby’s face if they caught one trying to teethe on an old iphone 4. They think you and the rest of their customers are stupid, and will throw money every time they whip out their dicks and helicopter it on a stage. And they aren’t entirely wrong.
OK, Apple might be against it, but go to Shenzhen and see what they’ll do with an iAnything (or samsung, or …yeah) in the markets there. Milling chips off boards to upgrade them, board-level rework while you wait, books with the schematics and PCB layouts in… seriously extreme recycling.
Broken phones are likely to be more valuable for parts or refurb/repair. It could be a fun hack, but not much more than that.
are the NVMe chips soldered or removable?
soldered
there goes my buying an iphone 6s 32 gig model and buying an iphone 128gb card on ebay and swapping to stick it to the old man.
Some shops do just this – replace the iPhone NVMe chips for bigger ones!
seven-figure security bounties have anything to do with such extent of work?
“Eventually, he was able to dump the entire file system on the chip, allowing anyone to theoretically back up the data on their iPhone or MacBook Air.” Unfortunately, for “anyone” doing so would require first de-soldering the chip off their device. Sure wish we had a backup for that!
By anyone I think he meant anyone with a good enough reason to go through the trouble, ie government agencies and other state actors. Me and you? Nope, not likely.
since the chip is soldered can the chip be removed and put into something so it can be used on pc and then wipe the chip and install it back in the phone to get rid of the user locks on the phone such as the icloud lock?
Me too
site’s been down for a while! me and my friend were looking for info on this, and friend’s found these archive.org links:
https://web.archive.org/web/20200217151015/http://ramtin-amin.fr/nvmepcie.html
https://web.archive.org/web/20200217151824/http://ramtin-amin.fr/nvmedma.html