Apple is known for a lot of things, but opening up their platforms to the world isn’t one of those things. According to a recent Google post by [Brandon Azad], there do exist special iPhones made for development, with JTAG ports and other magic capabilities. The port is present in all iPhones (though unpopulated), but is locked down by default. We don’t know what it takes to get a magic iPhone, but we are guessing Google can’t send in the box tops from three MacBook Pros to get on the waiting list. But what is locked can be unlocked, and [Brandon] set out to build a debuggable iPhone.
Exploiting some debug registers, it is possible to halt and debug the A11 CPU at any point in its execution. [Brandon’s] tool single-steps the system reset and makes some modifications to the CPU state after key instructions to prevent the lockdown of kernel memory. After that, the world’s your oyster. KTRW is a tool built using this technique that can debug an iPhone over a standard cable.
The name is a play on KTRR, the Kernel Text Readonly Region. The work follows the example of some earlier exploits that did similar things. Those methods, though, didn’t have the flexibility that KTRW offers.
Honestly, we don’t really care about debugging the iPhone, but the cat-and-mouse story of how to work around all of Apple’s protections is a pretty good read. Of course, it really is cat and mouse: KTRW doesn’t work on A12 devices. Curiously, [Brandon] thinks other people already knew this or similar methods to compromise the phone, but didn’t publish them so as not to prompt Apple to close the door that lets them in.
Apple phones have a reputation as being safe, but they do get hacked. And if you want to just disable some of them, you only need a kid’s balloon.
If anybody else has a bit of deja vu, that’s because this was also mentioned on “This Week In Security”: https://hackaday.com/2019/11/01/this-week-in-security-project-zeros-iphone-bbc-the-onion-rooting-androids-and-more/
I have deja vu, but I didn’t read that… I feel like this was posted with the person doing it named instead of ‘Google’.
With the new Checkm8 exploit, all iPhones can be demoted, and debugged with a special JTAG adapter via the Lightning port.
Checkm8? Learn to play Chess with your wings chimp.
You have no value.
Not all iPhones, it doesn’t work on the new iPhone 11 (or the XS/XR/XS Max)
“We don’t know what it takes to get a magic iPhone, but we are guessing Google can’t send in the box tops to three Macbook Pros to get on the waiting list.”
You win, I spit up my coffee.
I don’t care about debuggable (is this a word?) iPhones. How about a smartphone infrastructure that does not send every bit of my life to analytics.google.com or Facebook or …?
This isn’t going to get any better until app developers stop too.