IPhone: 2.0 Firmware Jailbroken, 3G Taken Apart


Oh, iPhone Dev Team, you are a hoot. It isn’t that you managed to jailbreak the iPhone 2.0 firmware on the day of its release, although we can’t help but smirk at that. It isn’t even that you revealed your handiwork in a playful way. We simply love that you expertly work us into a frenzy for the new jailbreak installer with a few casual images and some aloof words. Now give us the installer before we get too antsy, please.

Not to be outshined, though, iFixit has posted a full iPhone 3G teardown, stripping away the sleek casing to feast on the goodness inside. They found some interesting changes from the last model: the glass screen, for example, is no longer glued to the LCD, which will no doubt make repairs less expensive. The battery is also unsoldered, meaning you won’t have to send the phone in for repair if only the battery needs maintenance.

“Reversing Shorts” Demystify Phone Security

Ever wonder what makes a cellphone’s operating system secure, or what that app you just installed is saying about you behind your back? In a brand new video series, [Jiska] gives us a peek into different topics in smartphone software reverse engineering.

For instance, her latest video, embedded below, takes us through some steps to poke at Apple’s RTKit OS, which is the realtime OS that runs inside most of their peripheral devices, including AirPods, and on their bigger devices too. We don’t know much about RTKit OS, but [Jiska]’s trick in this video is to get a foothold by looking through two different RTKit OS versions and noting which symbols are common; these are probably OS function names. Now you’ve got something to look for.

Each of the videos is short, to the point, and contains nice tips for perhaps the intermediate-to-advanced reverser who is looking to get into phones. Heck, even if you’re not, her demonstrations of the Frida dynamic tracing tool are worth your time.

And if you want a longer introduction into the internals of cellphones, we heartily recommend her talk, “All Wireless Stacks Are Broken“.


How A Smartphone Is Made, In Eight “Easy” Blocks

The smartphone represents one of the most significant shifts in our world. In less than thirteen years, we went from some people owning a dumb phone to the majority of the planet having a smartphone (~83.7% as of 2022, according to Statista). There are very few things that a larger percentage of people on this planet have. Not clean water, not housing, not even food.

How does a smartphone work? Most people have no idea; they are insanely complicated devices. However, you can break them down into eight submodules, each of which is merely complex. What makes them work is that each of these components can be made small, at massive economies of scale, and are tightly integrated, allowing easy assembly.

So without further ado, the fundamental eight building blocks of the modern cellphone are: the application processor, the baseband processor, a SIM card, the RF processor, sensors, a display, cameras & lenses, and power management. Let’s have a look at them all, and how they fit together.


Arduino Cable Tracer Helps Diagnose Broken USB Cables

We’ve all found ourselves swimming amongst too many similar-looking USB cables over the years. Some have all the conductors and functionality, some are weird power-only oddballs, and some charge our phones quickly while others don’t. It’s a huge headache and one that [TechKiwiGadgets] hopes to solve with the Arduino Cable Tracer.

The tracer works with USB-A, Mini-USB, Micro-USB, and USB-C cables to determine whether connections are broken or not and also to identify wiring configurations. It’s built around the Arduino Mega 2560, which is ideal for providing a huge amount of GPIO pins that are perfect for such a purpose. Probing results are displayed upon the 2.8″ TFT LCD display that makes it easy to figure out which cables do what.

It’s a tidy build, and one that we could imagine would be very useful for getting a quick go/no-go status on any cables dug out of a junk box somewhere. Just remember to WIDLARIZE any bad cables you find so they never trouble you again. Video after the break.


AUTOVON: A Phone System Fit For The Military

It’s a common enough Hollywood trope that we’ve all probably seen it: the general, chest bespangled with medals and ribbons, gazes at a big screen swarming with the phosphor traces of incoming ICBMs, defeatedly picks up the phone and somberly intones, “Get me the president.” We’re left on the edge of our seats as we ponder what it must be like to have to deliver the bad news to the boss, knowing full well that his response will literally light the world on fire.

Scenes like that work because we suspect that real-life versions of it probably played out dozens of times during the Cold War, and likely once or twice since its official conclusion. Such scenes also play into our suspicion that military and political leaders have at their disposal technologies that are vastly superior to what’s available to consumers, chief among them being special communications networks that provide capabilities we could only have dreamed of back then.

As it turns out, the US military did indeed have different and better telephone capabilities during the Cold War than those enjoyed by their civilian counterparts. But as we shall see, the increased capabilities of the network that came to be known as AUTOVON didn’t come so much from better technology, but more from duplicating the existing public switched-telephone network and using good engineering principles, a lot of concrete, and a dash of paranoia to protect it.


Separation Between WiFi And Bluetooth Broken By The Spectra Co-Existence Attack

This year, at DEF CON 28 Safe Mode, security researchers [Jiska Classen] and [Francesco Gringoli] gave a talk about inter-chip privilege escalation using wireless coexistence mechanisms. The title is catchy, sure, but what exactly is this about?

To understand this security flaw, or group of security flaws, we first need to know what wireless coexistence mechanisms are. Modern devices can support cellular and non-cellular wireless communications standards at the same time (LTE, WiFi, Bluetooth). Given the desired miniaturization of our devices, the different subsystems that support these communication technologies must reside in very close physical proximity within the device (in-device coexistence). The resulting high level of reciprocal leakage can at times cause considerable interference.

There are several scenarios where interference can occur; the main ones are:

  • Two radio systems occupy neighboring frequencies and carrier leakage occurs
  • The harmonics of one transmitter fall on frequencies used by another system
  • Two radio systems share the same frequencies

To tackle these kinds of problems, manufacturers had to implement strategies so that a device’s wireless chips can coexist (sometimes even sharing the same antenna) while reducing interference to a minimum. These strategies are called coexistence mechanisms; they enable high-performance communication on intersecting frequency bands and are therefore essential to any modern mobile device. Although open solutions exist, such as the Mobile Wireless Standards, manufacturers usually implement proprietary solutions.

Spectra

Spectra is a new attack class demonstrated in this DEF CON talk, which is focused on Broadcom and Cypress WiFi/Bluetooth combo chips. On a combo chip, WiFi and Bluetooth run on separate processing cores and coexistence information is directly exchanged between cores using the Serial Enhanced Coexistence Interface (SECI) and does not go through the underlying operating system.

Spectra-class attacks exploit flaws in the interfaces between wireless cores, through which one core can achieve denial of service (DoS), information disclosure, and even code execution on another core. The reasoning here is, from an attacker’s perspective, to leverage a Bluetooth subsystem remote code execution (RCE) to perform WiFi RCE and maybe even LTE RCE. Keep in mind that this remote code execution happens inside these CPU core subsystems, and so can be completely invisible to the main device CPU and OS.

Join me below where the talk is embedded and where I will also dig into the denial of service, information disclosure, and code execution topics of the Spectra attack.


DIY Dongle Breathes Life Into Broken Ventilators

We have a new hero in the COVID-19 saga, and it’s some hacker in Poland. Whoever this person is, they are making bootleg dongles that let ventilator refurbishers circumvent lockdown software so they can repair broken ventilators bought from the secondhand market.

The dongle is a DIY copy of one that Medtronic makes, which of course they don’t sell to anyone. It makes a three-way connection between the patient’s monitor, a breath delivery system, and a computer, and lets technicians sync software between two broken machines so they can be Frankensteined into a single working ventilator. The company open-sourced an older model at the end of March, but this was widely viewed as a PR stunt.

This is not just the latest chapter in the right-to-repair saga. What began with locked-down tractors and phones has taken a serious turn as hospitals are filled to capacity with COVID-19 patients, many of whom will die without access to a ventilator. Not only is there a shortage of ventilators, but many of the companies that make them are refusing outside repair techs’ access to manuals and parts.

These companies insist that their own in-house technicians be the only ones who touch the machines, and many are not afraid to admit that they consider the ventilators to be their property long after the sale has been made. The ridiculousness of that aside, they don’t have the manpower to fix all the broken ventilators, and the people don’t have the time to wait on them.

We wish we could share the dongle schematic with our readers, but alas we do not have it. Hopefully it will show up on iFixit soon alongside all the ventilator manuals and schematics that have been compiled and centralized since the pandemic took off. In the meantime, you can take Ventilators 101 from our own [Bob Baddeley], and then find out what kind of engineering goes into them.