Why on earth would you have a heap in a zero-stage-burned-into-chip bootloader, not to mention a USB stack. It's just self-inflicted harm at this point.
Also DFU is not the world's best protocol, I am surprised Apple didn't just roll their own. It isn't exactly hard to replace DFU with something simpler that gets the job done.
I'm sure the choice was made by a small team back when iPhone was still a carefully guarded secret inside the company, and it's stuck around since then.
> Either all the senior engineers and PhDs working for Apple are idiots, or it’s harder than you think.
I was part of a team that rolled our own firmware update mechanism at Microsoft . (I didn't work on the replacement myself, the engineer sitting next to me did.)
And deeply embedded USB stacks w/o a heap aren't exactly uncommon, considering malloc is forbidden in a large % of firmware.
It's entirely possible that it was a "good enough for now" decision, and that the next bootrom will include additional hardening based on this attack.
As has been well documented, while Apple the organization may have practically unlimited resources, specific teams within Apple do not, so a lot of stuff is sort of "if it ain't broke" mode until the CADT model kicks in and they do a total rewrite and close all the old bugs.
One slide says for some roms:
No crash is triggered whatsoever as the ROM is deterministic enough that the buffer is reallocated in the same place every time upon USB stack initialization.
We aren't looking at the code, but "deterministic reallocation" or just static storage class? Seems like dynamic memory allocation was introduced recently into this rom. And why is a good question.
Wow, it's really cool to read how things like this happen.
While we're here, is there anything I can use to remove the alphanumeric passcode from an iPad 4 (A6X chipset, no Secure Enclave) that I've forgotten the password to?
For a 4 digit unlock code, the device would enter them sequentially starting from 0000 and ending at 9999 [1]. Because there is a delay of 6 seconds between each attempt (on iOS 7.xx) it would take just over 16 and a half hours to try all codes.
Right now with these tools you are just playing passcode roulette to recover your device if you forgot the code and you enabled factory wipe after N tries.
Out of these retries, at least 1/N correct passcode attempts are needed, so such tools are close to useless if your care about retrieving your data with factory wipe enabled.
It was weird to see people from the jailbreak scene (easily recognisable because they all have names l1ke th1s) in such an exploit... turns out SecureROM is also something from iPhone
lol The title is technically against HN guidelines (clickbait), but since it's so blatantly obvious that it's tongue-in-cheek/sarcastic, it's probably fine.
22 comments
[ 4.8 ms ] story [ 70.9 ms ] threadIs that the same Cellebrite?
Also DFU is not the world's best protocol, I am surprised Apple didn't just roll their own. It isn't exactly hard to replace DFU with something simpler that gets the job done.
This same heuristic can be applied all across the HN front page with good results.
Nothing to do with idiot engineers or the task being hard. They could be idiots _and_ the task easy. Some things just don't need to be done.
I was part of a team that rolled our own firmware update mechanism at Microsoft . (I didn't work on the replacement myself, the engineer sitting next to me did.)
And deeply embedded USB stacks w/o a heap aren't exactly uncommon, considering malloc is forbidden in a large % of firmware.
As has been well documented, while Apple the organization may have practically unlimited resources, specific teams within Apple do not, so a lot of stuff is sort of "if it ain't broke" mode until the CADT model kicks in and they do a total rewrite and close all the old bugs.
One slide says for some roms: No crash is triggered whatsoever as the ROM is deterministic enough that the buffer is reallocated in the same place every time upon USB stack initialization.
We aren't looking at the code, but "deterministic reallocation" or just static storage class? Seems like dynamic memory allocation was introduced recently into this rom. And why is a good question.
While we're here, is there anything I can use to remove the alphanumeric passcode from an iPad 4 (A6X chipset, no Secure Enclave) that I've forgotten the password to?
[1] https://www.fonefunshop.com/ip-box-iphone-password-unlock-to...
Out of these retries, at least 1/N correct passcode attempts are needed, so such tools are close to useless if your care about retrieving your data with factory wipe enabled.
I came to this post anticipating a nostalgic trip about some ancient DRM and a stupidly simple way to break it.
Got confused when it was about Apple phone OS.
It was weird to see people from the jailbreak scene (easily recognisable because they all have names l1ke th1s) in such an exploit... turns out SecureROM is also something from iPhone