iOS Dual Booting Demystified

Presented at Black Hat Asia 2019, March 28, 2019, 2:15 p.m. (60 minutes).

In this talk, we will investigate and present the ways in which a custom firmware image can be booted on an iOS device. To do so, we will detail how the secure iOS boot process functions, including how low-level component verification works and how processes are loaded and run at boot time. It is well known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?

We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device's system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.

Building on this detailed explanation of how the iOS boot process functions, we will then discuss how researchers can apply these findings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image, side by side with the device's original iOS firmware image.


Presenters:

  • Max Bazaliy - Offensive Security Architect, NVIDIA
    Max works in offensive security at NVIDIA. He has more than a dozen years of experience in areas such as reverse engineering, software security, vulnerability research and exploitation. Before joining NVIDIA, Max served as a Staff Security Researcher at Lookout (formerly Bluebox Security), where he led vulnerability research on mobile operating systems. Max's best-known publications are the Apple Watch jailbreak, Apple boot chain internals and the Pegasus exploits paper. In the past few years, Max has been a frequent speaker at security conferences such as Black Hat, Chaos Communication Congress, DEF CON, Ruxcon, beVXCon and BSides. Currently, he is working on a Ph.D. dissertation in the field of information security.
