The hitchhacker’s guide to iPhone Lightning & JTAG hacking

Presented at DEF CON 30 (2022), Aug. 13, 2022, 12:30 p.m. (20 minutes)

Apple’s Lightning connector was introduced almost 10 years ago - and under the hood it can be used for much more than just charging an iPhone: Using a proprietary protocol it can also be configured to give access to a serial-console and even expose the JTAG pins of the application processor! So far these hidden debugging features have not been very accessible, and could only be accessed using expensive and difficult to acquire "Kanzi" and "Bonobo" cables. In this talk we introduce the cheap and open-source "Tamarin Cable", bringing Lightning exploration to the masses! In this talk we are diving deep into the weeds of Apple Lightning: What’s “Tristar”, “Hydra” and “HiFive”? What’s SDQ and IDBUS? And how does it all fit together? We show how you can analyze Lightning communications, what different types of cables (such as DCSD, Kanzi & co) communicate with the iPhone, and how everything works on the hardware level. We then show how we developed the “Tamarin Cable”: An open-source, super cheap (~$5 and a sacrificed cable) Lightning explorer that supports sending custom IDBUS & SDQ commands, can access the iPhone’s serial-console, and even provides a full JTAG/SWD probe able to debug iPhones. We also show how we fuzzed Lightning to uncover new commands, and reverse engineer some Lightning details hidden in iOS itself.

Presenters:

  • Thomas Roth / stacksmashing - Hacker   as stacksmashing
    stacksmashing is a security researcher with a focus on embedded devices: From hacking payment terminals, crypto-wallets, secure processors or Apple AirTags, he loves to explore embedded & IoT security. On his YouTube channel he attempts to make reverse-engineering & hardware hacking more accessible. He is known for trying to hack everything for under $5, which is probably related to him living in the stingiest part of Germany.

Links:

Similar Presentations: