Presented at
DEF CON 30 (2022),
Aug. 13, 2022, 12:30 p.m.
(20 minutes).
Apple’s Lightning connector was introduced almost 10 years ago - and
under the hood it can be used for much more than just charging an
iPhone: Using a proprietary protocol it can also be configured to give
access to a serial-console and even expose the JTAG pins of the
application processor! So far these hidden debugging features have not
been very accessible, and could only be accessed using expensive and
difficult to acquire "Kanzi" and "Bonobo" cables. In this talk we
introduce the cheap and open-source "Tamarin Cable", bringing
Lightning exploration to the masses!
In this talk we are diving deep into the weeds of Apple Lightning:
What’s “Tristar”, “Hydra” and “HiFive”? What’s SDQ and IDBUS? And how
does it all fit together?
We show how you can analyze Lightning communications, what different
types of cables (such as DCSD, Kanzi & co) communicate with the
iPhone, and how everything works on the hardware level.
We then show how we developed the “Tamarin Cable”: An open-source,
super cheap (~$5 and a sacrificed cable) Lightning explorer that
supports sending custom IDBUS & SDQ commands, can access the iPhone’s
serial-console, and even provides a full JTAG/SWD probe able to debug
iPhones.
We also show how we fuzzed Lightning to uncover new commands, and
reverse engineer some Lightning details hidden in iOS itself.
Presenters:
-
Thomas Roth / stacksmashing
- Hacker
as stacksmashing
stacksmashing is a security researcher with a focus on embedded devices: From hacking payment terminals, crypto-wallets, secure processors or Apple AirTags, he loves to explore embedded & IoT security. On his YouTube channel he attempts to make reverse-engineering & hardware hacking more accessible. He is known for trying to hack everything for under $5, which is probably related to him living in the stingiest part of Germany.
Links:
Similar Presentations: