1. InfoconDB
  2. DEF CON
  3. DEF CON 32 (2024)
  4. ACE up the Sleeve: From getting JTAG on the iPhone 15 to hacking into Apple's new USB-C Controller

ACE up the Sleeve: From getting JTAG on the iPhone 15 to hacking into Apple's new USB-C Controller

Presented at DEF CON 32 (2024), Aug. 10, 2024, 2:30 p.m. (45 minutes).

With the iPhone 15 & iPhone 15 Pro Apple switched their iPhone to USB-C - and introduced a new proprietary USB-C controller: The ACE3. But the ACE3 does more than just handle USB power delivery: It's a full microcontroller running a full USB stack connected to some of the internal busses of the device, and we even managed to access JTAG on the iPhone 15 through it. It also provides access to UART, the internal SPMI bus, etc. Previous variants of the ACE, namely the ACE2 found in MacBooks, could easily be dumped and analyzed using SWD - and even be persistently backdoored through a software vulnerability we found. On the ACE3 however, Apple upped their game: Firmware updates are personalized, debug interfaces seem to be disabled, and the external flash is validated and does not contain all the firmware. However using a combination of reverse-engineering, RF side-channel analysis and electro-magnetic fault-injection it was possible to gain code-execution on the ACE3 - allowing dumping of the ROM, and analysis of the functionality. This talk will show how to use a combination of hardware, firmware, reverse-engineering, side-channel analysis and fault-injection to gain code-execution on a completely custom chip, enabling further security research on an under-explored but security relevant part of Apple devices. - AsahiLinux USB-PD Documentaiton - [link](https://github.com/AsahiLinux/docs/wiki/HW%3AUSB-PD) - AsahiLinux macvdmtool - [link](https://github.com/AsahiLinux/macvdmtool) - ACE Controller Secrets (for ACE/ACE2) - [link](https://blog.rickmark.me/ace-controller-secrets/) - Marc Zyngier's Central Scrutinizer - [link](https://kernel.googlesource.com/pub/scm/linux/kernel/git/maz/cs-hw/)

Presenters:

  • Thomas Roth / stacksmashing as Thomas "stacksmashing" Roth
    Thomas Roth aka stacksmashing is a security researcher mostly focused on hardware and firmware. His work includes hardware attacks on processors, microcontrollers and cryptocurrency wallets, building cheap JTAG tooling for the iPhone, and attacking a wide variety of embedded devices. He also runs a YouTube channel called stacksmashing about security, reverse engineering and hardware hacking.

Similar Presentations: