Max Bazaliy

iOS dual booting demystified

Abstract

In this talk I will cover the iOS boot process in detail and demo a dual boot implementation on modern iPhone hardware. I will show the low-level details of the firmware modifications that are required to boot a second system. A dual boot of jailbroken iOS 12.1 will be shown in a demo.

In this talk, we will investigate and present ways to boot a custom firmware image on an iOS device. To show this, we will detail how the secure iOS boot process functions, including many of the details of how low-level component verification works as well as how processes are loaded and run at boot time. It is known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?

We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device's system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.
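The chain-of-trust idea described above, where each stage is checked before it is allowed to run and then vouches for the next stage, can be made concrete with a small simulation. This is an added example, not code from the talk or from Apple's boot chain: real iOS stages are verified by signatures over Image4 containers, whereas this toy model pins the SHA-256 digest of the next stage inside each stage and starts from a root digest that stands in for the immutable hardware root of trust. The stage names and image contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    """One boot stage: its image plus the digest it pins for the stage after it."""
    name: str
    image: bytes
    expected_next_digest: Optional[bytes]  # None for the last stage in the chain


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(images: List[Tuple[str, bytes]]) -> List[Stage]:
    """Build stages root-first so that every stage embeds the digest of its successor.

    Walking the list backwards lets each stage pin the digest of the stage
    that was just created after it (i.e. the one that boots next).
    """
    stages: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, image in reversed(images):
        stages.append(Stage(name, image, next_digest))
        next_digest = digest(image)
    stages.reverse()
    return stages


def verify_boot(stages: List[Stage], root_digest: bytes) -> Tuple[List[str], Optional[str]]:
    """Simulate boot: run a stage only if its digest matches what the previous stage pinned.

    Returns (names of stages that were allowed to run, name of the first stage
    that failed verification or None if the whole chain verified).
    """
    booted: List[str] = []
    expected: Optional[bytes] = root_digest
    for stage in stages:
        if expected is None or digest(stage.image) != expected:
            # Verification failure halts the boot; nothing after this point runs.
            return booted, stage.name
        booted.append(stage.name)
        expected = stage.expected_next_digest
    return booted, None


# Constructed sample chain (not real firmware); order mirrors the stages named in the talk.
SAMPLE_IMAGES = [
    ("SecureROM", b"constructed-rom-image"),
    ("iBoot", b"constructed-iboot-image"),
    ("kernelcache", b"constructed-xnu-kernelcache"),
    ("SEP firmware", b"constructed-sep-firmware"),
]
ROOT_DIGEST = digest(SAMPLE_IMAGES[0][1])  # stands in for the hardware-anchored root of trust


def demo_intact() -> Tuple[List[str], Optional[str]]:
    return verify_boot(build_chain(SAMPLE_IMAGES), ROOT_DIGEST)


def demo_tampered() -> Tuple[List[str], Optional[str]]:
    """Modify the kernelcache image after the chain was built; iBoot's pinned digest no longer matches."""
    chain = build_chain(SAMPLE_IMAGES)
    tampered = list(chain)
    tampered[2] = Stage("kernelcache", b"constructed-xnu-kernelcache-modified", chain[2].expected_next_digest)
    return verify_boot(tampered, ROOT_DIGEST)


if __name__ == "__main__":
    print("intact chain:", demo_intact())
    print("tampered kernelcache:", demo_tampered())
```

The point the simulation makes is that a modified later stage is rejected by the earlier stage that pins it, so booting a second system requires changing what the verifying stage accepts, not just swapping the later image.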

Building on this detailed understanding of how the iOS boot process functions, we will then discuss ways in which researchers can apply these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image, side by side with the device's original iOS firmware image.

BIO

Max is an offensive security researcher with more than ten years of experience in areas such as reverse engineering, software security, vulnerability research and software exploitation. He currently focuses on boot chain attacks, iOS exploitation, and reverse engineering. Max was a lead security researcher in the Pegasus iOS malware investigation. In the past few years, Max has spoken at various security conferences, including Black Hat, CCC, DEF CON, Ruxcon, RSA, and BSides. Max holds a Master's degree in Computer Science and is currently a Ph.D. student at the National Technical University of Ukraine "Kyiv Polytechnic Institute", where he is working on a dissertation in the area of code obfuscation and privacy.