Thomas Roth (stacksmashing)

Inside Apple’s Lightning: JTAGging the iPhone for Fuzzing and Profit

Abstract

If you've been around the iPhone hacking scene you probably heard about the mysterious cables named after different monkeys: Kanzi Cable, Kong Cable, Bonobo Cable - all these cables allow you to get JTAG debugging capabilities on the iPhone, however they are also very difficult to get on the regular market. Last year we released the first open-source iPhone JTAG cable: The Tamarin Cable, a firmware for the Raspberry Pi Pico that allows building a $10 iPhone JTAG adapter.

Since then, we've worked on utilizing Tamarin and Lightning to automate certain tasks for low-level fuzzing of the iPhone.

In this talk we will:

  • Dive into the hardware (Tristar) and protocol (SDQ/IDBUS) details of Lightning
  • Show how we implemented our own SDQ/IDBUS adapter
  • Demonstrate our Lightning-Fuzzer: A fuzzer to find new Lightning commands
  • Dive into implementing SWD for the iPhone and how to use it with checkm8ble devices

After this, we will look at using Lightning to implement a low-level fuzzer for the iPhone:
Thanks to some undocumented Lightning commands, we can use Lightning to quickly (and automatically) reset the iPhone and get it into DFU mode. This allowed us to build low-level fuzzers for parts of the iPhone that so far were very difficult to test.

Our fuzzers (and fuzzing results) will be made public with this presentation.

BIO

Thomas Roth, also known as @ghidraninja, is a security researcher with a focus on embedded systems. His published work includes research on vulnerabilities in microcontrollers, hardware wallets, industrial systems, TrustZone and mobile devices. He is also well known for publishing educational material on his YouTube channel “stacksmashing”, and has released many open-source hardware security tools, such as the chip.fail glitcher and the Tamarin Cable.