iPhone 5c NAND mirroring

jaclaz
(@jaclaz)
 

Article by Sergei Skorobogatov
https://arxiv.org/abs/1609.04327

This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c. Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection. Also some reliability issues related to the NAND memory allocation in iPhone 5c are revealed. Some future research directions are outlined in this paper and several possible countermeasures are suggested. We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised.


jaclaz

 
Posted : 16/09/2016 12:44 am
Igor_Michailov
(@igor_michailov)
 

Thanks

 
Posted : 16/09/2016 12:53 am
LANGWONDE
(@langwonde)
 

I have read the PDF, so long and so exciting :D, impossible
but why did the author Sergei Skorobogatov choose the iPhone 5c to test, not the iPhone 5s or 6?
Is a 64-bit CPU iPhone impossible to wire up or to mirror the NAND chip of?
Any idea? Thank you.

 
Posted : 20/09/2016 7:23 pm
jaclaz
(@jaclaz)
 

I have read the PDF, so long and so exciting :D, impossible
but why did the author Sergei Skorobogatov choose the iPhone 5c to test, not the iPhone 5s or 6?
Is a 64-bit CPU iPhone impossible to wire up or to mirror the NAND chip of?
Any idea? Thank you.

The 5c is the model made famous by the San Bernardino case and specifically said (by the FBI) to be impossible to unlock via NAND mirroring.
It uses an A6; later models use an A7 and have the "secure enclave", which may well prove to be actually impossible to unlock with NAND mirroring methods, unless much further understanding of the way the data is stored (and encoded and checksummed) is achieved.
As a matter of fact, the author was not able to get the experiment to work with a "full" NAND mirroring; he was able to identify a specific area of the NAND that could be mirrored and restored without issues.

jaclaz

 
Posted : 20/09/2016 7:54 pm
(@wotsits)
 

If my knowledge of iPhone forensics is clear, then performing this type of attack on a newer device with a secure enclave will be a completely different story and perhaps not even applicable.

This is a great but too late discovery - 6 months after the FBI paid 7 figures to another company, and 3 years after Apple started releasing intrinsically different models with a secure enclave.

 
Posted : 21/09/2016 2:28 am
(@randomaccess)
 

This is a great but too late discovery - 6 months after the FBI paid 7 figures to another company, and 3 years after Apple started releasing intrinsically different models with a secure enclave.

LE commonly sees old devices, so even research on old devices/OSs/software etc. is still quite useful.
Investigations can take several years, so imagine a suspect was picked up a couple of years ago and his 5c was locked; now, with some work (provided you have the understanding), you can get access to the data.

 
Posted : 22/09/2016 6:16 am
passcodeunlock
(@passcodeunlock)
 

I've read the article; technically it is possible to mirror some of the NAND content. Still, I have a question (also based on jaclaz's previous comment):

Is it possible to use this technology for creating a copy of non-"secure-enclave" iPhones and brute-force the passcode of it, or not?!

 
Posted : 22/09/2016 4:29 pm
jaclaz
(@jaclaz)
 

I've read the article; technically it is possible to mirror some of the NAND content. Still, I have a question (also based on jaclaz's previous comment):

Is it possible to use this technology for creating a copy of non-"secure-enclave" iPhones and brute-force the passcode of it, or not?!

Yes and no. 😯
You can make a copy, but you cannot use the copy other than as a "source" to restore the original.

Since the chip's (or controller's, or whatever's) wear leveling is bypassed when re-applying the "mirror copy" (actually, in the experiment, only the pages found to have been modified, as a full mirror takes 80 minutes or so), cracking a four-digit PIN by brute force is relatively safe, while attempting to crack a six-digit PIN by brute force, apart from the much longer times involved, may need so many writes to the same fixed address as to risk simply wearing down the involved memory cells.

From the article:

In the presented method the original chip is always restored to the initial passcode attempts counter state without applying wear levelling. As a result, its Flash memory gets worn out. Although NAND chips allow a few thousand rewrites, no one knows how many were used already. Hence, it could fail before the correct passcode is found. Given six attempts per each rewrite this method would require at most 1667 rewrites to find a 4-digit passcode. For a 6-digit passcode it would require over 160 thousand rewrites and will very likely damage the Flash memory storage.

From a forensics point of view modifying the original NAND storage will be undesirable because this could change some vital information in the device.

The real issue is the last sentence: since the author was not able to apply the "mirror copy" to a different chip, the only chip that you can use is the original one, and if you wear it down in the attempts, it is "game over".

In other words, the "mirror" copy is probably not "complete", or not (yet) a real "clone".

Or maybe the chip has some ID (or whatever) that makes it "unique", and until it is discovered how exactly the phone identifies/verifies it (and a way to modify such an ID is found, or a method to bypass the verification is devised), you are actually fiddling with something that is not replaceable.

When (if) a way is found to make the memory chip replaceable, it will be possible to keep the original chip untouched, and the six-digit PIN "too many writes" issue will become just a matter of cost: you procure enough such chips, and as soon as one is worn down you replace it and make it a "real clone".

jaclaz

 
Posted : 22/09/2016 9:48 pm
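The wear argument in the post above (and in the quoted passage of the paper) is easier to see with a toy model. The following is an added illustration for this thread, not code from Skorobogatov's paper or from any poster: the device keeps its retry counter in a small pool of physical pages and rotates through them (a stand-in for wear levelling), while the attacker snapshots the raw pages at counter zero, runs six attempts, and writes only the pages that changed back to their fixed physical addresses. The pool size, the 3000-cycle endurance, the salted-digest passcode check and the page layout are all constructed assumptions, not the real iPhone 5c NAND layout.

```python
"""Toy model of page-level NAND mirroring against a passcode retry counter.

Added illustration for this thread; not code from Skorobogatov's paper or
from any poster. The page pool, the round-robin counter placement that
stands in for the device's wear levelling, the 3000-cycle endurance and
the salted-digest passcode check are all constructed assumptions, not the
iPhone 5c's real NAND layout.
"""
import hashlib
import itertools

POOL_PAGES = 16            # physical pages the device rotates the counter through (assumed)
MAX_RETRIES = 10           # iOS "Erase Data" threshold
ATTEMPTS_PER_RESTORE = 6   # cadence the paper used to stay below the escalating delays
SALT = b"constructed-salt"
SECRET_PAGE = POOL_PAGES   # one extra page holds the passcode digest


class NandWornOut(Exception):
    pass


class DeviceWiped(Exception):
    pass


class Nand:
    """Raw NAND: a list of physical pages plus per-page program counts."""

    def __init__(self, endurance=3000):
        self.endurance = endurance
        self.pages = [b""] * (POOL_PAGES + 1)
        self.programs = [0] * (POOL_PAGES + 1)

    def program(self, idx, data):
        # Every write to a physical page costs one program cycle, whoever issues it.
        self.programs[idx] += 1
        if self.programs[idx] > self.endurance:
            raise NandWornOut(f"page {idx} exceeded {self.endurance} program cycles")
        self.pages[idx] = bytes(data)


def counter_state(nand):
    """Device-side read: the live counter is the pool page with the highest sequence number."""
    best = (-1, 0, 0)  # (sequence, failed attempts, page index)
    for i in range(POOL_PAGES):
        if nand.pages[i]:
            seq = int.from_bytes(nand.pages[i][:4], "big")
            best = max(best, (seq, nand.pages[i][4], i))
    return best


def write_counter(nand, failed):
    """Device-side write with naive wear levelling: next page in the ring, fresh sequence number."""
    seq, _, idx = counter_state(nand)
    nand.program((idx + 1) % POOL_PAGES, (seq + 1).to_bytes(4, "big") + bytes([failed]))


def provision(nand, passcode):
    nand.program(SECRET_PAGE, hashlib.sha256(SALT + passcode.encode()).digest())
    write_counter(nand, 0)


def try_passcode(nand, candidate):
    """What the locked device does on a passcode entry."""
    _, failed, _ = counter_state(nand)
    if failed >= MAX_RETRIES:
        raise DeviceWiped("retry limit reached; the real device would erase its keys here")
    if hashlib.sha256(SALT + candidate.encode()).digest() == nand.pages[SECRET_PAGE]:
        return True
    write_counter(nand, failed + 1)
    return False


def mirror_attack(nand, digits):
    """Attacker side: snapshot every page at counter 0, brute-force, restore only pages that changed."""
    snapshot = list(nand.pages)
    stats = {"attempts": 0, "restores": 0, "pages_rewritten": 0}
    for n, tup in enumerate(itertools.product("0123456789", repeat=digits)):
        if n and n % ATTEMPTS_PER_RESTORE == 0:
            stats["restores"] += 1
            for i, page in enumerate(snapshot):
                if nand.pages[i] != page:
                    nand.program(i, page)  # back to a fixed physical address: no wear levelling
                    stats["pages_rewritten"] += 1
        stats["attempts"] += 1
        if try_passcode(nand, "".join(tup)):
            return "".join(tup), stats
    return None, stats


def rewrites_needed(digits, per_restore=ATTEMPTS_PER_RESTORE):
    """Worst-case restore count for a passcode space; reproduces the paper's 1667 for 4 digits."""
    return -(-(10 ** digits) // per_restore)


if __name__ == "__main__":
    nand = Nand()
    provision(nand, "7391")
    print(mirror_attack(nand, 4), "max page cycles:", max(nand.programs))
    print("worst case restores, 4 vs 6 digits:", rewrites_needed(4), rewrites_needed(6))
```

Two things the model makes visible. First, because the device rebuilds its allocator state from the NAND contents, every restore puts it back to exactly the same place in the ring, so the same six physical pages are written by the device and then rewritten by the attacker on every cycle: the wear levelling never spreads the load, and the restore count (1667 worst case for four digits, 166,667 for six) is the real wear budget, just as the paper says. Second, with the assumed 3000-cycle endurance, a four-digit passcode late in the search space ("9999") already pushes one page past its budget and the model raises NandWornOut before the passcode is found, which is the "no one knows how many were used already" risk in practice.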
passcodeunlock
(@passcodeunlock)
 

Thanks for the really impressive explanation!

 
Posted : 22/09/2016 11:52 pm
(@arcaine2)
 

The real issue is the last sentence: since the author was not able to apply the "mirror copy" to a different chip, the only chip that you can use is the original one, and if you wear it down in the attempts, it is "game over".

In other words, the "mirror" copy is probably not "complete", or not (yet) a real "clone".

Or maybe the chip has some ID (or whatever) that makes it "unique", and until it is discovered how exactly the phone identifies/verifies it (and a way to modify such an ID is found, or a method to bypass the verification is devised), you are actually fiddling with something that is not replaceable.

When (if) a way is found to make the memory chip replaceable, it will be possible to keep the original chip untouched, and the six-digit PIN "too many writes" issue will become just a matter of cost: you procure enough such chips, and as soon as one is worn down you replace it and make it a "real clone".

It is possible to swap the chip with a different one for repairs or to upgrade storage to a bigger one. The process essentially involves cloning the data from the old chip into the new one. The device will work; all functions, including Touch ID, work as well, as far as I know. It's being done in China with their own hardware, and recently IPBox 2 allows you to do the same, just cheaper. No idea if it can be used for locked phones to crack passwords, as for such repairs or upgrades you simply don't care about user data. It might in fact be tied to the chip ID (not sure if IPBox can change it) or something else, but it may be worth exploring.

 
Posted : 23/09/2016 12:20 am