Posts

Always-on Processor magic: How Find My works while iPhone is powered off

Update: We wrote a paper with even more technical details :)

iOS 15.0 introduces a new feature: an iPhone can be located with Find My even while the iPhone is turned "off". How does it work? Is it a security concern?

I saw this feature rather early on one of my iPhones with an iOS 15 beta. Here's a screenshot I took in July. The user interface changed a little bit since then. It took a bit longer until the public realized this feature exists. One needs to update to iOS 15.0, use an iPhone that has location services enabled and a logged-in user account, participate in the Find My network, etc. And the weirdest thing, which nobody does these days: one has to turn the iPhone off. But once Twitter found out, this took off, and so did the rumors about how it was implemented.

Apple's Always-on Processor (AOP)

There is only little public documentation about the AOP. All chips and various embedded devices Apple manufactures run a real-time operating system called RTKitOS. The AOP on

Hunting Ghosts in Bluetooth Firmware: BrakTooth Meets Frankenstein

There's a new Bluetooth vulnerability collection called BrakTooth. PoCs are under NDA until the end of October. Are these bugs real? Do they affect more than the Cypress dev kit, for example, iPhones and MacBooks? Jan, who developed the Frankenstein emulator for Cypress chips and discovered the BlueFrag vulnerability within Android, joined my efforts in reproducing these bugs. All tooling we used is already public, as are the BrakTooth vulnerability descriptions. We will not publish our own BrakTooth PoCs until the BrakTooth NDA ends, to protect end users.

Link Management Protocol

If you're reading this and already have a background in Bluetooth, continue reading in the next section. Everyone else still needs to get familiar with an over 3k-page-long nightmare called the "Bluetooth Specification". All page numbers refer to version 5.2, even though version 5.3 was released recently. As of now, there's no 5.3 chip available. The Link Management Protocol (LMP) negoti

Bluetooth → Wi-Fi Code Execution & Wi-Fi Debugging

If you ever looked into one of Broadcom's combo chip datasheets, you might have noticed a feature called "WLAN RAM Sharing". In the following, I will explain how to use it to get controlled code execution on Wi-Fi via Bluetooth, which can be helpful in a couple of scenarios:

- Hack around in Wi-Fi firmware during runtime without disabling SELinux on Android (Nexmon requires kernel patching with disabled SELinux).
- Indirect Wi-Fi firmware hacking support on platforms that are not supported by Nexmon (iOS, macOS, etc.).
- Reaching states in the Wi-Fi driver one could not reach over-the-air (💥💥💥).

WLAN RAM Sharing?!

Francesco and I looked into so-called coexistence features. If you want more details on this, watch our DEF CON or Black Hat talk from last year :) In short, despite running on different ARM cores, Broadcom and Cypress BT/Wi-Fi have coexistence features, which include a unidirectional RAM sharing feature. This feature is shown in some leaked datasheets in the