Giving Mobile Security the Boot

Recommendations

Info

The iOS Boot Sequence iOS Boot: KernelCache • /System/Library/Caches/com.apple.kernelcaches/ • Prelinks all kernel extensions ( 内核 , 包括所有的扩展 ) • Kernel extension loading otherwise disabled • Benefits: – Speed (prelinking) – Security (kernel + kexts authenticated, no other kexts allowed) BootROM LLB iBoot Kernel (C) 2016 Jonathan Levin & Technologeeks.com - Share freely, but please cite source!
Validating components: SHSH • User updates/restores device • iBoot gets image (IPSW), parses it, generates request Key ApBoardID ApChipID ApECID ApProductionMode ApSecurityDomain UDID HostPlatformInfo Locality VersionInfo Value From IPSW From Device Exclusive Chip ID true (unfortunately) From IPSW Unique Device Identifier iTunes host OS identifier en_US, zh_CN, etc.. libauthinstall-a.b.c.d.e • iTunes POSTs to http://www.gs.apple.com • Apple signs with their private key. • iBoot stores in NAND firmware partition SCAB container https://www.theiphonewiki.com/wiki/SHSH_Protocol
Page 1 and 2: Giving Mobile Security the Boot Jon
Page 3 and 4: morpheus@Zepyhr$ whoami ( 一点
Page 5 and 6: Boot Chains of Trust (C) 2016 Jonat
Page 7 and 8: Android Boot: The BootROM • Very
Page 9 and 10: Boot Chains of Trust Android Boot:
Page 11 and 12: Boot Chains of Trust Android Boot:
Page 13 and 14: The iOS Boot Sequence iOS Boot: The
Page 15: The iOS Boot Sequence iOS Boot: iBo
Page 19 and 20: Validating components: APTicket •
Page 21 and 22: iOS 10b1: Think different • Mista
Page 23 and 24: TrustZone 技 • Hardware support
Page 25 and 26: Android uses of TrustZone • Crypt
Page 27 and 28: iOS Uses of TrustZone • 32-bit: A
Page 29 and 30: Entering TrustZone (AArch32) • SM
Page 31 and 32: Exception Handling (AArch64) EL0 Ap
Page 33 and 34: AArch64 Exception Handling 0x000 Sy
Page 35 and 36: Case Study: KPP 0x000 Synchronous C
Page 37 and 38: KPP: Kernel Side morpheus@zephyr (~
Page 39 and 40: KPP Weakness (patched in 9.2) • P
Page 41 and 42: iOS 10 changes morpheus@zeyphr(~/..
Page 43 and 44: Android & TrustZone keystore com.an
Page 45 and 46: Android & TrustZone: Samsung root@s
Page 47 and 48: disarm # disarm will automatically
Page 49 and 50: Linux Kernel Support • Generic Tr
Page 51 and 52: References • ARM TrustZone docume

Giving Mobile Security the Boot

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?