@MuscleNerd iPhone Dev Team Hack in the Box, Amsterdam May 24, 2012
Thursday, May 24, 2012
My background
• Member of iPhone Dev Team
• http://blog.iphone-dev.org (133 million visits to date!)
• Initially just interested in baseband, but now also maintain and extend “redsn0w” jailbreak utility
  • custom ramdisks, blob stitching, downgrades, etc
• Tech editor for iOS Hacker’s Handbook by Miller, Blazakis, DaiZovi, Esser, Iozzo, Weinmann (2012)
General BB environment
• Communication with BB is via UART, internal USB or cellular
• There’s little independent monitoring and control of its embedded OS in production mode -- can be hard to trigger, detect, and analyze crashes
  • Similar to exploiting bootrom in DFU mode, when direct feedback is limited or delayed
• However, as the BB is crashing, it saves a limited crash report into its NVRAM which can be retrieved after the subsequent reboot
3G/3GS BB crash log
System Stack: 0x406AE300 0x00000008 0x40245C90 0x40322284 0x40442F00 ... 0x4032180C 0x2014E055
Date: 18.06.2011 Time: 06:49
Register:
  r0:   0x00000000   r1:   0x00000000   r2:   0xFFFF2318
  r3:   0x00000001   r4:   0x34343434   r5:   0x35353535
  r6:   0x35353535   r7:   0x50505050   r8:   0x00000000
  r9:   0x00000000   r10:  0x406AD320   r11:
  r12:  0xFFFFFDF8   r13:  0x406AE318   r14:
  r15:  0x50505050   DFAR:
  SPSR: 0x40000013
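Added example, not from the talk: a small triage script for a crash log in the style shown above. It parses the register dump and the saved stack words and flags registers holding repeated-byte pattern words (0x35353535 = "5555", 0x50505050 = "PPPP"), which is how an analyst tells a crash caused by test input from an unrelated fault. The line layout of the log and the sample values are assumptions reconstructed from the slide; r11, r14 and DFAR are left out because the slide does not give them.

```python
import re

# Constructed sample modelled on the 3G/3GS baseband crash log on the slide.
# The slide elides part of the stack ("..."); only the words it shows are kept.
SAMPLE_LOG = """System Stack: 0x406AE300 0x00000008 0x40245C90 0x40322284 0x40442F00 0x4032180C 0x2014E055
Date: 18.06.2011 Time: 06:49
Register: r0: 0x00000000 r1: 0x00000000 r2: 0xFFFF2318
r3: 0x00000001 r4: 0x34343434 r5: 0x35353535
r6: 0x35353535 r7: 0x50505050 r8: 0x00000000
r9: 0x00000000 r10: 0x406AD320 r12: 0xFFFFFDF8
r13: 0x406AE318 r15: 0x50505050
SPSR: 0x40000013
"""

REG_RE = re.compile(r"\b(r\d{1,2}|DFAR|SPSR):\s*0x([0-9A-Fa-f]{8})")
STACK_RE = re.compile(r"System Stack:((?:\s+0x[0-9A-Fa-f]{8})+)")


def parse_crash_log(text):
    """Return {'registers': {name: int}, 'stack': [int, ...]} from the log text."""
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}
    m = STACK_RE.search(text)
    stack = [int(w, 16) for w in m.group(1).split()] if m else []
    return {"registers": regs, "stack": stack}


def is_pattern_word(value):
    """True for a 32-bit word made of one repeated printable byte (e.g. 'PPPP')."""
    b = value.to_bytes(4, "big")
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F


def triage(parsed):
    """Summarise which registers carry pattern bytes and what mode the core was in."""
    regs = parsed["registers"]
    tainted = [r for r, v in regs.items() if is_pattern_word(v)]  # log order
    pc = regs.get("r15")  # r15 is the ARM program counter
    mode = regs.get("SPSR", 0) & 0x1F  # low five bits of CPSR/SPSR = processor mode
    return {
        "tainted": tainted,
        "pc_controlled": pc is not None and is_pattern_word(pc),
        "mode": "svc" if mode == 0x13 else hex(mode),
    }


if __name__ == "__main__":
    print(triage(parse_crash_log(SAMPLE_LOG)))
```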