The One Weird Trick SecureROM Hates

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:38:51
Language
English
Abstract
Checkm8 is an unfixable vulnerability present in the SecureROM of hundreds of millions of iPhones. SecureROM is a critical component in Apple's Secure Boot model, and the vulnerability allows security researchers and jailbreakers alike to take full control over the application processor's execution.

This talk will detail how we built an iOS jailbreak from the ground up - quite literally - by using a use-after-free in Apple's SecureROM. This is key code designed to bring up the application processor during boot, but it also exposes a firmware update interface over USB called DFU.
By abusing this vulnerability it is possible to unlock full control of the application processor, including enabling debugging functionality such as JTAG, which helps security researchers look for security vulnerabilities in Apple devices more effectively.
We will analyse the root cause and the techniques used for exploitation, as well as mention some of the hurdles we encountered while trying to turn this into a reliable jailbreak, and our plans for the future of this project.

Talk ID
11238
Event:
36c3
Day
3
Room
Ada
Start
8:50 p.m.
Duration
00:40:00
Track
Security
Type of
lecture
Speaker
qwertyoruiop
Talk Slug & media link
36c3-11238-the_one_weird_trick_securerom_hates
English

English: Transcribed until

Last revision: 10 months, 3 weeks ago