back

KTRW: The journey to build a debuggable iPhone

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration: 00:54:51
Language: English
Abstract: Development-fused iPhones with hardware debugging features like JTAG are out of reach for many security researchers. This talk takes you along my journey to create a similar capability using off-the-shelf iPhones. We'll look at a way to break KTRR, a custom hardware mitigation Apple developed to prevent kernel patches, and use this capability to load a kernel extension that enables full-featured, single-step kernel debugging with LLDB on production iPhones.

This talk walks through the discovery of hardware debug registers on the iPhone X that enable low-level debugging of a CPU core at any time during its operation. By single-stepping execution of the reset vector, we can modify register state at key points to disable KTRR and remap the kernel as writable. I'll then describe how I used this capability to develop an iOS kext loader and a kernel extension called KTRW that can be used to debug the kernel with LLDB over USB.

Talk ID: 10806
Event:: 36c3
Day: 2
Room: Ada
Start: 8:50 p.m.
Duration: 01:00:00
Track: Security
Type of: lecture
Speaker: Brandon Azad
Talk Slug & media link: 36c3-10806-ktrw_the_journey_to_build_a_debuggable_iphone

: KTRW iOS kernel debugger for A11 iPhones

English

0.0%

24.5%

75.5%

Work on this video on Amara!

This talk has a pad for the transcript, please use this instead of the amara editor: Etherpad
Shortcut to the video files: CDN Video Link or YouTube Video Link use this with otranscribe.com

KTRW: The journey to build a debuggable iPhone

Work on this video on Amara!

Please check: