- Videos: 41
- Views: 122,498
jiska
Germany
Joined 28 Dec 2020
Wireless security, hardware hacking, iOS, Frida and more :)
Demo: iPhone Satellite Testbed Setup
This demo shows a simulation-based testbed for satellite communication on non-satellite iPhones. Various Frida hooks enable "connecting" to a satellite and sending emergency messages, without actually causing an emergency.
Here, the demo runs on an iPhone 13 mini on iOS 16.3. The testbed requires the iPhone to be jailbroken with Dopamine 2 or having Frida running on an SRD.
Views: 246
Videos
Demo: Sending Text Messages via Find My Location Sharing over Satellite
Views 128 · a month ago
This demo shows sending a custom text message over satellite on a jailbroken iPhone, by replacing the Find My Friends location shared with the text message. All friends of that user can then receive the shared message. Source code available on github.com/seemoo-lab/satellite-messenger.
iOS Inactivity Reboot Timelapse
Views 38K · a month ago
For detailed reverse engineering of this feature, see naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html.
[0x0f] Reversing Shorts :: Hotdog or not hotdog? Machine learning reverse engineering on iOS
Views 1K · a month ago
The SeeFood app is real! Let's look into an app that classifies food into hotdog vs. not hotdog. Learn how to figure out how a machine learning model is used, which capabilities it has, and change the SwiftUI text labels such that the app can detect pizza vs. not pizza. Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G Links: bagbak: github.com/ChiChou/bagbak R...
BlackHat Europe 2024 Training [Advertisement]
Views 470 · 3 months ago
This training provides you with a comprehensive toolkit for analyzing apps, system daemons, the XNU kernel, firmware, and system logs on Apple's mobile devices. It caters to beginner, intermediate, and advanced reverse engineers. More details on reversing.training! Book via www.blackhat.com/eu-24/training/schedule/index.html#practical-ios-app-user kernel-space-and-firmware-reverse-engineering 3...
[0x0e] Reversing Shorts :: Decoding Apple's OSLog
Views 836 · 6 months ago
In this video, we take a look into how Apple's clang compiler handles os_log internally. While the source code looks very readable, some compiler builtins ruin our day! Let's take a look into how to recover this mess. Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G os_log.js: github.com/seemoo-lab/frida-scripts/blob/main/scripts/os_log.js Apple's clang source...
[0b00] Reversing 101 :: Hacking Closed-Source Firmware
Views 5K · a year ago
Useful tips on firmware reverse engineering I wish I had known earlier. Follow my journey of learning how to reverse engineer by starting with a fitness tracker and Bluetooth chip firmware! Check out my channel for more reverse engineering videos: @jiskac CCC conference talk by Daniel and me on hacking Fitbit firmware: ruclips.net/video/ccbwtrrB4lk/видео.html REcon conference talk by Dennis and me...
[0x0d] Reversing Shorts :: Real-World Tutorials 🤓
Views 1.9K · a year ago
Want to learn reverse engineering, but there are way too many tutorials to pick a good one? I'll show you my top recommendations to get started with beginner and advanced reverse-engineering tutorials. Links to the tutorials in the description below! Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G Hacking Windows Minesweeper: www.begin.re/ BlackHoodie: blackhoo...
[0x0c] Reversing Shorts :: 🩳🧵🪡
Views 770 · a year ago
Reverse engineering short about how to reverse a shorts sewing pattern from ready-to-wear shorts. The one and only reversing shorts you all have been waiting for! Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G Chapters: 00:00 - Introduction 00:15 - Plan: Create sewing instructions 00:54 - Create sewing pattern 03:04 - Cut pattern 03:25 - Sew inside 03:47 - B...
[0x0b] Reversing Shorts :: iOS & macOS Kernel Debug View
Views 2.1K · a year ago
See what's happening live inside the XNU kernel without any complicated debug and patching setup. Various places in the kernel have kernel_debug statements, which can be observed from user space with kdv (Kernel Debug View). Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G kdv: newosxbook.com/tools/kdv.html Public trace codes in XNU source code: sourcegraph.co...
Wibbly Wobbly, Timey Wimey - What's Really Inside Apple's U1 Chip
Views 448 · 2 years ago
Talk about Apple's ultra-wideband (UWB) chip and ecosystem. How is distance measured? How is it reported from the chip and then used within Apple's ecosystem? How does Bluetooth integration with BLE advertisements work? As presented on DEF CON 29, but with improved captions.
[0x0a] Reversing Shorts :: Apple's Cross-Process Communication (XPC)
Views 2.4K · 2 years ago
XPC is a mechanism on iOS and macOS that enables processes to exchange data. Apple-internal implementations in particular use it extensively: simple features are often split across daemons and apps, with the components implemented separately. In this video, we'll follow XPC communication across daemons to see what happens when we play a sound on an AirTag. Full playlist of reversing shorts: ruc...
[0x09] Reversing Shorts :: iOS Bluetooth Debugging Driver Internals & Packet Logging
Views 3.3K · 2 years ago
Let's take a look into the iOS Bluetooth stack! Logging all packets with PacketLogger is easy, but how does it work internally? How do bluetoothd and the kernel interact with each other? Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G Apple's Bluetooth developer tools and information: developer.apple.com/bluetooth libimobiledevice: github.com/libimobiledevice...
[0x08] Reversing Shorts :: Apple RTKit Firmware Analysis
Views 6K · 2 years ago
RTKitOS, also called RTKit, is Apple's most widespread operating system. Yet, nobody knows it. It runs on various Apple peripherals as well as the SoCs on the iPhone, Watch, and MacBook. Full playlist of reversing shorts: ruclips.net/p/PLkOopkYm0fCV45i_n8z5LSUL3QBXNAP2G *OS Internals books: newosxbook.com Project Zero blog post on RTKit reversing to analyse a DCP exploit: googleprojectzero.blog...
[0x07] Reversing Shorts :: iOS Device Supervision - Sniff Traffic & Defer Updates
Views 682 · 2 years ago
[0x06] Reversing Shorts :: Weather Manipulation
Views 2.4K · 2 years ago
[0x05] Reversing Shorts :: iOS Kernel Demystified
Views 5K · 2 years ago
[0x04] Reversing Shorts :: Finding and Backtracing Signal Messages on Android
Views 1.3K · 2 years ago
[0x03] Reversing Shorts :: Out of Memory - Working around JetSam Memory Limits on iOS
Views 1.2K · 2 years ago
[0x02] Reversing Shorts :: Backtracing Threads and Adding Symbols with Frida on iOS
Views 1.7K · 2 years ago
[0x01] Reversing Shorts :: Finding the Signal Message Object with Frida on iOS
Views 3.2K · 2 years ago
[0x00] Reversing Shorts :: Introduction
Views 2.2K · 2 years ago
Reverse Engineering Lab - Module 0x2.1: Java Reversing and Android VM Setup
Views 576 · 2 years ago
Reverse Engineering Lab - Module 0x2: Ghidra & Frida
Views 2.8K · 2 years ago
Reverse Engineering Lab - Module 0x01: Selecting a Research Target
Views 2.4K · 2 years ago
iOS Reverse Engineering :: Part III :: Hooking into Objective-C
Views 2.3K · 2 years ago
iOS Reverse Engineering :: Part I :: Dynamic Reversing and iOS Basics
Views 13K · 2 years ago
iOS Reverse Engineering :: Part II :: System Processes and Hardware Interaction
Views 2.8K · 2 years ago
Ghost Peak - UWB Distance Shortening Demo on Apple U1 Chip
Views 829 · 3 years ago
How to do this on Windows?
How did you get verbose boot on your iPhone?
I mean, this kinda sucks, since when your device is in a BFU state the people calling won't appear as contacts. But who doesn't touch their phone for 3 days in 2024 anyway?
Not bad!
Bruh
Idk, every unstable system requires a reboot at least once a week. Otherwise, system performance will feel slower than usual.
Once every 7-10 days when I try to unlock my iPhone 13 on iOS 17.4.1, iOS asks me to first enter my password. Is that same as what's shown in the video i.e., BFU or is that AFU? Also, when I press the power + volume buttons together for a couple of seconds and don't shut down my iPhone, it asks for my password. Is this BFU or AFU?
Both scenarios you describe are AFU. The second one restricts some interfaces but disk stays decrypted. You can easily try that out when calling your iPhone: In BFU, no contact info is shown. In AFU, contact info from your address book is shown.
So Good.
Oh now I get it, that’s why sometimes when I’m trying to swipe up my phone it needs a passcode first because it reboots 😅😅
Not necessarily. Apple also put some other mitigations in there that require you to enter the passcode under certain conditions. In some of these cases, the iPhone didn't reboot and is still in After First Unlock state.
The fact that the reboot is in verbose mode is interesting. Apple usually *really* doesn't allow things like that on production releases of software.
That’s because it’s a research device. That iPhone is likely Apple’s property that they’re allowing devs to use for testing purposes. Inactivity reboot is going to be a normal reboot on end-users’ iPhones.
Yeah, you can see the research device watermark before it turns back on
Why isn't the full iPhone visible?
Is this case quadlock?
thanks for the great article 👍
Mr might be pretty good at searching security issues to get his hand on an SRD (these kind of devices are quite rare)
why does this happen? does this happen every 3 days?
naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html
0:32 looks like jailbreak
Just a dev-fused device provided by Apple to certified security researchers.
It’s one of the security research device units provided by Apple for security research. There’s a glimpse of the label on the boot screen
It removes the lock screen.
is this for like re-encryption?
Yeah, in BFU state pretty much all user data is encrypted
Yup, prevents law enforcement from accessing data from your locked phone.
Is this the same encryption as with a factory reset?
This resets the phone from an AFU (after first unlock) state to BFU (before first unlock) state. Part of this means encryption keys are purged from memory and you must use your PIN/password instead of just biometrics to unlock the first time. This makes it more difficult for law enforcement or other phone thieves in general to access the data on the phone, because they need to get the encryption keys; there are no potential bypasses, memory-related or otherwise.
Is that a jailbreak on iOS 18???
No.
That’s an SRD, a specially modified iPhone that allows for deep security research.
First time I've seen the "Security Research Device", WTH.
They give that to Apple Security researchers to find bugs
Very nice article
Hi all :) I've added some answers to all your questions at the end of my blog post. naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html
Interesting article and a very good read!
how did you enable verbose boot?
It's an Apple Security Research Device. Apple loans you a phone (which isn't for personal use). It's used to find, test, validate, verify, and confirm a vulnerability.
It's a security research device, part of one of Apple's programs. It has it enabled by default
-v
@ImSkyebro you can’t just change boot args
@ sure you can, you can temporarily set them via usb debugging.
good video!
cool, it even comes with a console blurred for privacy.
Nah, I think the blur is an overlay. Look how the notch is also blurred.
@bryanmartin_ r/woooosh
@bryanmartin_ no, that's a feature of the console
@ethancarter-0ridQ38 That wasn't even a joke, idiot
It’s clearly edited in post prod
Does it erase all data on the phone, and did Apple allow debugging openly?
This is an SRD, a modified iPhone for security research sent by Apple to experts
No, by rebooting the device, it's now in "before first unlock" mode, where all user data is encrypted.
Great video ty
2:03 😂
Short and direct. Great video.
thx, j!
Great video. Keep it up.
Awesome content! Any github link with the script? Many thanks
Hi :) You can find some of the scripts here: github.com/seemoo-lab/airtag