@@akashsxo Could you explain to me how this is relevant to the original comment? After reading both, I see that the original comment and reply are addressing different things. If you could elaborate, that would be great. Thanks.
Voltage fault injection reminds me of some laptops to be re-sold, at work. The BIOS / UEFI was password protected, but they were a "higher-end" model with a "secured boot failure" feature... if the BIOS repeatedly failed to initialize, a re-flash or such would occur. By ever so slightly shorting one of the TX pins to ground while it was booting, it would reboot... to a Factory Initialization message. Haha yeah, one only need to enter the serial number printed on the laptop, and it would then "be that laptop", as well as save a password and then immediately clear it, because otherwise it was still on the flash, recalling. I recovered like 7 or 8 of 10 laptops that way.
come you drop a story like that, and not details what laptop model it was and ping shorted out a little (did your a rissistor or something for the shorting a little part? are just paper clip? 🙂
@@dh2032 It was a Dell model, but it was over a year go, one of many I worked on. I just had a small metal tool, like a flathead, and I was scraping one side of what I believed to be the bios chip (tiny little 8-pin dip). If I scraped too early it wouldn't boot at all, but there was a certain part of it's LED flashing iirc, I could time it. The fan sounds would be different, and rebooting (without contact?) would boot it into the "Manufacturing" mode.
@@doublepinger I have a similar story with one of my previous PC builds. PC froze while updating BIOS during first setup, seemed to be fully bricked. Looked online, turned out only option is to go ahead with a return. Which would suck as I was just setting up a new build after waiting on the parts for quite a while. One user described a similar issue on a different motherboard model, and he was able to short two pins to get the DUALBIOS thing to kick in and un-do the brick. The issue was that they had a different mobo, and schematic of the pins from the manual they attached didn't correspond to the chip on my motherboard. Had to go to my boards manual, find the chip on my board, look up the model, look up the chips specs, look at the routing of the pins and compare to the chip the other user posted. I remember the pins were named differently, so that required some deep diving into the docs to find that XYZ on my boards chips corresponds to ZYX on the other boards chip. Once I was sure which of the pins to short, I was like 49% sure it would go up in flames, 49% sure I get electrocuted, and 2% sure it would work. Insulated myself from the paperclip I was using, and was shaking quite a bit while trying to only touch the 2 of the 8 pins required lol But I went ahead... AND IT WORKED! Shorting the 2 pins unbricked the BIOS brick, and I was able to proceed with the updates without any other issues. Felt like I'm a wizard & it was amazing that I didn't have to RMA a new motherboard that got bricked during a bios update. One of my fave PC troubleshooting stories as a 'normal PC user' / someone not working in the hardware/PC sector.
If you can get to the chip on the iPhone, you could probably get a unpatchable jailbreak Idk the extent to how the communication works between the SoC and ACE3 on the iPhone, but if you can compromise it before/during boot, then there's nothing Apple can do about it lol
@@MLGPRO-dx8fg has anyone done it on newer ios versions, it's eassy to get to the chip if it's outside of sandwich board might be little tough if it's inside.
Wow, amazing talk! And not only do you care about glitching the chip, you take extra steps to see how it could be reproduced with more commonly available hardware instead of expensive professional machines. That's amazing, and awesome for you to do that!
What he is talking about and doing is amazing. It’s even more incredible to think that somewhere there is a group of engineers that thought about all of this and incorporated it.
This has to take the cake for most impressive presentation at this year’s DEFCON. Granted, it’s the first one I’ve so far seen, but still. It’s got everything, multiple zero-days, responsible disclosure, Apple being jerks, refusal to address disclosed vulnerabilities (we just released a new chip thats not affected. Wanna be secure? Buy the new $3,000 computer), SPITE…engaged, whacky hacky shenanigans, no information, just spite, somehow convert pure spite into actual information, still tho no way this actually works, no fucking way, spite wins, it’s to the buzzer but spite wins somehow, all this, plus what’s got to be one of the most technically impressive h/w hacks of the year. Bravo! Unfortunately, there’s absolutely going to be some serious blowback from all this. I think it just convinced me to buy a Mac. I finally get it. It’s not the aesthetic or some “ecosystem” that draws ppl to Apple. It’s the spite. That’s not a computer. It’s a 3,000 dollar motivation machine. I was blind, but now I see!
i do comments very rarely, one per several years, rofl ... but ... this guy blow my mind ... i like the way he is thinking, excellent problem solving road map imagination
Ouch, $4,000 chipshouter? Glad you did it for us. Using a $4,000 glitcher and then saving money using a hackrf instead of a scope doesn't make a ton of sense to me.
Apple are really something they designed everything very well also protected it with almost no vulnerabilities grt. I thought making a laptop would b easy just put parts but no they hv put some serious work in it🎉
I’m from Turkey and if you want to buy an iphone you have to pay 3000$ dollars, 1k for the phone and other 2k for the government, and i wish this guy can create a tool to change the imei number on the phone so i can use phones bought from abroad 😂
In newer iPad Pros, air, and MacBooks, the CD chip is paired to the small ROM chip. If I need to replace the CD chip because it turned out to be bad, I cannot install a new one. I need to pull a pair of cd + rom from another donnor motherboard. Do anyone have an idea how to re write the rom chip to the new CD?
Eeprom programmer, either spi or i2c. But if it has the security measures like this (ACE3), a simple reprogram won't be enough. Basically you need to glitch like in the video, get past security, dump and patch internal flash to accept other CRC. I'm sure it's currently out of your reach. Also not too fast or reliable on one chip, not to talk about shops that replace multiple a day. Your easiest option is to replace CD, and flash its own rom, but reading/writing takes longer than swapping it out too.
in the EU, until you use it for commercial purposes, yes. (He's not selling reverse engineered products from the firmware dumps, at least I'm not aware)
I have absolutely no clue what I'm watching but I'm definitely here for it
Me too 😂😂
Hahaha me the same 😂 but it's fun to watch
i'm engeenier and trust me.. i don't know it either xD
same here 😁😁
real
stacksmashing has to be the highlight of any defcon
Hardware hacking is so insanely cool, i dont even want to know how many hours this all cost.
have you fallen in love with someone? if yes, you don't track the time you spent with them, it's the same, he loves his art
@@akashsxo Could you explain to me how this is relevant to the original comment? After reading both, I see that the original comment and reply are addressing different things. If you could elaborate, that would be great. Thanks.
So I am not telling you that it probably took all of his hours.
@@LoveDoveDarling your name is enough ☺
@@akashsxo Enough of what...?
There do be wizards walking among us mere mortals.
#WizardChan
Never been more fascinated and confused at the same time...
My University professor showed this video to me. It is absolutely fascinating. I feel so confused yet so motivated. Amazing stuff!
Voltage fault injection reminds me of some laptops to be re-sold, at work. The BIOS / UEFI was password protected, but they were a "higher-end" model with a "secured boot failure" feature... if the BIOS repeatedly failed to initialize, a re-flash or such would occur. By ever so slightly shorting one of the TX pins to ground while it was booting, it would reboot... to a Factory Initialization message. Haha yeah, one only need to enter the serial number printed on the laptop, and it would then "be that laptop", as well as save a password and then immediately clear it, because otherwise it was still on the flash, recalling. I recovered like 7 or 8 of 10 laptops that way.
Those days are over, everything is encrypted now.
Had to do this with a lot of old chromebooks
come you drop a story like that, and not details what laptop model it was and ping shorted out a little (did your a rissistor or something for the shorting a little part? are just paper clip? 🙂
@@dh2032 It was a Dell model, but it was over a year go, one of many I worked on. I just had a small metal tool, like a flathead, and I was scraping one side of what I believed to be the bios chip (tiny little 8-pin dip). If I scraped too early it wouldn't boot at all, but there was a certain part of it's LED flashing iirc, I could time it. The fan sounds would be different, and rebooting (without contact?) would boot it into the "Manufacturing" mode.
@@doublepinger I have a similar story with one of my previous PC builds.
PC froze while updating BIOS during first setup, seemed to be fully bricked.
Looked online, turned out only option is to go ahead with a return. Which would suck as I was just setting up a new build after waiting on the parts for quite a while.
One user described a similar issue on a different motherboard model, and he was able to short two pins to get the DUALBIOS thing to kick in and un-do the brick.
The issue was that they had a different mobo, and schematic of the pins from the manual they attached didn't correspond to the chip on my motherboard.
Had to go to my boards manual, find the chip on my board, look up the model, look up the chips specs, look at the routing of the pins and compare to the chip the other user posted.
I remember the pins were named differently, so that required some deep diving into the docs to find that XYZ on my boards chips corresponds to ZYX on the other boards chip.
Once I was sure which of the pins to short, I was like 49% sure it would go up in flames, 49% sure I get electrocuted, and 2% sure it would work.
Insulated myself from the paperclip I was using, and was shaking quite a bit while trying to only touch the 2 of the 8 pins required lol
But I went ahead... AND IT WORKED!
Shorting the 2 pins unbricked the BIOS brick, and I was able to proceed with the updates without any other issues.
Felt like I'm a wizard & it was amazing that I didn't have to RMA a new motherboard that got bricked during a bios update.
One of my fave PC troubleshooting stories as a 'normal PC user' / someone not working in the hardware/PC sector.
You only have to hear his name to know it’s gonna be an absolute *banger* of a talk
It really did sound like "sexmachine" 😂 Shows the importance of syllable stress (should have been pronounced stacksMAshing instead of stacksmaSHIng)
#Juju
I just watched 36 minutes of something I have absolutely 0 knowledge or understanding of. This was interesting.
Same 😂
Sameee
This just goes to show all the work that goes into the new Jailbreak every year! But seriously, this could allow a new semi-untethered Jailbreak!
This is amazing honestly. Reminds me of the hacking of DirectV’s HU card in the early 2000’s
If you can get to the chip on the iPhone, you could probably get a unpatchable jailbreak
Idk the extent to how the communication works between the SoC and ACE3 on the iPhone, but if you can compromise it before/during boot, then there's nothing Apple can do about it lol
@@MLGPRO-dx8fg this would make me come back to iPhone from android
@@MLGPRO-dx8fg has anyone done it on newer ios versions, it's eassy to get to the chip if it's outside of sandwich board might be little tough if it's inside.
Wow, amazing talk! And not only do you care about glitching the chip, you take extra steps to see how it could be reproduced with more commonly available hardware instead of expensive professional machines. That's amazing, and awesome for you to do that!
Persistence is the key! Top work!
This is totally another world technology and skills. Man you are an Alien.
What he is talking about and doing is amazing. It’s even more incredible to think that somewhere there is a group of engineers that thought about all of this and incorporated it.
That was one “intelligent” group of field engineers there bruh.
This has to be one of my favorite defcon vids so far. Awesome stuff!
35:45 The; ''And it's not super difficult'' part cracked me up!!! 😂
This has to take the cake for most impressive presentation at this year’s DEFCON. Granted, it’s the first one I’ve so far seen, but still. It’s got everything, multiple zero-days, responsible disclosure, Apple being jerks, refusal to address disclosed vulnerabilities (we just released a new chip thats not affected. Wanna be secure? Buy the new $3,000 computer), SPITE…engaged, whacky hacky shenanigans, no information, just spite, somehow convert pure spite into actual information, still tho no way this actually works, no fucking way, spite wins, it’s to the buzzer but spite wins somehow, all this, plus what’s got to be one of the most technically impressive h/w hacks of the year. Bravo! Unfortunately, there’s absolutely going to be some serious blowback from all this. I think it just convinced me to buy a Mac. I finally get it. It’s not the aesthetic or some “ecosystem” that draws ppl to Apple. It’s the spite. That’s not a computer. It’s a 3,000 dollar motivation machine. I was blind, but now I see!
So now you can get a 60$ pico instead of a 130$ fancy charging cable. Props.
I don't understand nothing but i warched everything and learned something
Commenting for the algorithm, this is awesome af!
I know about hardware but this is so cool to watch! Someday I’ll understand all this.
Gotta love when someone does it with 8k of equipment then makes it work on 60$ of equipment
Wow! Brilliant and next level persistent!
Like all good hackers
So far from Defcon 32, this has been the most impressive video of reverse engineering released
Quite interesting. It's crazy seeing Fabian being mentioned everywhere after taking one of his courses.
i do comments very rarely, one per several years, rofl ... but ... this guy blow my mind ... i like the way he is thinking, excellent problem solving road map imagination
he deserves literally so much
Thanks asahi for the 206
The Central Scrutiniser.. first time I've seen a Frank Zappa reference in a hacking tool. Listen to Joe's Garage, it's a great album
Ouch, $4,000 chipshouter? Glad you did it for us. Using a $4,000 glitcher and then saving money using a hackrf instead of a scope doesn't make a ton of sense to me.
What do you think a good scope costs? Do you think he paid full price for the other device? Could it be an academic exercise to do it the cheap way?
It only takes one researcher to work out the signal, now you can do the same with a $60 PICO board.
He said he wants to make it more accessible not everyone has that much to spend on specialised hardware
Did you watch to the end?
@@grant-is Of course not. Many such cases.
at least thump up for this efford! congratulations :)
Meanwhile, I can’t even jailbreak my 10 year old iPad.
Cool use of the hackRF!! Love mine
This is just wild.
What a legend! 🎉
Amazing work!
I am proud of you guys!...keep up doing the good work.
Apple security left the chat
apple engineers taking notes
I once tried to reverse engineer a smart fridge, but in the proces a jtag grew on the back of my head.
This is incredible. Fantastic work!
Louis Rossmann needs to hire this guy😆
Hah
Impressive, just impressive!
Apple are really something they designed everything very well also protected it with almost no vulnerabilities grt. I thought making a laptop would b easy just put parts but no they hv put some serious work in it🎉
This is insane. Very impressive
i had a dream to become a hacker and by watching this guy motivated me to quite.
Amazing talk.
it's impressive like super impressive
Thank you for your World Champion open sourcing effort! I hope you did all this research and got the MacBook refunded 😂
Why?
But can he center a div?🤔
But can he make a div slide from the right to the left of the screen and loop?
Absolutely insane
brilliant work!
great insights
craziest shit ive ever seen
awesome stuff!
23:57 an apt description of tech companies
Impressive
I’m from Turkey and if you want to buy an iphone you have to pay 3000$ dollars, 1k for the phone and other 2k for the government, and i wish this guy can create a tool to change the imei number on the phone so i can use phones bought from abroad 😂
The grass might seem greener but at the end of the day its an overpriced phone with decent build quality that runs the same apps
Excellence.
Basically what he’s saying is don’t buy Apple products…
Badass
So cool.
Amazing 🔥
Music is good
what a smart cookie. The zapping works on kids also. They start behaving. No questions. jk (obviously).
Amazing!
The presentation is clearly not a Powerpoint, what is it made in?
Apple Keynote has some really slick templates you can build upon, it might be one of those. iWork is actually pretty darn good.
Based
Hello this is Tim Cook I would like to know where you live 🤣
Do all these need auth or are these pwn methods as well?
lit
What a fucking legend
It already comes loaded with a back door…you just don’t know it yet…😢
12:33 Apple probably doesn't consider this a security issue because it requires SIP to be disabled.
35:29 dumping unknown silicon is not super difficult
Hmmm... I disagree
so does this mean jailbroke iphones are back on the menu?
I am curious too. And don't understand the full effects of this research
This is awesome!
He keeps saying „you know“ but I actually have no clue. Does the audience also just.. you know… know?
In newer iPad Pros, air, and MacBooks, the CD chip is paired to the small ROM chip.
If I need to replace the CD chip because it turned out to be bad, I cannot install a new one. I need to pull a pair of cd + rom from another donnor motherboard.
Do anyone have an idea how to re write the rom chip to the new CD?
Eeprom programmer, either spi or i2c. But if it has the security measures like this (ACE3), a simple reprogram won't be enough. Basically you need to glitch like in the video, get past security, dump and patch internal flash to accept other CRC. I'm sure it's currently out of your reach. Also not too fast or reliable on one chip, not to talk about shops that replace multiple a day.
Your easiest option is to replace CD, and flash its own rom, but reading/writing takes longer than swapping it out too.
@ thanks you!!
Stacksmashing sounds like sexmachine at first
Forced to use usb-c eyyy..
Louis Rossmann would like to know this
maestro
60$? shouldve said 59.99 and weaved in some cool words like Jobs used to do :D
I only understands the first 5 mins...haha
Ultra 1, I’m bugging
I wanna learn hardware hacking
So basically they followed the Qualcomm way of entering Recovery (which uses Qualcomm QuickCharge negotiation process)
❤
daymn
Ye was right. 😢
Is this even legal ?
In Europe, yes.
in the EU, until you use it for commercial purposes, yes. (He's not selling reverse engineered products from the firmware dumps, at least I'm not aware)
🎉
Like #1337. that my level. His: another planet
RSA3072… 😂
Is that usb device that border control uses to scan your entire phone?
WOW
Wow this is so frigtned
Anyone boasting about a jailbreak on iphome 15 means nothing anymore 🤣🤣🤣