Comments on Project Zero: Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices
(comment feed, last updated 2024-03-18)

Matthias Schulz, 2017-09-29 06:36 -07:00:

Very nice work, as always ;-)

However, there is an easier way to extract the ROM from the Wi-Fi chip. As soon as you have the RAM firmware file, you can patch it with the Nexmon Firmware Patching Framework (see https://nexmon.org) to hook the reference to the wlc_ioctl function that handles ioctls in the firmware. Hooking this function allows you to add new ioctls, for example some that can read from arbitrary memory locations, including the ROM. To send ioctls to the firmware, they have to be packed into an APPLE80211_IOC_CARD_SPECIFIC ioctl to the Wi-Fi interface as demonstrated by the monmob developers (see https://github.com/tuter/monmob/blob/master/tools/iOS/server/ioctl.py). On 64-bit devices, the apple80211req structure changed a bit, so it needs to be adjusted in tools sending this ioctl. For the Nexmon project, we created nexutil to send arbitrary ioctls to the firmware and also compiled it for iOS 10 (see https://github.com/seemoo-lab/nexmon/tree/master/ios_utilities/nexutil) using theos (see https://github.com/theos/theos). Equipped with nexutil and the extended RAM firmware, you can simply extract the ROM of your Wi-Fi chip. Currently, we only created the ROM extraction project (see https://github.com/seemoo-lab/nexmon/tree/master/patches/bcm43451b1/7_63_43_0/rom_extraction) for the Wi-Fi chip of the iPhone 6, but we could also port it for the iPhone 7 if required.

Gal Beniamini, 2017-09-29 09:42 -07:00:

Hi Matthias,

Thank you for the kind words! I am aware of the technique above; however, to utilise it you need privileged access to switch the firmware file (or am I missing something?). Once you have code execution on the chip (either by patching the RAM file itself or by patching RAM via the TCM), the rest is similar (hook a function and use it to extract the ROM).

All the best,
Gal.

Anonymous, 2017-09-30 04:23 -07:00:

This has been an amazing read! Congratulations!

I'll admit that I am a massive Apple fan and my knee-jerk reaction was negative, as to almost judge your intent, but after reading the article, I'm extremely happy you've made all this effort! Not only that, you've maintained a neutral bias throughout.

Thank you! :)

Matthias Schulz, 2017-09-30 16:37 -07:00:

Yes, you are right, privileged access is required at least to execute the /usr/libexec/wifiFirmwareLoader program to load the firmware from a given location and to send ioctls to the firmware. However, as long as a jailbreak exists for a certain iOS version, the Nexmon approach should always work to modify the firmware, reload it and extract the ROM. Nevertheless, the downside of this approach is that addresses of structs may change when we allocate memory on the heap.

Gal Beniamini, 2017-10-03 12:02 -07:00:

Thank you!

zactaylor, 2017-10-08 16:12 -07:00:

Dear Gal, your research is amazing, but what's more amazing is that you're sharing it with us, so thank you much, man.

Gal Beniamini, 2017-10-10 05:44 -07:00:

Thank you for the kind words.