iOS 18 contains a new security feature: an inactivity reboot. The feature was widely discussed in the media, including speculation that it had a wireless component, with nearby iPhones communicating with each other to trigger it. So the author decided to investigate how it actually works.
There are two iPhone states that matter for this post: before first unlock (BFU) and after first unlock (AFU). In BFU the phone can only be unlocked with the passcode, not Face ID, because the keys protecting user data are derived from the passcode and are not yet in memory. After the first unlock those keys are available and the user data is decrypted, which exposes much more functionality and attack surface. As a result, a phone in AFU is much more susceptible to attack than one in BFU.
Apple code contains a lot of debug strings, and a quick search on GitHub turns up one called inactivity_reboot. After working through logs and reverse engineering some kernel drivers, the author traced the source of the reboot to the Secure Enclave Processor (SEP). The keys needed to decrypt the SEP firmware were leaked recently, which made it possible to reverse engineer the code in Binary Ninja. Unfortunately, the SEP firmware has no symbols and very few debug strings.
The rumor is that the reboot happens after 72 hours, so the author searched the SEP firmware for that constant expressed in seconds and in milliseconds. Sadly, compiler optimizations mean such constants don't necessarily survive as literal values in the binary, but Binary Ninja knows how to undo those optimizations, so the values can still be searched for. Crazy! The search turned up a set of values corresponding to 3 days, 2 days, 1 day, and 2.5 hours, defined as an enum in the code. Neat!
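As an added example (not code from the original writeup or from Apple), here is the kind of scanner you would write for this search. It takes a decrypted firmware image as a byte string and looks for the candidate durations in two ways: as raw little-endian 32/64-bit integers in seconds, milliseconds and nanoseconds (the data or literal-pool case), and as AArch64 MOVZ/MOVK pairs, which is how the compiler materialises a 32-bit immediate in code and one reason a plain byte search misses such constants. The blob it scans is constructed inline; the register number, the layout, and the choice of which values are stored in milliseconds versus seconds are assumptions for the sample, not facts about the SEP firmware.

```python
"""Hunt for time-interval constants in a decrypted firmware blob.

Added example (not code from the original writeup or from Apple). It assumes a
flat decrypted firmware image as a byte string and looks for the candidate
durations (3 days, 2 days, 1 day, 2.5 hours) in two ways:
  1. as raw little-endian 32/64-bit integers in s, ms or ns (data / literal pools);
  2. as AArch64 MOVZ/MOVK pairs, the way a compiler builds a 32-bit immediate
     in code, so the value never appears as contiguous bytes.
"""
import struct

# Candidate intervals in seconds: the 72 h rumour plus the other timer values
# the writeup reports finding in the enum.
CANDIDATES = {
    "3 days": 3 * 24 * 3600,       # 259200
    "2 days": 2 * 24 * 3600,       # 172800
    "1 day": 24 * 3600,            # 86400
    "2.5 hours": int(2.5 * 3600),  # 9000
}
UNITS = {"s": 1, "ms": 1_000, "ns": 1_000_000_000}


def encodings(seconds):
    """Yield (label, pattern) for every unit/width the duration might be stored as."""
    for unit, mult in UNITS.items():
        value = seconds * mult
        for fmt, width in (("<I", 32), ("<Q", 64)):
            if value < (1 << width):
                yield f"{unit}/u{width}", struct.pack(fmt, value)


def find_all(blob, pattern, align=4):
    """Offsets of pattern in blob, keeping only align-byte aligned hits (cuts false positives)."""
    hits, start = [], 0
    while (idx := blob.find(pattern, start)) >= 0:
        if idx % align == 0:
            hits.append(idx)
        start = idx + 1
    return hits


def scan_raw(blob, candidates=CANDIDATES):
    """(offset, name, encoding) for each raw integer match, sorted by offset."""
    out = []
    for name, secs in candidates.items():
        for label, pat in encodings(secs):
            out += [(off, name, label) for off in find_all(blob, pat)]
    return sorted(out)


# AArch64 encodings: MOVZ Wd,#imm16         (hw=0) = 0x52800000 | imm16<<5 | Rd
#                    MOVK Wd,#imm16,LSL #16 (hw=1) = 0x72A00000 | imm16<<5 | Rd
MOVZ_W_HW0, MOVK_W_HW1, OPMASK = 0x52800000, 0x72A00000, 0xFFE00000


def find_mov32_pairs(blob):
    """(offset, rd, value) for each adjacent MOVZ/MOVK pair building a 32-bit immediate."""
    n = len(blob) // 4
    words = struct.unpack(f"<{n}I", blob[: n * 4])
    for i in range(n - 1):
        a, b = words[i], words[i + 1]
        if (a & OPMASK) == MOVZ_W_HW0 and (b & OPMASK) == MOVK_W_HW1 and (a & 0x1F) == (b & 0x1F):
            lo, hi = (a >> 5) & 0xFFFF, (b >> 5) & 0xFFFF
            yield i * 4, a & 0x1F, lo | (hi << 16)


def scan_immediates(blob, candidates=CANDIDATES):
    """Match MOVZ/MOVK-built immediates against the candidates (any unit that fits 32 bits)."""
    wanted = {}
    for name, secs in candidates.items():
        for unit, mult in UNITS.items():
            if secs * mult < (1 << 32):
                wanted[secs * mult] = (name, f"{unit}/movz+movk")
    return sorted((off, *wanted[val]) for off, _rd, val in find_mov32_pairs(blob) if val in wanted)


def find_durations(blob):
    """Both search strategies merged and sorted by offset."""
    return sorted(scan_raw(blob) + scan_immediates(blob))


# --- constructed sample input (stands in for a decrypted firmware image) ---

def encode_mov32(rd, value):
    """MOVZ Wd,#lo ; MOVK Wd,#hi,LSL #16 for a 32-bit value (helper for the sample only)."""
    lo, hi = value & 0xFFFF, (value >> 16) & 0xFFFF
    return struct.pack("<II", MOVZ_W_HW0 | (lo << 5) | rd, MOVK_W_HW1 | (hi << 5) | rd)


def build_sample_blob():
    """Constructed blob: 1 KiB filler, a timer table (three values in ms, one in s),
    code that materialises 259200 s in w8 via MOVZ/MOVK, then more filler."""
    filler = bytes(range(256)) * 4
    table = struct.pack("<IIII", 259_200_000, 172_800_000, 86_400_000, 9_000)
    code = encode_mov32(8, 259_200)  # assumed register w8; w8 = 0x3F480
    return filler + table + code + filler


if __name__ == "__main__":
    for off, name, how in find_durations(build_sample_blob()):
        print(f"0x{off:06x}  {name:10s}  {how}")
```

Run it directly to print the hits. The raw byte search is cheap but blind to constants that are built in registers, expressed as an arithmetic expression (such as days multiplied by 86400), or compared against only after a division, which is the case a decompiler-level search like the writeup's Binary Ninja approach handles. Treat short values such as 9000 with suspicion: a 4-byte pattern that small collides often in a large image even with the alignment filter, so confirm each hit by looking at the surrounding code.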
The author didn't dig much deeper than this, but did establish that phones communicating with each other have nothing to do with it: the reboot is driven entirely by an internal timer.
This was an interesting dive into a new Apple security feature. Law enforcement doesn't seem happy with the change, but it is also a major improvement against theft, since a stolen phone left sitting around falls back into the much harder-to-attack BFU state. Good writeup!