The iPhone 5c is Apple's latest smartphone to be powered by a 32-bit processor. At the same time, the iPhone 5c is an iconic model that became widely known after the incident in San Bernardino. Five years ago, the hacking of the iPhone 5c of a San Bernardino terrorist became a stumbling block and the cause of a heated debate between Apple and the FBI. Today, such a device can be hacked quickly and quite simply.
What is interesting about the iPhone 5c, by any measure a seriously outdated phone? At least two things. From a technical point of view, this is the last iPhone model without a Secure Enclave coprocessor, which makes it possible to obtain full access to its contents, including every encryption key without exception. Hacking an iPhone of this model is, in effect, the last remaining opportunity to dig into the internals of the iOS security subsystem, which on newer models is made inaccessible by hardware protection.
But this model is interesting not only from a technical, but also from a political point of view. It was this model that became a stumbling block and a point of collision of interests between Apple and the Federal Bureau of Investigation.
Essentially an entry-level budget model, the iPhone 5c became infamous after the San Bernardino terrorist attack in December 2015. The phone of this model, which belonged to the shooter's employer, was locked with a four-digit passcode unknown to either the employer or the security services. Moreover, the device was configured to erase all data after ten unsuccessful attempts to guess the passcode. Panic led to hasty actions: the terrorist's employer changed the iCloud password, which made it impossible to create a fresh cloud backup. The work of the security services stalled; the lock code was needed to retrieve information from the phone.
There were no technical means for hacking such devices in those years. The Federal Bureau of Investigation demanded that Apple create software that would allow the FBI to unlock the terrorist's iPhone 5c. Apple refused to create such software (although technically it could have done so without much effort). A court hearing was scheduled. However, the day before, the prosecution requested a postponement, claiming that a third party existed that was capable of helping to unlock the device. A few days later, it was announced that the FBI had managed to unlock it. The hearing did not take place and the lawsuit was dropped.
It is still not officially known what method the FBI used to obtain the passcode or who developed it. However, we do know the approximate amount paid to hack the device: FBI Director James Comey said in an interview that hacking the phone cost the FBI more than $1.3 million. The name of the contractor was never made public. Some anonymous sources claim that the contractor was the Israeli company Cellebrite, which has neither denied nor confirmed this. The Washington Post, however, reported that, according to other anonymous "people familiar with the matter," the FBI paid "professional hackers" to exploit an unpublished vulnerability in iPhone software.
There are several alternatives to our proposed method for cracking the iPhone 5c. First of all, of course, the purely commercial products and services of Cellebrite must be mentioned. These solutions are available exclusively to law enforcement agencies, and not in every country, and they cost tens of thousands of dollars.
At one time, it was possible to brute-force lock codes using a hardware "black box" called IP-BOX and its clones. The main disadvantage of all these devices is that they do not work with modern versions of iOS: only versions up to and including iOS 8.1 are supported. The second drawback is the low search speed: about 6 seconds per attempt, or 17 hours to crack a four-digit PIN code.
Another approach was the one authored by Sergei Skorobogatov. In his project "Security Analysis of Apple iPhone 5c", Sergei demonstrated an attack that allows him to find the lock code of an iPhone 5c. His method also has disadvantages. Firstly, the phone has to be disassembled, which not everyone can do. The second drawback is the same as with IP-BOX: the brute-force speed does not exceed one passcode every 5 seconds. Sergei himself states that a four-digit passcode can be cracked in about a day, while brute-forcing a six-digit PIN code is completely pointless.
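To put the attempt rates quoted above into perspective from a policy-setting point of view, here is an added risk estimator (not code from the article or from Elcomsoft). It models a uniformly random numeric passcode tried one guess at a time at a fixed cost per attempt, with and without an erase-after-N-failures cap, and generalises the 4-digit figures to other lengths and alphabets; `PasscodePolicy` and the function names are assumptions of this example.

```python
"""Passcode brute-force risk estimator (added example, not from the article).

Assumes a uniformly random passcode, one guess per attempt at a fixed cost,
and no hardware rate limiter (the iPhone 5c situation described in the text).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasscodePolicy:
    alphabet: int                     # 10 for digits-only codes
    length: int                       # 4- or 6-character code
    wipe_after: Optional[int] = None  # "erase data after N failures", if enabled

    @property
    def keyspace(self) -> int:
        return self.alphabet ** self.length


def worst_case_seconds(policy: PasscodePolicy, seconds_per_attempt: float) -> float:
    """Time to exhaust the entire keyspace at the given cost per attempt."""
    return policy.keyspace * seconds_per_attempt


def expected_seconds(policy: PasscodePolicy, seconds_per_attempt: float) -> float:
    """Average time to hit a uniformly random code: (K + 1) / 2 attempts."""
    return (policy.keyspace + 1) / 2 * seconds_per_attempt


def guess_success_probability(policy: PasscodePolicy, attempts: int) -> float:
    """Chance that `attempts` sequential guesses contain the code.

    With the erase-after-N setting enforced, the attacker only ever gets N
    guesses; with the setting bypassed (ramdisk attack) the cap does not apply.
    """
    if policy.wipe_after is not None:
        attempts = min(attempts, policy.wipe_after)
    return min(attempts, policy.keyspace) / policy.keyspace


if __name__ == "__main__":
    # Constructed comparison table: digits-only codes at the two quoted rates.
    for length, rate in ((4, 6.0), (4, 5.0), (6, 5.0)):
        p = PasscodePolicy(alphabet=10, length=length)
        hours = worst_case_seconds(p, rate) / 3600
        print(f"{length}-digit code at {rate:.0f} s/attempt: worst case {hours:.1f} h")
```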
How it works
We have created a purely software method that allows brute-forcing the passcode directly on the device itself. No screwdriver or soldering iron is needed for this; a simple Lightning cable is enough. Our method is based on the well-studied checkm8 exploit, which by itself, however, does not provide a passcode attack. At the moment, we have implemented the attack only from Mac computers.
The jailbreak process for iPhone 5c is as follows.
First, we need to load our own custom ramdisk onto the device. It is from this ramdisk that the passcode brute force is run. Loading custom (unsigned) firmware was made possible by the checkm8 BootROM exploit. To boot the device and disable all checks, follow these steps.
Step 1. We transfer the phone to DFU mode
The first step is to put the device into DFU mode. This can only be done manually; there is no command that can do it. For the iPhone 5c, several ways of switching to the desired mode have been found. For example, this.
When using Elcomsoft iOS Forensic Toolkit, interactive instructions are shown.
The following sequence seems quite simple to us.
Initial state: the phone must be turned off and not connected to the computer.
- Press the Home button (the single central button on the front panel) and, while holding it, connect the Lightning cable. Release Home when the "Connect to iTunes" picture appears on the device screen.
- Simultaneously hold down Home and Sleep / Power (the lock button on the top of the device) and hold them for 8 seconds (the Apple logo will appear on the screen for a while).
- Release the Sleep / Power button, but continue to hold Home for another 8 seconds.
If everything is done correctly, the screen of the device will stay black, and in iTunes or Finder (depending on the version of macOS used) the phone will appear as an iPhone in recovery mode.
Everything is ready for the next steps.
Step 2. Exploit DFU
At this step, we enter pwned DFU mode using the method of the checkm8 exploit. This exploit is interesting because it exploits a hardware vulnerability in the BootROM bootloader that cannot be patched by a firmware update. On devices with a Secure Enclave (all 64-bit iPhone models starting from the iPhone 5s), you can jailbreak this way, but you will not be able to start a fast brute-force attack: the Secure Enclave limits the brute-force speed at the hardware level. The iPhone 5c, however, is a perfect candidate: there is no hardware security coprocessor, so you can do almost anything.
Question: why, in this case, break the lock code at all? Isn't it easier to extract the data from the phone right away? Alas, without the lock code you get a very limited amount of information. The main data set is encrypted, and its key is derived from the lock code that the user enters after the device boots. At the same time, it is impossible to move the search off the iPhone: checking the lock code and computing the encryption keys must be carried out by the processor of the device itself.
However, let's continue. As a result of the exploit, we find ourselves in a mode known under the unofficial name pwned DFU. This is still DFU mode (that is, the system is not booted), but we now have access to the system files (so we can install the checkra1n jailbreak) and to the device's ramdisk.
We are now interested in the ramdisk. To launch an attack on the lock code, we need to run our own code. However, to run an unsigned application, the exploit alone is not enough: we must patch the signature verification at each boot stage, namely in the iBSS, iBEC and kernelcache firmware files.
Step 3. Disable signature verification
In this step, we patch the signature verification in iBSS. In iBEC, not only is signature verification patched, but the following boot parameters are also set:
boot-args: "rd=md0 -v amfi=0xff cs_enforcement_disable=1"
Thanks to these parameters, we get a verbose boot and disable signature verification from the kernel.
To boot the device, one more file is needed: the DeviceTree. It is a hierarchical description of the hardware devices that the kernel will then use. This file does not need to be patched.
Continuation is available only to members