“Bumpy Road” to Success

The clash between the FBI and Apple over unlocking the iPhone 5c belonging to the San Bernardino shooter made headlines earlier this year. Apple refused to unlock the phone, while the FBI declared that it was technically impossible. But Cambridge Professor Sergei Skorobogatov, a graduate of MIFI in Moscow, Russia, solved the problem brilliantly. Surprisingly, it took him only about $100 of equipment, most of it, including iPhone 5c spare parts, bought on eBay.


Cambridge Professor Cracked Apple’s Passcode Retry Limit

With that he managed to clone the NAND memory that houses the passcode retry counter, making the number of attempts effectively unlimited. In his words, “a full scan of all possible 4-digit passcodes will take about 40 hours or less than two days.” That is enough in most cases, since many owners of handheld devices use 4-digit passcodes such as a birth date, a birth year or the year of purchase. So we strongly recommend that you revise your iPhone passcode now, in light of Professor Skorobogatov’s findings.

But it was a challenging task, and not one you can repeat at home unless you have the same expertise in the field.

As iPhone users know, you have just 10 attempts to enter the passcode. After 5 consecutive wrong entries a short waiting time of 5 seconds is added. The waiting time increases with every further mistake, reaching as long as 60 minutes before all the data is erased with no chance of restoring it. The UID key used in the passcode calculation is part of the CPU firmware and can’t be hacked Hollywood-style with just a computer and a keyboard.

So the crucial task was to back up the data so that it would not be damaged by entering wrong passcodes. The professor disassembled the iPhone 5c and cloned the NAND memory used for storage. That was a tricky process: first, the parts were not only soldered but also glued with a strong epoxy compound, and second, simply cloning the NAND memory does not work with the iPhone 5c. iTunes refused to restore the phone and reported unknown errors 14 and 4013.

Part of the problem was the nature of NAND memory itself. NAND memory stores data in cells, with additional cells allocated for error-correction data. Faulty blocks are marked as unusable or replaced with fresh ones. Apple uses Perfect Page New (PPN) technology for this.

When cloned naively, the data is rearranged and written to other cells, and the Apple CPU firmware could not ‘find’ it in the expected places. It is like having the items in your desk drawers or on your garage shelves rearranged: you were used to keeping your drill on a shelf by the door and now it is on the floor in a box, or your pencil sharpener has moved from the top drawer to the bottom one. A bit irritating, isn’t it?

The other part of the problem is that NAND memory can sustain only a limited number of write cycles. So you need not one but several NAND clones, swapping them as you try passcodes.

For more elaborate technical details, we invite our readers to click the footnote.

With the NAND cloning issues solved, the procedure for defeating the retry counter looks as follows. You need a test board plugged into a PC with a logic analyzer, a number of cloned NAND modules and a disassembled iPhone. You plug the clones in turn into the disassembled iPhone, power it up and attempt to enter a passcode. After 6 wrong entries you power the phone down, wait about 10 seconds for the NAND to lose power, swap in the next NAND clone and repeat.

Here is the video posted by Sergei Skorobogatov to illustrate the whole process:

The experts see no problem at all in applying this technique to the iPhone 6 and iPhone 7. What does it mean for us end users? First, as mentioned above, reconsider your passcode length: it must be at least 8 digits long. Second, try not to leave your iPhone unattended. If you lose your iPhone or it is stolen, follow Apple’s guide and, if you fear that your passcode isn’t hack-proof enough, erase the phone remotely. For that case, don’t forget to back up the data on your smartphone regularly. Then call your wireless carrier and ask them to block your account.
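As an added illustration, not part of the original article or of Skorobogatov’s own work, here is the retry policy and the clone-swapping procedure described above as a toy cost model in Python. The escalation steps between the 5-second and 60-minute delays and the 12 seconds per attempt are assumptions, chosen so that the 4-digit case lands near the quoted 40 hours; the model shows why a counter kept in mirrorable NAND no longer limits anything, and why the advice is 8 digits rather than 6.

```python
"""Toy cost model of the iPhone 5c passcode retry policy as the article
describes it, with and without the retry counter being restored from a
NAND clone. Added example; timing constants are assumptions."""
import math

WIPE_AFTER = 10            # article: 10 failed attempts, then the data is erased
ATTEMPTS_PER_CLONE = 6     # article: 6 wrong entries, then power down and swap
ATTEMPT_S = 12             # assumption: seconds to power up and enter one guess
SWAP_S = 10                # article: ~10 s for the NAND to lose power before a swap
# Assumed escalation for the 5th..9th consecutive failure; the article gives
# only the first step (5 s) and the cap (60 min).
LOCKOUT_S = (5, 60, 300, 900, 3600)


def lockout_delay(failed: int) -> int:
    """Seconds the device makes you wait after `failed` consecutive failures."""
    if failed < 5:
        return 0
    return LOCKOUT_S[min(failed - 5, len(LOCKOUT_S) - 1)]


def seconds_with_counter_honored(guesses: int):
    """Wall-clock seconds for `guesses` attempts when the counter is real.
    Returns None when the device wipes itself first (guesses > WIPE_AFTER)."""
    if guesses > WIPE_AFTER:
        return None
    return sum(lockout_delay(k) + ATTEMPT_S for k in range(guesses))


def seconds_with_nand_mirroring(guesses: int) -> int:
    """Same, when a fresh NAND clone resets the counter after every
    ATTEMPTS_PER_CLONE failures: the long delays and the wipe are never
    reached, only the first 5 s step inside each batch of six."""
    per_batch = sum(lockout_delay(k) + ATTEMPT_S
                    for k in range(ATTEMPTS_PER_CLONE)) + SWAP_S
    return math.ceil(guesses / ATTEMPTS_PER_CLONE) * per_batch


def full_scan_hours(digits: int) -> float:
    """Hours to try every numeric passcode of the given length with mirroring."""
    return seconds_with_nand_mirroring(10 ** digits) / 3600


if __name__ == "__main__":
    print("counter honored, 10 guesses:", seconds_with_counter_honored(10), "s")
    print("counter honored, 11 guesses:", seconds_with_counter_honored(11))
    for d in (4, 6, 8):
        print(f"{d}-digit full scan with mirroring: {full_scan_hours(d):,.0f} h")
```

With these assumptions a 6-digit scan takes about 168 days and an 8-digit scan about 46 years, against roughly 40 hours for 4 digits.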

[Video: nand_mirroring]
