[benzinschleuder]

Amazing. Did they need to jailbreak or physically open the phone to find all this stuff? They talk about reversing binary images and using their "Legilimency" toolkit; I wonder if a vanilla phone was enough to research all this and propagate through Wi-Fi.

[0x0]

I'm guessing there must be other jailbreaks involved to be able to observe and experiment on the ios kernel side of things while developing the wifi chip exploit; going in all blind from the wifi side only sounds impossible. The question now is, are they sitting on 0day jailbreaks for current iOS versions or did they have to do all the tests on legacy iOS versions?

[xoa]

It looks like that setup work for their research environment was all covered in part 1 (all the parts are really interesting and worth a read if anyone hasn't already incidentally). Specifically, the reason they mention at the end of part 3 that

>The exploit has been tested against the iPhone 7 running iOS 10.2 (14C92).

was because iOS 10.2 has a known kernel exploit developed by Ian Beer [1], and they used that as part of the basis of subsequent research. Presumably they either found some iPhones still running 10.2 (which stopped being signed a long while back) or like many well funded researches just keep a set of different iPhones loaded with major iOS versions so they're ready to go for research if an exploit is found after signing stops (dedicated jailbreakers sometimes to the same thing if they can). And of course security patches themselves are handy for reverse engineering old exploits from whatever bugs Apple fixes.

In part one read under "Kernel Memory Analysis Framework".

----

1: https://googleprojectzero.blogspot.co.uk/2017/04/exception-o...

[rasz]

most likely this research is a result of Project Zero playing with PCIe interception/injection hardware toolset