Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
stacksmashing Profile picture
@ghidraninja
May 7, 2021 20 tweets 6 min read Read on X
Scrolly
Continuing the tweet-chain of @colinoflynn on AirTag hacking, we will look at the flash contents now!
Similar to most Apple embedded devices, the AirTags also seem to run RTKit... And this is where it gets interesting: It's a DEBUG build - debug builds have more functionality, and sometimes more logs & co - this is good news!

/cc @naehrdine Image
Also looks like the firmware for the U1 DSP is on the flash, as you can find a ton of AArch64 instructions Image
Next step: Dump the rkos images contained in the firmware...
Using ftab-dump (github.com/19h/ftab-dump) it's as simple as this 😀 Image
Looks like both rkos are identical - maybe a recovery/fallback version? Image
Ohhh, what do we have here? This looks a lot like it might be an nRF52 firmware, which is the microcontroller used on the AirTag! Image
Hmm too bad, looks like it's just a reset vector, not actual firmware :)
Also here's the entropy graph of the whole thing, looks like nothing is encrypted :) Image
I still remember when I first saw this Apple note - in the firmware images of my 3rd generation iPod when I just got started with hardware/firmware reversing 😀 Image
Well hello there, nRF52 firmware🥸 Image
(If someone close to Stuttgart has too many AirTags and can spare one.. hit me up 👀)
Found a SHA256 implementation in the firmware, slowly trying to get an overview Image
For those playing along at home: Loaded the firmware starting at 0x28D000 into Ghidra, loading offset seems to be 0x1c000 - guessing that there's a bootloader in front of that?!

Then used SVD-Loader to load an nrf52 SVD I found - it's not super detailed but gets the job done
Looks like this is the function that generates the "I found a tag" URL: Image
Sweet, picking some tags up in an hour, that should be fun😬
That raw talent: Buy something and IMMEDIATELY brick it -.- Image
ImageImage
And found the SoftDevice firmware used on the AirTag - thanks for the hint that it's at the beginning of the flash @JAlDhalemi :) Image
As so often I’m stuck in writing tools: this time a dual SPI analyzer that gives me the data in the format I need :)

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with stacksmashing

stacksmashing Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ghidraninja

stacksmashing Profile picture
Aug 8, 2024
Let's talk about some of the security features of the new @Raspberry_Pi RP2350, because they are 🔥🧵
1.) Glitch Detectors

The RP2350 has 4 embedded glitch detectors, with configurable sensitivity. These will respond to voltage & EM fault-injection attempts, and reset the chip.

In our testing we found that they are quite effective at capturing most glitches. Image
2.) The RCP - Redundancy Coprocessor

The RCP protects the bootrom against fault-injection (and other) attacks by generating randomized stack canaries (in hardware!), providing boolean value validation based on bit-patterns, etc. Image
Read 9 tweets
stacksmashing Profile picture
Mar 5, 2024
One of my neighbours seems to have a smart toilet - and it looks like I can connect to it 👀 Image
According to the website I can remote control the bidet functionality 😂 Image
Can someone figure out the part number of the control board? Can't seem to find it as a replacement part :D
Read 6 tweets
stacksmashing Profile picture
Oct 12, 2023
So I was trying to sniff the BitLocker TPM key on an old laptop of mine - it has this great debug port that exposes most of the TPM (Low Pin Count Bus) signals, but it’s missing the clock signal. Image
So I could either hunt for the clock signal on the backside - or build a "clockless" LPC analyzer! And after a bit of coding I built a @saleae LA analyzer that doesn't need a clock signal - and was able to decode the whole TPM communication! Image
Then I wrote a couple of simple scripts to extract the VMK (Volume Master Key) from my recorded traffic! Image
Read 9 tweets
stacksmashing Profile picture
Sep 23, 2023
Let’s gooo Image
Off to a good start - let the jankiness begin Image
First good news, the amazing Asahi macvdmtool works with the iPhone 15! So you can reboot etc the phone via USB-C :)

(Ignore the error)
Image
Image
Read 16 tweets
stacksmashing Profile picture
Jul 13, 2023
Ever wondered what makes a secure element secure?

A part of it is this pattern: Image
This is a (not-so-great😅) die shot of the upper side of an ATECC608A secure element. As you can see, the upper layer looks like it's all metal - but if we zoom in, we get the above pattern Image
This pattern is there to prevent invasive attacks such as microprobing, and also makes it necessary to delayer the chip to start even seeing any of the actual logic (though you can just look at it from the backside using IR).

(Picture by TU München: ) https://t.co/TtL7UNgsqece.cit.tum.de/en/eisec/resea…
Image
Read 5 tweets
stacksmashing Profile picture
Aug 16, 2021
Bought one of those small 7” field monitors for filming…

Turns out it drains its battery with 72mA - while turned off 😐
I’m sure my NP-F550 batteries really like to get discharged to absolute zero 🥲
Is that a debug header? 👀 Backside of a device, showing a tiny connector
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(