Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

stacksmashing

@ghidraninja

May 8, 2021 • 6 tweets • 2 min read • Read on X

@colinoflynn

Yesss!!! After hours of trying (and bricking 2 AirTags) I managed to break into the microcontroller of the AirTag! 🥳🥳🥳

/cc @colinoflynn @LennertWo

Dumped the firmware and some important areas😀(am I missing any other important ones from the nRF52?)

@colinoflynn

Thanks to @colinoflynn for the test point mapping (and nerdsniping me with the AirTags in the first place), and also for listening to my rambling/cursing/etc :)

And confirmed that we can re-flash the microcontroller! Woohoo.

Built a quick demo: AirTag with modified NFC URL 😎

(Cables only used for power)

And with that it’s time for me to get some sleep :) This was a ton of fun!

(Also, can I now claim I was first to “hack” an Apple device?!)

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @ghidraninja

stacksmashing

@ghidraninja

Aug 8, 2024

Let's talk about some of the security features of the new @Raspberry_Pi RP2350, because they are 🔥🧵

1.) Glitch Detectors

The RP2350 has 4 embedded glitch detectors, with configurable sensitivity. These will respond to voltage & EM fault-injection attempts, and reset the chip.

In our testing we found that they are quite effective at capturing most glitches.

2.) The RCP - Redundancy Coprocessor

The RCP protects the bootrom against fault-injection (and other) attacks by generating randomized stack canaries (in hardware!), providing boolean value validation based on bit-patterns, etc.

Read 9 tweets

stacksmashing

@ghidraninja

Mar 5, 2024

One of my neighbours seems to have a smart toilet - and it looks like I can connect to it 👀

According to the website I can remote control the bidet functionality 😂

Can someone figure out the part number of the control board? Can't seem to find it as a replacement part :D

Read 6 tweets

stacksmashing

@ghidraninja

Oct 12, 2023

So I was trying to sniff the BitLocker TPM key on an old laptop of mine - it has this great debug port that exposes most of the TPM (Low Pin Count Bus) signals, but it’s missing the clock signal.

So I could either hunt for the clock signal on the backside - or build a "clockless" LPC analyzer! And after a bit of coding I built a @saleae LA analyzer that doesn't need a clock signal - and was able to decode the whole TPM communication!

Then I wrote a couple of simple scripts to extract the VMK (Volume Master Key) from my recorded traffic!

Read 9 tweets

stacksmashing

@ghidraninja

Sep 23, 2023

Let’s gooo

Off to a good start - let the jankiness begin

First good news, the amazing Asahi macvdmtool works with the iPhone 15! So you can reboot etc the phone via USB-C :)

(Ignore the error)

Read 16 tweets

stacksmashing

@ghidraninja

Jul 13, 2023

Ever wondered what makes a secure element secure?

A part of it is this pattern:

This is a (not-so-great😅) die shot of the upper side of an ATECC608A secure element. As you can see, the upper layer looks like it's all metal - but if we zoom in, we get the above pattern

This pattern is there to prevent invasive attacks such as microprobing, and also makes it necessary to delayer the chip to start even seeing any of the actual logic (though you can just look at it from the backside using IR).

(Picture by TU München: ) https://t.co/TtL7UNgsqece.cit.tum.de/en/eisec/resea…

Read 5 tweets