LightBulbOne

One bright idea after another.

  • UEFI Ninja

    As Wikipedia and its own forum say, UEFI (Unified Extensible Firmware Interface) is a software layer situated between the operating system and platform firmware. It was developed as a replacement for the BIOS and provides an environment where developers can create applications and drivers for use before the operating system is loaded. UEFI is defined as a specification with a corresponding reference implementation named Tianocore. In order to better understand another target I am reversing, it became clear that I needed to learn more about UEFI and reverse some aspects of it.

    Read more…
  • Reversing a macOS Kernel Extension

    In my last post I covered the basics of kernel debugging in macOS. In this post we will put some of that to use and work through the process of reversing a macOS kernel module. As I said in my last post, in macOS there is a kernel module named “Don’t Steal Mac OS X” (DSMOS) which registers a function with the Mach-O loader to unpack binaries that have the SG_PROTECTED_VERSION_1 flag set on their __TEXT segment.

    Read more…
  • Introduction to macOS Kernel Debugging

    In macOS there is a kernel module named “Don’t Steal Mac OS X” (DSMOS) which registers a function with the Mach-O loader to unpack binaries that have the SG_PROTECTED_VERSION_1 flag set on their __TEXT segment. Finder, Dock, and loginwindow are a few examples of binaries that have this flag set. As it turns out, this kernel module at one point played a role in the myth that Apple had included a TPM in their Mac hardware.

    Read more…
  • Analysis of the iOS Bluetooth Stack: BlueTool

    On iOS the Bluetooth stack is split into three layers as shown in Figure 1. At the top is the CoreBluetooth framework used by iOS app developers and at the bottom is the Bluetooth hardware itself. In between these two layers is a collection of daemons that implement various aspects of the Bluetooth stack. For example, most Bluetooth Low Energy (BLE) specific functionality is contained in the BTLEServer daemon. BlueTool is one of the daemons running and is primarily responsible for acting as a bridge between the rest of the Bluetooth stack and the hardware.

    Read more…
  • IDA Processor Options - Oops.

    Archive: This post is from an archive which unfortunately did not include images. So I’ve been working through the LLB code that I talked about in my last article and kept running into incorrectly decoded instructions. I knew they were wrong because (A) the output IDA was giving made no sense and (B) I manually decoded some of them myself to check it. The problem? I forgot to set the processor options when loading the LLB binary.

    Read more…
  • Reverse Engineering the iOS Boot Mechanism: Part 1

    Due to some unforeseen medical issues, my time as an elite athlete abruptly came to an end a couple of months ago, and while dealing with those issues I had a lot of free time on my hands. So, naturally, I finally got around to reading Mac OS X Internals: A Systems Approach by Amit Singh and Mac OS X and iOS Internals: To the Apple’s Core by Jonathan Levin in their entirety.

    Read more…
  • Snooping on CommCenter

    CommCenter is a wonderful part of iOS since it is the single point that is responsible for communication between iOS and the baseband. And with the baseband being responsible for controlling the telephony components, I wanted to see what CommCenter was telling it. To do this, all you need to do is create a dynamic library with a few functions and then shove that in between CommCenter and the baseband. Easy, eh?

    Read more…
  • iOS Shared Cache Extraction

    Having fallen off the iOS-exploration train due to completing my Masters and other commitments, I have finally climbed back aboard in pursuit of understanding the telephony stack. Like most things in iOS that are used frequently, the vast majority of the frameworks and libraries used in the telephony stack reside in the dyld shared cache located at /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armv7. In this post I am going to explain how to go about extracting this cache file so that you can then work with each library individually.

    Read more…
  • Remote Debugging With lldb

    The other day I was working on a project in Xcode and was getting fed up with it crashing and just not behaving. So I set out on a mission to figure out how to remote debug an iOS app. The secret to it all is LLDB, the LLVM Debugger. LLDB is now the default debugger in Xcode (and has been for a while) and is a pretty powerful debugger complete with scripting in Python and many other hidden gems.

    Read more…
  • Fuzzy iOS Messages!

    A while ago I came across a post about fuzzing with a new data flow language called Pythonect. When I read about it I thought it sounded like a pretty nifty language, so I decided to try using it to fuzz the iMessage interface in the iOS Messages app. The first part of this task is to come up with a way to send messages to an iOS device using the iMessage service.

    Read more…