Notices by jiska 🦄:fairydust: (jiska@chaos.social)

Firmware memory access through HCI was never considered a threat, since an attacker requires at least code execution in the Bluetooth daemon/driver for getting code execution in the Bluetooth firmware.

This threat model changed slightly when we showed further privilege escalation, in particular code execution in the WiFi firmware via Bluetooth. Now, this interface is only available until Bluetooth firmware patches were applied at driver/daemon initialization.

https://arxiv.org/pdf/2112.05719

Tarlogic found a "backdoor" in the ESP32 chips: https://social.lansky.name/@hn100/114127956134801350

Broadcom and Cypress chips have the same HCI "backdoor" allowing to write to the Bluetooth chip's RAM. This feature is used for firmware patches.

We didn't request CVEs for that 9 years ago. Instead, we built the InternalBlue Bluetooth research framework: https://github.com/seemoo-lab/internalblue

@LaF0rge Apple uses a custom variant of QMI where even 1/3 of their services are proprietary 🥲 but except from that, the working principle is quite similar.

@LaF0rge feel free to ping me at CCC, I'll bring some setup. :)

Might be possible via QMI modification/injection.

How does the new iOS inactivity reboot work? What does it protect from?

I reverse engineered the kernel extension and the secure enclave processor, where this feature is implemented.

https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivity.html

Apple added a feature called "inactivity reboot" in iOS 18.1. This is implemented in keybagd and the AppleSEPKeyStore kernel extension. It seems to have nothing to do with phone/wireless network state. Keystore is used when unlocking the device. So if you don't unlock your iPhone for a while... it will reboot!

In the news: "Police Freak Out at iPhones Mysteriously Rebooting Themselves, Locking Cops Out"
https://www.404media.co/police-freak-out-at-iphones-mysteriously-rebooting-themselves-locking-cops-out/

iOS version diffs to see yourself:
https://github.com/search?q=repo%3Ablacktop%2Fipsw-diffs%20inactivity_reboot&type=code

OH: "ASN.1 is JSON for boomers."

Wanted to charge my MacBook with a power bank. Worked well. Once the power bank was discharged, my MacBook started charging the power bank 🤡🤡🤡

?????

@neingeist konnte in Onkel Jeff's Buchladen nicht finden :(

@neingeist The Shop schickt sie dir schon per Drohne bevor du sie bestellt hast

Gerade gelernt, dass es nicht "Regalbrettmetallnupsies" heißt, sondern "Bodenträger" 🤔