
Security Research Device Cohort 2021


Intro

Security Research Device Programs are a form of Canary. The Apple Security Research Device 2021 Cohort is nearing its Solstice, and we are announcing srd.cx, a Website for the benefit of the 2021 SRD Cohort and the Public.

The SRD Cohort operates a Bug Tracker, Private Slack Channel, Build Infrastructure providing Code Examples, Cryptex Examples, Loaner Gear, Convenience Targets and more to increase engagement with the SRD.

We may Launch a Public Slack Channel soon.

Quickstart

We have prepared a Post with How-To Instructions for Installing a Cryptex so you can start finding Bugs!

From man cryptex: A cryptex is a cryptographically-sealed archive which encapsulates a well-defined filesystem hierarchy. The host operating system recognizes the hierarchy of the cryptex and extends itself with the content of that hierarchy.

The name “cryptex” is a portmanteau for “CRYPTographically-sealed EXtension”. Thus, cryptexes can be thought of as positionally-independent distribution roots.

These are the quick start instructions to get up and running with the SRD as found in SRDI at README.md:

## Quick start

0. Install the prerequisites and select your Xcode with `xcode-select(1)`.
1. Plug in your Security Research Device
2. Run `cryptexctl device list`
3. Export the environment variable `CRYPTEXCTL_UDID` and set it to the UDID of your device
4. Run `make install`
5. Get the IP address of your device (Settings -> WiFi)
6. Run `nc ${IP} 7777`, if you see "Hello!" it's all working!
7. Now SSH in! `ssh root@${IP}`

RTFM Success

Completing the prerequisites, getting to “Hello!”, and then doing the same with Xcode took about an hour in total to get up and running with the SRD. As shown below, this is the equivalent of ‘RTFM Success’:

telnet 192.168.3.88 7777
Trying 192.168.3.88...
Connected to 192.168.3.88.
Escape character is '^]'.
Hello! I'm process 223
The environment variable CRYPTEX_MOUNT_PATH  contains: "/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.HZN9U8"
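What the listener behind that check has to do to produce such a banner, as an added example. This is not the SRDI's own simple-server (its source is not reproduced on this page): the port number, the banner wording and the check that CRYPTEX_MOUNT_PATH points under the cryptexd mount directory are assumptions taken from the output shown above. Build it into your cryptex, run it on the device, then `nc ${IP} 7777` from the host.

```c
/* Added example, not SRDI code. A minimal TCP greeter in the style of the
 * port-7777 "Hello!" check. Assumptions: port 7777, banner wording, and the
 * cryptexd mount prefix shown elsewhere on this page. */
#define _GNU_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define GREETER_PORT 7777
/* Where com.apple.security.cryptexd mounts a cryptex on the SRD. */
#define CRYPTEX_MNT_PREFIX "/private/var/run/com.apple.security.cryptexd/mnt/"

static char banner_buf[1024];

/* 1 if path names a non-empty entry under the cryptexd mount directory, else 0. */
int is_cryptex_mount(const char *path)
{
    size_t n = strlen(CRYPTEX_MNT_PREFIX);
    if (path == NULL)
        return 0;
    return strncmp(path, CRYPTEX_MNT_PREFIX, n) == 0 && path[n] != '\0';
}

/* Format the banner a client sees. mount may be NULL when the binary is not
 * running out of a cryptex (e.g. while developing on the host).
 * Returns the banner, or NULL if it did not fit in banner_buf. */
const char *banner_for(pid_t pid, const char *mount)
{
    int n = snprintf(banner_buf, sizeof banner_buf,
                     "Hello! I'm process %d\n"
                     "The environment variable CRYPTEX_MOUNT_PATH contains: \"%s\"\n"
                     "Running from a cryptex: %s\n",
                     (int)pid, mount ? mount : "",
                     is_cryptex_mount(mount) ? "yes" : "no");
    if (n < 0 || (size_t)n >= sizeof banner_buf)
        return NULL;
    return banner_buf;
}

/* Listen on all interfaces on port; returns the socket or -1. */
int listen_on(int port)
{
    struct sockaddr_in addr;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int srv = listen_on(GREETER_PORT);
    if (srv < 0) {
        perror("listen_on");
        return 1;
    }
    for (;;) {
        int cli = accept(srv, NULL, NULL);
        const char *b;
        ssize_t w;
        if (cli < 0)
            continue;
        /* CRYPTEX_MOUNT_PATH is in the environment when launched from the
         * cryptex (see the telnet output above); absent on the host. */
        b = banner_for(getpid(), getenv("CRYPTEX_MOUNT_PATH"));
        if (b != NULL) {
            w = write(cli, b, strlen(b));
            (void)w;
        }
        close(cli);
    }
}
```

The third banner line is the useful addition over a plain "Hello!": if it says "no" on the device, your binary was started some other way (Xcode, a shell you copied it into) and is not exercising the cryptex launch path you are trying to study.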

This Website is an SRD Resource to help you start your journey. If you are a ninja, please contribute authoritative, verified Content & Code to help expand the SRD knowledge base.

Shiny New

Step 1: Turn Off Automatic Updates 🙂

Retail iOS Error after Clicking Update

Contribute your experience for this Cohort and the next to learn from and expand the public knowledge base.

Expect the Expected

Along your route, expect to Brick your SRD many times and experience a total loss of Device Confidentiality, Integrity & Availability. Soft Bricking your SRD is a positive sign that you are engaged with the Device and exploring its limits.

What is a SRD?

“The Apple Security Research Device is a specially fused iPhone that allows security researchers to perform research on iOS without having to defeat or disable the platform security features of iPhone. With this device, a researcher can side-load content that runs with platform-equivalent permissions and thus perform research on a platform that more closely models that of production devices.

Restrictions

To avoid having a malicious party attempt to masquerade a research device as a user device to trick a target into using it for everyday usage, the security research device has the following differences:

The security research device starts up only while charging. This can be using a Lightning cable or a Qi-compatible charger. If the device isn’t charging during startup, the device enters Recovery mode. If the user starts charging and restarts the device, it starts up as normal. As soon as XNU starts, the device doesn’t need to be charging to continue operation.

Capabilities

The Security Research Device affords researchers the following abilities that a user device doesn’t: (1) Side-load executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components, (2) Start services at startup, (3) Persist content across restarts.” You can read the entire article here.

What can it do?

Arbitrary Entitlements = Apple Hammer

SRD = Radio Telecommunications Service (RTS) Device with your Code + Apple Hammer

RTS = Loaded with Bugs

Apple Security Research Device – Radio Telecommunication Service Research Device

The SRD is an Apple provided Hammer to inspect Code.

The Researcher has the ability to conduct Air Gap and Faraday Cage testing, or Program a hostile SIM Card and interoperate with other Devices via standard Radio Telecommunications Services with the added capability to load executable code onto the device with arbitrary entitlements at the same permission level as Apple operating system components.

A Researcher with access to a Carrier Switch may conduct endless Fuzzing and manual testing using the Public Switched Telephone and SS7 Networks. The SRD is equivalent to a Fixed Radio Telecommunications (Wireless) Service for the purposes of your Research.

SRD configuration example is an NPA-NXX-XXXX via SIM Card via Carrier. Then, a Secondary eSIM from different Carrier is installed. Lastly, the Device is configured with a test iCloud Account and on the cryptex is Custom Code with arbitrary entitlements at the same permission level as Apple operating system components.

How well does Vendor Code handle Call Setup and Tear Down when ‘DROP TABLES --’ or “<script>confirm(666)</script>;” is delivered from CNAM as the iCLID?

FuzzDB meets Line Information Database (LiDb).

The SRD allows for conducting Research with Code having all the capabilities and permissions as Apple operating system components.

Apple Documentation

What is a Cryptex?

Under the hood, once iOS has booted, Toybox runs out of the cryptex mounted by com.apple.security.cryptexd. “The entitlement that grants cryptexd the ability to mount a disk image is honored only by the research kernel cache. The relevant code path isn’t compiled into the release kernel cache”. See our Article Cryptex X86_64 Installation for more details.

The SRDI uses Toybox for a Shell and Dropbear for the SSH implementation to log in via SSH. Datapoint: Toybox is also the userland Google ships in Android. Below is an example Crash Report where there are a number of moving parts, rabbit holes and landmines to explore:

Dropbear Pointer Authentication Failure
Simple-Server Pointer Authentication Failure – or is it something else?

The 2021 SRD Cohort is building an SRD Knowledge Base in the Public Domain.

Question & Answer

iBoot build-style = RESEARCH_RELEASE
Not Jailbroken

Is the SRD Jailbroken? The direct answer is NO, the SRD is not Jailbroken.

Root Login

Can you log in as root? Yes, you will SSH to the SRD as root. a-Shell, iSH and Blink implement Toybox or Busybox.

Permission Level

Create a workflow starting as a mobile user using Xcode. Consider that the Cryptex will drop you in a Toybox sh shell as root to execute your code on the device with arbitrary entitlements at the same permission level as Apple operating system components.

Entitlements = Hammer

Entitlements = Hammer! Go use a Hammer on everything!

Consider applying the Principle of Least Privilege (PoLP) [EL0] when conducting your SRD Research: install your App or Code via Xcode into a standard container while you study your command line permission level and the cryptex [EL1]. Researcher code on the device executes with arbitrary entitlements at the same permission level as Apple operating system components.
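The PoLP advice above turned into code, as an added example (not code from the page or the SRDI). It assumes your research binary is launched as root from the cryptex and that the test at hand only needs what the unprivileged `mobile` user has; uid/gid 501 for `mobile` is the standard iOS value, everything else is plain POSIX. The point a practitioner wants is the last step: verifying that root is really unreachable after the drop, since a drop that leaves a saved-set-uid of 0 behind is no drop at all.

```c
/* Added example, not SRDI code. Drop from root to the iOS `mobile` user
 * (uid/gid 501, a known iOS constant) before running research code that
 * does not need root, and verify the drop cannot be undone. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MOBILE_UID ((uid_t)501)
#define MOBILE_GID ((gid_t)501)

/* 1 if this process can no longer regain root, else 0. */
int drop_is_irreversible(void)
{
    /* setuid(0) succeeds only while we are still privileged, e.g. when a
     * saved-set-uid of 0 was left behind by an incomplete drop. */
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* Drop to uid/gid in the right order: supplementary groups, then gid, then
 * uid. Returns 0 on success, -1 with errno set otherwise. Safe to call when
 * already running as uid; it then only verifies nothing was left behind. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        errno = EINVAL;           /* refusing to "drop" to root */
        return -1;
    }
    if (geteuid() == 0) {
        /* Only root can clear supplementary groups, and only root has
         * any worth clearing; forgetting this keeps group 0 access. */
        if (setgroups(0, NULL) < 0)
            return -1;
    }
    /* gid before uid: once we are no longer uid 0, setgid would fail. */
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    /* Verify real and effective ids, then that root is gone for good. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    if (!drop_is_irreversible()) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("starting as uid %d (euid %d)\n", (int)getuid(), (int)geteuid());
    if (drop_privileges(MOBILE_UID, MOBILE_GID) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %d and root is unreachable; run the harness from here\n",
           (int)getuid());
    return 0;
}
```

Entitlements are not touched by this: the binary keeps whatever it was signed with, so a drop to uid 501 reduces the uid side of the Hammer only. Use it when you want a bug in your own harness to land as `mobile` rather than as root.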

Debugging Xcode with LLDB as Mobile User

The Cohort will cover the use of entitlements in a separate Post. We will include installing debugserver on the cryptex and connecting back to a Host running LLDB. For additional debugging capabilities the 2021 SRD Cohort wants to get Frida running on the SRD and has made a Request for the following entitlement:

    <key>run-unsigned-code</key>
    <true/>

What is special?

The SRD is a Radio Telecommunications Service Device that allows a Researcher to run code with arbitrary entitlements at the same permission level as Apple operating system components.

Workbench

What is an example Work Bench Configuration?

M1 & X86 Minis and more powerful PC hardware, JTAG Cables and the typical debugging hardware found in a Lab.

Some of the essential Debugging Tools on the workbench are: M1 Mini, X86_64 Pro Laptop, Jailbroken iPhone X, Frida, Wifi-Pineapple, Monitor/Inject Network Cards, Hardware Taps, Hopper, IDA, Breakout Boards, RasPi’s, SIM Cards, POTS Line, Class 5 Switch Access, Twilio, EMF Gear, Thermal Devices, RF/RFI/SDR Tooling. An iPhone 12 Pro, iPad Pro, Homepod & Watch and other Accessories have been very helpful too.

Some of the essential Software Debugging Tools are: Toybox Unstripped, Burp Suite Pro, Proxyman, Wireshark, Paw Cloud, DNS Server, Aircrack-ng, OpenPCAP, Replay Tools, a Cloud Platform for CI/CD, Telemetry, Fuzzing, Crash Reporting and more.

How to Load your Code

Xcode is the easiest method to get your Code onto the SRD. If you want to use SSH and a Terminal to run your Code you will Build a Cryptex File System (man cryptex) which will be mounted like:

/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.%random%

If you like Pictures, this is your CLI | Terminal:

The Cryptex is the Filesystem where your Compiled Code is copied to be run on the SRD via SSH Terminal. If you use Xcode you can just change your Build Target and you will be running your Code just like a normal iPhone. Plug in the SRD, open Xcode, create the default ‘Hello World’ App, Run and Tweet @srdcohort your success.

How to Flash Restore

Updating your SRD is performed with Finder, and the Terminal is used to Load your Cryptex and SSH to the Device. There will be errors that will need to be debugged; here is a Visual Bug Report. Always start with the Unified Logging via cryptexctl log stream:

cryptexctl log stream
Filtering the log data using "subsystem == "com.apple.security.cryptexd" OR subsystem == "com.apple.security.cryptexctl" OR subsystem CONTAINS "com.apple.security.libcryptex" OR subsystem == "com.apple.security.libimg4" OR sender CONTAINS "AppleImage4" OR sender CONTAINS "AppleMobileFileIntegrity" OR (sender == "CrashReporterSupport" AND composedMessage LIKE "*corpse data*cryptex*") OR (process == "ReportCrash" AND composedMessage LIKE "*Formulating fatal report for*cryptex") OR (sender == "OSAnalytics" AND composedMessage LIKE "*report request completed: *cryptex*.ips") OR (sender == "CrashReporterSupport" AND composedMessage CONTAINS "Saved crash report for cryptex") OR (process CONTAINS "cryptexctl" AND sender CONTAINS "MobileDevice")"

That will start dumping data to your Terminal as seen below in the example Unified Logging Stream from cryptexctl:

If you have an SRD you already know how brittle the Imaging, Build and Signing Pipelines are. If you are just getting up to speed with your SRD you may be experiencing some Interoperability Issues which should be expected on either Hardware Platform.

You are QA

Debugging issues can consume hours of your time. The picture series below is the culmination of hours of debugging by the Cohort to identify the Tatsu Signing Server Issue, which was a pain point during Q1/2021 and should be expected as normal. The point to be made is: the SRD is not a Retail Device; expect to write Code, Debug Issues and perform Quality Assurance. Help build a Platform, and find some Bugs along the way.

The example picture below is on the M1 ARM Platform for Installing a Cryptex with the Command Line, HTTP Request and HTTP Response with the Reject Message:

The example picture below is on the X86_64 Platform for Installing a Cryptex with the Command Line, HTTP Request and HTTP Response with the Success Message.

Takeaway: You may be the first to discover SRD InterOp Issues. Build a Product Defect Report, assume the Reader(s) have no context, send to SRD Team, Rinse, Lather & Repeat.

Shells

Try Compiling and Installing Blink, iSH or a-Shell and experiment with entitlements to understand the SRD and create your new workflow. With an M1 ARM Mini on Beta and an X86_64 Pro Laptop running macOS 11.2.3 it is easy to move between iOS 14.3 and 14.5, perform Regression Analysis, install Cryptex File Systems and use Xcode.

Blink Shell running on the Apple Security Research Device as seen below:

Blink running on the Apple Security Research Device

The Cohort operates a Private Slack Channel for SRD Onboarding Support and provides detailed instructions for how to Update your Research Image on the SRD with an example-cryptex with the Toybox unstripped binary which you may want for debugging on the command line.

Example Instructions

An example set of Image Update & Cryptex Build Instructions (default) from SRD0009:

!srd0009 | 20E5210c 1451.IPSW Update | 20D91 20C80 Cryptex Install | Verified Workaround | 27 MARCH 2021
!
! srd0009: CopyPasta the defaults below on M1.ARM 20E5210c
!
defaults delete com.apple.AMPDevicesAgent
defaults write com.apple.AMPDevicesAgent ipsw-variant -string 'Research Developer Erase Install (IPSW)'
!
! srd0009: RESTORE 1451.IPSW
!
M1.ARM 20E5210c --->  Finder ---> SRD 1451.IPSW Update ---> X86_64 20D91 20C80 Cryptex Install
!
! srd0009: X86_64 20D91 20C80 Cryptex Install
! srd0009: cd ../example-cryptex/
! srd0009: make install
!
cd ../example-cryptex/
make install
!
! srd0009: Verify the cryptex has been installed on X86_64 20D91 20C80
!
cryptexctl install com.example.cryptex.cptx
! Verified
cryptexctl list
com.example.cryptex
  version = srd0009
  device = /dev/disk2s1
  mount point = /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex...
!
!
!srd0009 | 20E5210c 1451.IPSW Update | 20D91 20C80 Cryptex Install | Verified Workaround | 27 MARCH 2021
EOF

Collaboration

The Cohort Platform is being built to deliver a stable, reliable GitHub Code Repo, Atlassian Bug Tracker, Slack Channel for Onboarding & Chat, Plesk Windows Hosting, VM Hosting, Loaner Gear and other goodies detailed in #general on the Cohort Slack Channel at srdcx.slack.com.

There is a collaborative effort to Fuzz the Registers of the M1 & iPhone 11. We will Publish our Results of Fuzzing Register Permissions. First, from the position of Side Loading, then within a standard Container.

The next Post begins with Opening your SRD Box and ends with a Cryptex Installation and Running the ‘hello.c’ Code found in the SRDI. In the near future we will Publish the equivalent Xcode Project for ‘Hello World’.

#include <stdio.h>
#include <os/log.h>
#include <unistd.h>

int main(void) {
    pid_t pid = getpid();
    /* Visible on the SSH terminal that launched the binary */
    printf("Hello researcher from pid %d!\n", pid);
    /* Also visible in the Unified Log under subsystem com.example.cryptex */
    os_log_t log = os_log_create("com.example.cryptex", "hello");
    os_log_info(log, "Hello researcher from pid %d!", pid);
    return 0;
}

Come back soon. Site under Development.

Industry Participation

SRD0009

The 2021 SRD Cohort works Independently & Collaboratively to improve the Security of Apple Products & Services.