
ACE up the Sleeve: Hacking into Apple's New USB-C Controller.pdf

Uploaded by: 竿*** ID: 981600 2025-11-29 223 pages 41.08MB

ACE up the Sleeve: Hacking into Apple's new USB-C controller
hextree.io

whoami
Thomas Roth aka stacksmashing
Security researcher - Hardware & Firmware
Co-founder at hextree.io
Twitter: ghidraninja
YouTube: stacksmashing

Thanks
Siguza, Oly (Thunderbolt Patcher), AsahiLinux Team, Carlo Maragno, Jiska, Fabian & Caro, Marc Zyngier (maz), T8012 Dev Team, aunali1, h0m3us3r, mrarm, Rick Mark

The backstory

The obvious stuff: Charging, USB, Video & Audio
The cool stuff: JTAG, UART, SDQ
Tamarin Cable

The cool stuff?
USB-PD Negotiation, VDM
USB-C Port Controller
Configuration Channel
All handled by the USB-C Port (Micro)controller
Photo by h0m3us3r
Thanks T8012 Dev Team!

VDM: Vendor Defined Messages
Serial RX, Serial TX
VDM action 0x306

Type-C Port Controller: ACE, ACE2, ACE3
Type-C Port Controller (ACE), System on Chip: USB & Thunderbolt, Serial console & more!

But how can we send VDM?

How can we send VDM?
macvdmtool: Back-left port of MacBook Pro to get serial etc
Central Scrutinizer: Hardware tool to get serial console on MacBook
Tamarin-C: Allows bi-directional access to

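According to the report, the talk covers security research on Apple's USB-C controllers ACE2 and ACE3. The key points are:

1. **ACE2 analysis**: ACE2 was found to contain "privileged" commands, reachable via MEMr/MEMw/MEMm, that are used to communicate with I2C.
2. **SPI flash**: ACE2's SPI flash does not contain the complete firmware; it contains "patches" to the ROM, which makes reverse engineering difficult.
3. **ACE3 analysis**: ACE3 is used in the iPhone 15 and the MacBook Pro M3 Pro & Max, runs a full USB stack, and has access to internal buses.
4. **Fault injection**: Faults are injected into the chip by voltage, laser, electromagnetic and other methods in order to modify the behaviour of the running software.
5. **Side-channel attack**: A side channel was used to capture the chip's waveforms, and faults injected with precise timing successfully modified the ACE3 version string.
6. **Memory read/write**: Through the USBw command handler, arbitrary memory read and write was achieved, which allows the ACE3 ROM and RAM to be dumped completely.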