BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.cccv.de//RUBQ88
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-38c3-RUBQ88@cfp.cccv.de
DTSTART;TZID=CET:20241227T120000
DTEND;TZID=CET:20241227T124000
DESCRIPTION:With the iPhone 15 & iPhone 15 Pro\, Apple switched their iPhon
 e to USB-C and introduced a new USB-C controller: The ACE3\, a powerful\, 
 very custom\, TI manufactured chip.\n\nBut the ACE3 does more than just ha
 ndle USB power delivery: It's a full microcontroller running a full USB st
 ack connected to some of the internal busses of the device\, and is respon
 sible for providing access to JTAG of the application processor\, the inte
 rnal SPMI bus\, etc.\n\nWe start by investigating the previous variant of 
 the ACE3: The ACE2. It's based on a known chip\, and using a combination o
 f a hardware vulnerability in MacBooks and a custom macOS kernel module we
  managed to persistently backdoor it - even surviving full-system restores
 .\n\nOn the ACE3 however\, Apple upped their game: Firmware updates are pe
 rsonalized to the device\, debug interfaces seem to be disabled\, and the 
 external flash is validated and does not contain all the firmware. However
  using a combination of reverse-engineering\, RF side-channel analysis and
  electro-magnetic fault-injection it was possible to gain code-execution o
 n the ACE3 - allowing dumping of the ROM\, and analysis of the functionali
 ty.\n\nThis talk will show how to use a combination of hardware\, firmware
 \, reverse-engineering\, side-channel analysis and fault-injection to gain
  code-execution on a completely custom chip\, enabling further security re
 search on an under-explored but security-relevant part of Apple devices. I
 t will also demonstrate attacks on the predecessor of the ACE3.
DTSTAMP:20241227T122547Z
LOCATION:Saal GLITCH
SUMMARY:ACE up the sleeve: Hacking into Apple's new USB-C Controller - stac
 ksmashing
URL:https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/RUBQ88/
END:VEVENT
END:VCALENDAR
