Professor Hacks iPhone NAND Chip of iPhone 5C to Gain Access

September 20, 2016 08:19 EST • Alexandre Vallières-Lagacé • 2 minute read

During the FBI vs. Apple battle, one approach that was put to the FBI was NAND mirroring: copying the phone's flash chip, which does not hold the passcode itself but does hold the encrypted data and the counter of failed passcode attempts, so that the counter can be reset and the passcode guessed without the escalating delays. Given the encryption Apple uses and the lack of a known, working way to do it, the FBI dismissed the idea as unworkable (at least according to what the official channels tell us). Dr. Sergei Skorobogatov of the University of Cambridge has now shown that it does work, with about $100 worth of parts.

Dr. Skorobogatov's technique is to desolder the NAND chip from the iPhone 5c, image it on his laptop, and write that image back to a batch of compatible off-the-shelf NAND chips bought on eBay. The more clones he has ready, the faster the process goes.

He boots the iPhone with a cloned NAND in place, tries several passcodes until the phone locks itself for 15 minutes, then powers it off, swaps in another clone and boots again. Because the clone is a copy of the original NAND taken before those attempts, the failed-attempt counter it carries is back at zero: there is no passcode delay, and the optional auto-erase that normally wipes the data after ten failed attempts never triggers either. He tries several more passcodes, swaps the chip again, and repeats.

With the right tools this is simple enough that a 4-digit passcode can be found in under 40 hours, while a 6-digit passcode would take several hundred hours. If the attacker knows something about the owner (birthdays, addresses, other PINs they use), the most probable passcodes can be tried first, which will likely bring the search down to a few hours.
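The attack loop described above, as an added toy model (this is not the author's code or the tooling from the paper). It models only the property the attack depends on: the failed-attempt counter that drives the lockout lives on the same flash chip as the encrypted data, so swapping in a clone of a pre-attack image resets it. The lockout schedule and all timings are assumptions for the model, not figures from the paper: 6 immediate attempts, a 15-minute lockout after that, erase after 10 failures, 5 seconds per attempt and 60 seconds per chip swap. The `counter_in_nand=False` variant, also an assumption, shows what happens when the counter is kept somewhere the attacker cannot clone.

```python
"""Toy model of NAND mirroring against a passcode-attempt counter.
Added example; timings and lockout schedule are assumptions, not measurements."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class Nand:
    """Flash contents as far as the model cares: the attempt counter and the
    'erased' flag.  The encrypted user data itself is not modelled."""
    failed_attempts: int = 0
    wiped: bool = False

    def clone(self) -> "Nand":
        """Bit-for-bit copy, as written to an off-the-shelf chip."""
        return Nand(self.failed_attempts, self.wiped)


class Phone:
    def __init__(self, passcode: str, free_attempts: int = 6,
                 lockout_seconds: float = 15 * 60, wipe_after: int = 10,
                 attempt_seconds: float = 5.0, counter_in_nand: bool = True):
        self._passcode = passcode      # a real device checks a derived key; plain compare here
        self.nand = Nand()
        self._secure = Nand()          # off-chip counter, used only by the hardened variant
        self.free_attempts = free_attempts
        self.lockout_seconds = lockout_seconds
        self.wipe_after = wipe_after
        self.attempt_seconds = attempt_seconds
        self.counter_in_nand = counter_in_nand

    @property
    def _state(self) -> Nand:
        # Where the counter lives is the whole story: on the NAND, a swap resets it.
        return self.nand if self.counter_in_nand else self._secure

    def swap_nand(self, nand: Nand) -> None:
        """Power off, replace the flash chip, power on."""
        self.nand = nand

    def try_passcode(self, guess: str) -> Tuple[bool, float]:
        """Return (correct?, seconds this attempt cost, lockout included)."""
        st = self._state
        if st.wiped:
            raise RuntimeError("user data has been erased")
        wait = self.lockout_seconds if st.failed_attempts >= self.free_attempts else 0.0
        if guess == self._passcode:
            return True, wait + self.attempt_seconds
        st.failed_attempts += 1
        if st.failed_attempts >= self.wipe_after:
            st.wiped = True
        return False, wait + self.attempt_seconds


def candidates(digits: int, likely: Iterable[str] = ()) -> List[str]:
    """All passcodes of the given length, with any 'likely' guesses (owner's
    birthday, other PINs) moved to the front and duplicates removed."""
    front = list(dict.fromkeys(p for p in likely if len(p) == digits and p.isdigit()))
    seen = set(front)
    return front + [p for p in (f"{i:0{digits}d}" for i in range(10 ** digits)) if p not in seen]


def naive_bruteforce(phone: Phone, guesses: Iterable[str]) -> Tuple[Optional[str], float]:
    """Guess in order and sit through every lockout; stops when the data is erased."""
    elapsed = 0.0
    for g in guesses:
        try:
            ok, dt = phone.try_passcode(g)
        except RuntimeError:
            return None, elapsed
        elapsed += dt
        if ok:
            return g, elapsed
    return None, elapsed


def mirroring_bruteforce(phone: Phone, guesses: Iterable[str],
                         swap_seconds: float = 60.0) -> Tuple[Optional[str], float]:
    """Image the chip before guessing; whenever the next guess would hit the
    lockout, swap in a fresh clone of that image so the counter is back at 0."""
    master = phone.nand.clone()                # taken before the first guess
    elapsed, since_swap = 0.0, 0
    for g in guesses:
        if since_swap == phone.free_attempts:
            phone.swap_nand(master.clone())
            elapsed += swap_seconds
            since_swap = 0
        try:
            ok, dt = phone.try_passcode(g)
        except RuntimeError:                   # only reachable if the counter is off-chip
            return None, elapsed
        elapsed += dt
        since_swap += 1
        if ok:
            return g, elapsed
    return None, elapsed


def worst_case_hours(digits: int, free_attempts: int = 6,
                     attempt_seconds: float = 5.0, swap_seconds: float = 60.0) -> float:
    """Hours to exhaust the whole space with mirroring; the average is half that."""
    n = 10 ** digits
    swaps = (n - 1) // free_attempts
    return (n * attempt_seconds + swaps * swap_seconds) / 3600


if __name__ == "__main__":
    # Constructed scenario: the owner's passcode is 7391.
    print("naive:", naive_bruteforce(Phone("7391"), candidates(4)))            # erased
    print("mirroring:", mirroring_bruteforce(Phone("7391"), candidates(4)))     # ~31 h
    print("with hints:", mirroring_bruteforce(Phone("7391"), candidates(4, ["1985", "7391"])))
    print("counter off-chip:", mirroring_bruteforce(Phone("7391", counter_in_nand=False), candidates(4)))
    print("worst case 4/6 digits:", worst_case_hours(4), worst_case_hours(6))
```

Under these assumed timings the worst case for a 4-digit passcode comes out at about 42 hours and the average at about 21, in the same range as the page's figure, and the 6-digit space is a hundred times larger. The hardened variant is the point to take away for design work: the swap still happens, but because the counter is not on the cloned chip the lockout and the erase fire exactly as they would for a naive attacker.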

The real challenge was to reverse engineer Apple's proprietary NAND bus protocol so that the chip could be read and written at all, and, of course, to desolder the NAND chip without damaging it in the first place! The full details are in the paper, "The bumpy road towards iPhone 5c NAND mirroring".