Documents
Secure Key Extraction by Physical De-Processing of Apple’s A4 Processor
Mar. 10, 2015
[edit] (SHNF) Secure key extraction by physical de-processing of
Apple?s A4 processor
Presenters: and The Apple A4 processor contains an on-board.
AES key called the Global ID that is believed to be shared across all current
"iDeyices". This GID key is used to un?wrap the keys that the corresponding boot ?rmware code
stored in system non?volatile memory. Currently. the only way to examine boot code is to gain
execution through an ewloitable software security ?aw. However. Apple is quick to address these ?aws
with each new release of ?rmware and hardware.
The Intelligence Community is highly dependent on a very small number of security ?aws. many of
which are public. which Apple eventually patches. This presentation will discuss a method to physically
extract the STD key. If successful. it would enable and analysis of the boot ?rmware for
vulnerabilities. and development of associated exploits across the entire A4?based product?line. which
includes the iPhonetE 4. the iPod touchtE and the iPath.
Apple relies on commercial and proprietary relationships with major integrated circuit
manufacturers to supply the internal hardware for their leading-edge consumer products. Therefore.
design and manufacturing information about the A4 is closely held intellectual property Some reverse?
engineering reports have concluded that the A4 is manufactured by Samsung Ltd. for exclusive use in Apple
products. Their data is compelling. They have shown that the Samsung Cortex A8 pProcessor core layout is
used in the A4. If that is true. then it is possible that other Samsung IF. such as its non-volatile memory
technology. may be used in this chip. Programmable non-volatile memory offers the most design
?exibility. reliability and security to store proprietary critical product information. such as the GID key.
Although. Samsung is a major supplier of ?ash memory chips it also holds IP in the area of
CMDS?compatible. eFuse technology. The eFuse memory is thought to offer more immunity to random data
upset. and a higher level of anti-tamper resistance. Therefore. this type of memory would be ideal as a
secure repository of critical product information on the A4. We will use comparatiye examples of known
Samsung product. versus the A4. in order to determine the type and location of WM. In addition. we will
discuss the progress made to date to determine where the GID key is located recovered by physical de-processing of the chip.
[edit] (SHNF) Secure key extraction by physical de-processing of
Apple?s A4 processor
Presenters: and The Apple A4 processor contains an on-board.
AES key called the Global ID that is believed to be shared across all current
"iDeyices". This GID key is used to un?wrap the keys that the corresponding boot ?rmware code
stored in system non?volatile memory. Currently. the only way to examine boot code is to gain
execution through an ewloitable software security ?aw. However. Apple is quick to address these ?aws
with each new release of ?rmware and hardware.
The Intelligence Community is highly dependent on a very small number of security ?aws. many of
which are public. which Apple eventually patches. This presentation will discuss a method to physically
extract the STD key. If successful. it would enable and analysis of the boot ?rmware for
vulnerabilities. and development of associated exploits across the entire A4?based product?line. which
includes the iPhonetE 4. the iPod touchtE and the iPath.
Apple relies on commercial and proprietary relationships with major integrated circuit
manufacturers to supply the internal hardware for their leading-edge consumer products. Therefore.
design and manufacturing information about the A4 is closely held intellectual property Some reverse?
engineering reports have concluded that the A4 is manufactured by Samsung Ltd. for exclusive use in Apple
products. Their data is compelling. They have shown that the Samsung Cortex A8 pProcessor core layout is
used in the A4. If that is true. then it is possible that other Samsung IF. such as its non-volatile memory
technology. may be used in this chip. Programmable non-volatile memory offers the most design
?exibility. reliability and security to store proprietary critical product information. such as the GID key.
Although. Samsung is a major supplier of ?ash memory chips it also holds IP in the area of
CMDS?compatible. eFuse technology. The eFuse memory is thought to offer more immunity to random data
upset. and a higher level of anti-tamper resistance. Therefore. this type of memory would be ideal as a
secure repository of critical product information on the A4. We will use comparatiye examples of known
Samsung product. versus the A4. in order to determine the type and location of WM. In addition. we will
discuss the progress made to date to determine where the GID key is located recovered by physical de-processing of the chip.