Apple devices feature various interesting hardware. Especially in the wireless domain, these chips are exclusively used by Apple, such as their own U1 Ultra-wideband chip as well as the most recent generation of Broadcom Wi-Fi and Bluetooth chips. These chips are tightly integrated into the iOS and macOS kernel as well as user-space daemons. While their interfaces are undocumented and proprietary, various user-space shared libraries and daemons expose symbols or debug strings.
In this talk, you will learn how to repurpose daemons to access chips and wireless protocols while keeping most of their functionality intact. This enables various research options, such as analyzing wireless protocol security or firmware access and interaction. To this end, we will walk through various practical examples and use Frida to instrument basic *OS libraries. Since these libraries and methods are used by all *OS components, this approach is universal and can be applied to the non-wireless domain as well.
Specifically, this talk covers Frida instrumentation of Grand Central Dispatch (GCD), used for threading within a process; Cross-Process Communication (XPC), which enables communication between processes; the IOKit framework, responsible for most communication with kernel drivers; as well as Mach messages, which are the concrete transport underlying XPC, IOKit, and more.
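As an added illustration of the instrumentation approach described above (this is example code written for this page, not material from the talk), the following Frida script hooks two of the user-space entry points named in the abstract: xpc_connection_send_message in libxpc, dumped via xpc_copy_description, and IOConnectCallMethod from IOKit, for which it keeps a per-selector histogram of argument shapes. Building that histogram is how a researcher typically maps an undocumented user client before touching a wireless chip. The function names newSelectorStats, recordIOKitCall, summarizeStats and installHooks, and the sample calls at the bottom, are constructed for this example; the script assumes Frida's JavaScript runtime (Interceptor, Module, NativeFunction) for the hooks and falls back to the constructed calls when run under plain Node.

```javascript
// Added example (not from the talk): Frida hooks on libxpc and IOKit, plus a
// pure-JavaScript selector histogram that also runs outside Frida.

// Histogram of IOConnectCallMethod invocations keyed by selector. For each
// selector we remember how often it was called and which scalar-input counts
// and input-struct sizes were seen, which is what a user-client map needs.
function newSelectorStats() {
  return new Map();
}

function recordIOKitCall(stats, selector, inputScalarCount, inputStructSize) {
  const entry = stats.get(selector) ||
    { calls: 0, scalarCounts: new Set(), structSizes: new Set() };
  entry.calls += 1;
  entry.scalarCounts.add(inputScalarCount);
  entry.structSizes.add(inputStructSize);
  stats.set(selector, entry);
  return entry;
}

// Flatten the histogram into a sorted, JSON-friendly summary.
function summarizeStats(stats) {
  return Array.from(stats.entries())
    .sort((a, b) => a[0] - b[0])
    .map(([selector, e]) => ({
      selector,
      calls: e.calls,
      scalarCounts: Array.from(e.scalarCounts).sort((x, y) => x - y),
      structSizes: Array.from(e.structSizes).sort((x, y) => x - y),
    }));
}

// Frida-only part. Returns false when not running inside a Frida session so the
// rest of the file stays usable under plain Node.
function installHooks(stats) {
  if (typeof Interceptor === 'undefined') return false;

  // IOConnectCallMethod(connection, selector, input, inputCnt, inputStruct,
  //                     inputStructCnt, output, outputCnt, outputStruct,
  //                     outputStructCnt): args[1], args[3], args[5] are the
  //                     selector, scalar-input count and input-struct size.
  const ioConnectCallMethod = Module.findExportByName(null, 'IOConnectCallMethod');
  if (ioConnectCallMethod !== null) {
    Interceptor.attach(ioConnectCallMethod, {
      onEnter(args) {
        const selector = args[1].toInt32();
        const entry = recordIOKitCall(stats, selector,
          args[3].toInt32(), args[5].toInt32());
        console.log(`[IOKit] selector=${selector} calls=${entry.calls}`);
      },
    });
  }

  // xpc_connection_send_message(connection, message): describe the outgoing
  // XPC object with xpc_copy_description, which returns a malloc'd C string.
  const xpcSend = Module.findExportByName(null, 'xpc_connection_send_message');
  const xpcDescribe = Module.findExportByName(null, 'xpc_copy_description');
  const freeSym = Module.findExportByName(null, 'free');
  if (xpcSend !== null && xpcDescribe !== null && freeSym !== null) {
    const describe = new NativeFunction(xpcDescribe, 'pointer', ['pointer']);
    const free = new NativeFunction(freeSym, 'void', ['pointer']);
    Interceptor.attach(xpcSend, {
      onEnter(args) {
        const cstr = describe(args[1]);
        console.log('[XPC] ' + cstr.readUtf8String());
        free(cstr);
      },
    });
  }
  return true;
}

const stats = newSelectorStats();
if (!installHooks(stats)) {
  // Not inside Frida: feed constructed calls so the summary can be inspected.
  recordIOKitCall(stats, 3, 2, 0);
  recordIOKitCall(stats, 3, 2, 16);
  recordIOKitCall(stats, 1, 0, 32);
  console.log(JSON.stringify(summarizeStats(stats), null, 2));
}
```

Inside a Frida session the script is loaded with frida -n <daemon> -l script.js and the summary can be printed from the REPL with summarizeStats(stats); the histogram grows as the daemon talks to its user clients, while the XPC hook shows which messages are sent between the daemon and its peers.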
I break things :)