{"guid":"9cbacaba-92e8-452b-8878-be42881f3cd1","title":"KTRW: The journey to build a debuggable iPhone","subtitle":null,"slug":"36c3-10806-ktrw_the_journey_to_build_a_debuggable_iphone","link":"https://fahrplan.events.ccc.de/congress/2019/Fahrplan/events/10806.html","description":"Development-fused iPhones with hardware debugging features like JTAG are out of reach for many security researchers. This talk takes you along my journey to create a similar capability using off-the-shelf iPhones. We'll look at a way to break KTRR, a custom hardware mitigation Apple developed to prevent kernel patches, and use this capability to load a kernel extension that enables full-featured, single-step kernel debugging with LLDB on production iPhones.\n\nThis talk walks through the discovery of hardware debug registers on the iPhone X that enable low-level debugging of a CPU core at any time during its operation. By single-stepping execution of the reset vector, we can modify register state at key points to disable KTRR and remap the kernel as writable. I'll then describe how I used this capability to develop an iOS kext loader and a kernel extension called KTRW that can be used to debug the kernel with LLDB over USB.","original_language":"eng","persons":["Brandon Azad"],"view_count":1411,"promoted":false,"date":"2019-12-28T20:50:00.000+01:00","release_date":"2019-12-29T01:00:00.000+01:00","updated_at":"2026-03-15T15:45:08.148+01:00","tags":["36c3","10806","2019","Security","Main"],"length":3291,"duration":3291,"thumb_url":"https://static.media.ccc.de/media/congress/2019/10806-hd.jpg","poster_url":"https://static.media.ccc.de/media/congress/2019/10806-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/congress/2019/10806-hd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/congress/2019/10806-hd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/36c3-10806-ktrw_the_journey_to_build_a_debuggable_iphone","url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_title":"36C3: Resource Exhaustion","conference_url":"https://api.media.ccc.de/public/conferences/36c3","related":[],"recordings":[{"size":null,"length":null,"mime_type":"application/x-subrip","language":"eng","filename":"DRAFT_36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone.en_DRAFT.srt","state":"todo","folder":"","high_quality":true,"width":null,"height":null,"updated_at":"2022-01-15T16:42:16.589+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/DRAFT_36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone.en_DRAFT.srt","url":"https://api.media.ccc.de/public/recordings/51472","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":526,"length":3291,"mime_type":"video/webm","language":"eng-deu-rus","filename":"36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T09:33:15.532+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/webm-hd/36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/43011","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":49,"length":3273,"mime_type":"audio/mpeg","language":"eng","filename":"36c3-10806-eng-KTRW_The_journey_to_build_a_debuggable_iPhone_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2019-12-29T09:30:07.858+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/mp3/36c3-10806-eng-KTRW_The_journey_to_build_a_debuggable_iPhone_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/43006","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":209,"length":3291,"mime_type":"video/mp4","language":"eng-deu-rus","filename":"36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-12-29T09:26:26.206+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-sd/36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_sd.mp4","url":"https://api.media.ccc.de/public/recordings/43002","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":37,"length":3273,"mime_type":"audio/opus","language":"eng","filename":"36c3-10806-eng-KTRW_The_journey_to_build_a_debuggable_iPhone_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2019-12-29T09:23:15.356+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/opus/36c3-10806-eng-KTRW_The_journey_to_build_a_debuggable_iPhone_opus.opus","url":"https://api.media.ccc.de/public/recordings/42997","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":240,"length":3291,"mime_type":"video/webm","language":"eng-deu-rus","filename":"36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-12-29T09:23:08.148+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/webm-sd/36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/42996","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":241,"length":3291,"mime_type":"video/mp4","language":"eng-deu-rus","filename":"36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_hd-slides.mp4","state":"new","folder":"slides-h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T09:22:46.378+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/slides-h264-hd/36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_hd-slides.mp4","url":"https://api.media.ccc.de/public/recordings/42995","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":382,"length":3291,"mime_type":"video/mp4","language":"eng-deu-rus","filename":"36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T06:31:25.151+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10806-eng-deu-rus-KTRW_The_journey_to_build_a_debuggable_iPhone_hd.mp4","url":"https://api.media.ccc.de/public/recordings/42742","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":192,"length":3291,"mime_type":"video/mp4","language":"rus","filename":"36c3-10806-rus-KTRW_The_journey_to_build_a_debuggable_iPhone.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T06:30:55.335+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10806-rus-KTRW_The_journey_to_build_a_debuggable_iPhone.mp4","url":"https://api.media.ccc.de/public/recordings/42741","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":192,"length":3291,"mime_type":"video/mp4","language":"deu","filename":"36c3-10806-deu-KTRW_The_journey_to_build_a_debuggable_iPhone.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T06:30:38.962+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10806-deu-KTRW_The_journey_to_build_a_debuggable_iPhone.mp4","url":"https://api.media.ccc.de/public/recordings/42740","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"},{"size":192,"length":3291,"mime_type":"video/mp4","language":"eng","filename":"36c3-10806-eng-KTRW_The_journey_to_build_a_debuggable_iPhone.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-12-29T06:30:21.698+01:00","recording_url":"https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10806-eng-KTRW_The_journey_to_build_a_debuggable_iPhone.mp4","url":"https://api.media.ccc.de/public/recordings/42739","event_url":"https://api.media.ccc.de/public/events/9cbacaba-92e8-452b-8878-be42881f3cd1","conference_url":"https://api.media.ccc.de/public/conferences/36c3"}]}