Overview
Explore a technical conference talk on hacking Apple's new USB-C controller (ACE3) in the iPhone 15 series. Learn about the complex process of gaining code execution on this proprietary chip through advanced techniques including reverse engineering, RF side-channel analysis, and electromagnetic fault injection. Discover how the ACE3 functions as a full microcontroller running a USB stack with connections to internal device buses, providing access to JTAG, UART, and SPMI interfaces. Understand the enhanced security measures Apple implemented compared to the previous ACE2 controller, including personalized firmware updates, disabled debug interfaces, and validated external flash. Follow along as the presentation demonstrates the methodical approach to bypassing these security features, ultimately enabling ROM dumping and deeper security research into this critical component of Apple devices.
Syllabus
DEF CON 32 - From getting JTAG on the iPhone 15 to hacking Apple's USB-C Controller - Stacksmashing
Taught by
DEFCONConference