Explore the full stack hack of the AppleTV3 in this conference talk from Nullcon Berlin. Dive into the journey of jailbreaking a device that resisted hacking for 8 years, exploiting 5 different n-day vulnerabilities to achieve full untethered compromise. Learn about the reduced attack surface that protected the AppleTV3 longer than newer, more secure iPhones. Follow the step-by-step process of pwning the device, discussing challenges encountered and methods to overcome them. Gain insights into attacking restricted devices and acquire the knowledge needed to reproduce this exploit chain. Discover the speaker's background in iOS hacking, including contributions to various jailbreaks and creation of downgrading tools. Examine topics such as trust certificates, custom browsers, hardware hacking, memory dumping, codesign bypass, ROP chains, kernel exploits, and persistence techniques. Conclude with a summary and a lighthearted look at funny cat picture screensavers.
Jailbreaking the AppleTV3 - Tales From A Full Stack Hack
Overview
Syllabus
Intro
AppleTV 3nd gen
AppleTV 3 Homescreen
PlexConnect
Trust certificate
ATV3 Custom Browser
Setup
Trailers App
exploit.js: problems
Crashlogs!
Hardware hacking
Dumping memory: problems
Emulating remote
Codesign bypass
ROP chain: problems
ROP chain: solution
stage1.bin
Kernelexploit
Update: Problem: no kernel binary
Postexploit
Post-bootstrap
Persistance
Untether: solution launchd
Summary
Funny cat pictures screensaver!
Taught by
nullcon
