from Hacker News

Demystifying the i-Device NVMe NAND

by duked on 11/17/16, 5:05 PM with 52 comments

  • by mi100hael on 11/17/16, 5:29 PM

        > In order to read the NVMe, I therefore developed a PCIe card with a Zero
        > Insertion Force reader. I brought the JTAG part to a 20-pin header. The hard
        > part in here is the signal integrity of the differential pairs. In order
        > to do so, I had to use a multi-layer PCB, and have the impedance match by
        > knowing the stackup, materials used for prepreg and so on.
    
    Posts like this are very humbling. They serve as a good reminder that no matter how far I've come and how much I've learned, there will always be someone out there who knows vastly more than me like the back of their hand.
  • by sounds on 11/17/16, 5:59 PM

    The gold is at the bottom:

      The idea here would be to see if it was possible to control the NVMe
      over jtag in order to ask it to perform a DMA read over the PCIe Bus.
      In order to do so, the PCI_COMMAND_BUS_MASTER has to be set to 1. We
      can assume that since the chip is using remote RAM, it is allowed to
      act as a master over PCIe. Here is a snippet of the probing function
      of the kernel driver.
    
    (code)

      Our goal here is to force the DMA to happen just by controlling the
      ARM of the NVMe over JTAG, in order to ask it to dump the region we
      alloc'd in kernel and see if we get the data out of it.
    
    In other words, full root exploit of the phone from the NVMe JTAG pins.
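The quoted passage hinges on one bit: Bus Master Enable in the PCI command register. Once a driver sets it, the device may initiate transactions on the bus, and without an IOMMU mapping in the way that means reads and writes to arbitrary host physical memory. The following is an added example (editor's code, not from the article or its author) that decodes a standard PCI configuration-space header, reports whether bus mastering is on, and shows the read-modify-write a driver's probe path performs on that bit. It runs on a constructed 64-byte header with placeholder vendor/device IDs 0x1234/0x5678 (not any real device); on Linux, passing a bus address such as `0000:01:00.0` reads the real header from `/sys/bus/pci/devices/<bdf>/config`, whose first 64 bytes are readable without root.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Configuration-space offsets and command bits, named as in the PCI spec
 * and Linux's include/uapi/linux/pci_regs.h. */
#define PCI_VENDOR_ID                  0x00
#define PCI_DEVICE_ID                  0x02
#define PCI_COMMAND                    0x04
#define PCI_COMMAND_MEMORY             0x0002
#define PCI_COMMAND_MASTER             0x0004  /* Bus Master Enable: device may initiate DMA */
#define PCI_COMMAND_INTX_DISABLE       0x0400
#define PCI_CLASS_PROG                 0x09    /* prog-if, subclass, class at 0x09..0x0b */
#define PCI_HEADER_TYPE                0x0e
#define PCI_BASE_ADDRESS_0             0x10
#define PCI_BASE_ADDRESS_SPACE_IO      0x01
#define PCI_BASE_ADDRESS_MEM_TYPE_MASK 0x06
#define PCI_BASE_ADDRESS_MEM_TYPE_64   0x04

#define CFG_HDR_LEN 64          /* standard header; sysfs exposes it unprivileged */
#define CLASS_NVME  0x010802u   /* class 0x01 storage, subclass 0x08 NVM, prog-if 0x02 NVMe */

static uint16_t cfg_rd16(const uint8_t *cfg, unsigned off)
{
    return (uint16_t)(cfg[off] | (cfg[off + 1] << 8));
}

static uint32_t cfg_rd32(const uint8_t *cfg, unsigned off)
{
    return (uint32_t)cfg_rd16(cfg, off) | ((uint32_t)cfg_rd16(cfg, off + 2) << 16);
}

static void cfg_wr16(uint8_t *cfg, unsigned off, uint16_t v)
{
    cfg[off] = (uint8_t)(v & 0xff);
    cfg[off + 1] = (uint8_t)(v >> 8);
}

static void cfg_wr32(uint8_t *cfg, unsigned off, uint32_t v)
{
    cfg_wr16(cfg, off, (uint16_t)(v & 0xffff));
    cfg_wr16(cfg, off + 2, (uint16_t)(v >> 16));
}

/* Class code packed as 0xCCSSPP (class, subclass, prog-if). */
static uint32_t pci_class_code(const uint8_t *cfg)
{
    return ((uint32_t)cfg[PCI_CLASS_PROG + 2] << 16) |
           ((uint32_t)cfg[PCI_CLASS_PROG + 1] << 8) | cfg[PCI_CLASS_PROG];
}

static int pci_bus_master_enabled(const uint8_t *cfg)
{
    return (cfg_rd16(cfg, PCI_COMMAND) & PCI_COMMAND_MASTER) != 0;
}

/* The read-modify-write a driver's pci_set_master()/pci_clear_master() does.
 * Here it edits a buffer; on hardware it is a config write (root, e.g. setpci). */
static void pci_set_bus_master(uint8_t *cfg, int enable)
{
    uint16_t cmd = cfg_rd16(cfg, PCI_COMMAND);
    cmd = enable ? (cmd | PCI_COMMAND_MASTER) : (cmd & (uint16_t)~PCI_COMMAND_MASTER);
    cfg_wr16(cfg, PCI_COMMAND, cmd);
}

/* Decode BAR idx (0..5) into its base address, joining a 64-bit pair. */
static uint64_t pci_bar_base(const uint8_t *cfg, unsigned idx)
{
    uint32_t lo = cfg_rd32(cfg, PCI_BASE_ADDRESS_0 + 4 * idx);
    if (lo & PCI_BASE_ADDRESS_SPACE_IO)
        return lo & ~0x3u;
    uint64_t base = lo & ~0xfu;
    if ((lo & PCI_BASE_ADDRESS_MEM_TYPE_MASK) == PCI_BASE_ADDRESS_MEM_TYPE_64)
        base |= (uint64_t)cfg_rd32(cfg, PCI_BASE_ADDRESS_0 + 4 * (idx + 1)) << 32;
    return base;
}

/* Constructed sample header, not captured from any real device: placeholder IDs,
 * NVMe class code, the command word a bus-mastering NVMe controller typically
 * shows (memory + master + INTx disabled), and a 64-bit BAR0 at 0xfe800000. */
static void build_sample_config(uint8_t *cfg)
{
    memset(cfg, 0, CFG_HDR_LEN);
    cfg_wr16(cfg, PCI_VENDOR_ID, 0x1234);
    cfg_wr16(cfg, PCI_DEVICE_ID, 0x5678);
    cfg_wr16(cfg, PCI_COMMAND, PCI_COMMAND_MEMORY | PCI_COMMAND_MASTER | PCI_COMMAND_INTX_DISABLE);
    cfg[PCI_CLASS_PROG] = 0x02; cfg[PCI_CLASS_PROG + 1] = 0x08; cfg[PCI_CLASS_PROG + 2] = 0x01;
    cfg[PCI_HEADER_TYPE] = 0x00;
    cfg_wr32(cfg, PCI_BASE_ADDRESS_0, 0xfe800004u);   /* BAR1 stays 0: high dword */
}

/* Linux only: first 64 bytes of /sys/bus/pci/devices/<bdf>/config need no root. */
static int read_sysfs_config(const char *bdf, uint8_t *cfg)
{
    char path[128];
    snprintf(path, sizeof path, "/sys/bus/pci/devices/%s/config", bdf);
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(cfg, 1, CFG_HDR_LEN, f);
    fclose(f);
    return n == CFG_HDR_LEN ? 0 : -1;
}

int main(int argc, char **argv)
{
    uint8_t cfg[CFG_HDR_LEN];
    if (argc > 1) {
        if (read_sysfs_config(argv[1], cfg) != 0) {
            fprintf(stderr, "cannot read config space of %s\n", argv[1]);
            return 1;
        }
    } else {
        build_sample_config(cfg);
    }
    printf("vendor %04x device %04x class %06x%s\n", cfg_rd16(cfg, PCI_VENDOR_ID),
           cfg_rd16(cfg, PCI_DEVICE_ID), pci_class_code(cfg),
           pci_class_code(cfg) == CLASS_NVME ? " (NVMe)" : "");
    printf("command %04x: bus master %s, BAR0 base 0x%llx\n", cfg_rd16(cfg, PCI_COMMAND),
           pci_bus_master_enabled(cfg) ? "ENABLED (device may initiate DMA)" : "disabled",
           (unsigned long long)pci_bar_base(cfg, 0));
    return 0;
}
```

The practical check this gives you: any endpoint whose command register reports bus mastering on is a DMA initiator, and whether that reach is bounded by an IOMMU (VT-d, SMMU) is a separate, per-platform question the config header cannot answer. That is exactly the assumption the quoted passage makes about the NVMe controller, which must be a bus master because it keeps its working state in host DDR.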
  • by kanwisher on 11/17/16, 5:46 PM

    Refreshing to see a deep tech article on HN. I really liked how he debugged the code on the controller.
  • by iuuuuu145 on 11/17/16, 5:43 PM

    >It looks like to reduce the size needed, the NVMe core uses the host DDR in order to work. Therefore, Apple is not strictly following the specification regarding the initialisation.

    Yikes.

  • by nimish on 11/17/16, 6:26 PM

    Apple's purchase of Anobit is paying dividends!
  • by mmastrac on 11/17/16, 7:44 PM

    Has anyone managed to capture the text of this article? It doesn't appear to be in a Google cache AFAICT.
  • by condescendence on 11/18/16, 4:15 AM

    Definitely one of the cooler and more in depth posts this year, what a great read.
  • by athiercelin on 11/17/16, 6:39 PM

    Very good stuff!