Interesting info on the registers.

But the keys themselves can't be stored exclusively in a register, otherwise when you reset or powered down the phone, the keys would be gone.

Also interesting idea of storing the grid of data using different dopings, but not practical on mass production scale. The problem is that you want each phone to use a different key. Different masks for each phone is totally impractical.

I don't know why they don't like to use eeprom or flash, but they don't. Maybe not reliable enough?

So they use either a fuse array or ROM. Both of which can be "peeled" open. I need to look around and see if I can find a link describing the machine. It's one of those very purpose-built things that is very difficult to obtain and gets you on watch lists you don't want to be on when you buy it. The satellite tv companies really hate them because they can't keep their sat box keys secure because of them. (there's a good case for differential doping... wonder why they don't do it? must be a reason)

http://security.stackexchange.com/questi...ng-a-smart-card
http://www.theguardian.com/technology/2002/mar/13/media.citynews

see also "microprobing"

There's an interesting tech war going on between these groups. I recall reading one description of a system where the pirates were opening a card and boring in with a laser. They had knowledge of how the chip was laid out but not the fuse pattern. So they found how to drill in and cut specific tracks to enable reading of the cells. This led to the manufacturer laying down another layer on top that zigzagged across the entire secured area and ran back; that zigzag track was required to connect a few lines that run the chip, so if you drilled down through it to get at the critical places to cut, you'd disable the chip. It was a giant expensive game of tag they were playing. They had posted pics of scans of those chips; it was really an interesting read, but that was a few years ago and I didn't store any of it. It may be difficult or impossible to find again. That's the sort of information that gets taken down. frown

huh. this is pretty good, I think you'll really enjoy it! http://www.youtube.com/watch?v=tnY7UVyaFiQ

That's the sort of technology that CAN break into a smartphone such as the iPhone. You need to have the gear, the technique, and the knowledge of how to apply it. (that last part can be very difficult to obtain... UNLESS you're the company that manufactured it, OR have a badge to flash AT said company)

Anyone that tells me that Apple can't break into their own phone, I am going to have a very difficult time believing. Just throwing out a very generic scenario... NSA works with Apple and, say, that guy from the video. wink OK, now we have the money, the gear, the technique, and the location of the bits we want. The entire device gets dumped, while on, including RAM and flash (but not registers). He goes to work and gets the bits off the trust chip. (We're going to assume Apple doesn't just plain keep this data... who can really say for sure they don't?) Once they have the key from the original, Apple enters the key into a new unit, but in a "not locked" state on a new phone.

Really the key thing here that needs to happen is (A) disabling the wipe option (trivial if you know what you are doing, and not terribly devastating if you have already dumped it) and (B) defeating any timeout if you're going to have to guess it. 10^4 is pretty fast to guess if you've disabled the failed-attempt timer. Apple most CERTAINLY has the ability to fab a modified trust chip with those features disabled. Then use the above guy's skills to snatch the key (assuming Apple doesn't have it), and then simply program the modded chip with the code and plug in the SSD. Then just run it through a 2 second sweep of all 10k codes and you're in. This assumes cooperation from Apple of course, to make things easier, but if you read the articles I posted, you'll see there are groups that pull this off WITHOUT cooperation from the manufacturers. It just takes time.


I work for the Department of Redundancy Department
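The post above turns on three design points a passcode-guarding chip has to get right: the failed-attempt counter must live in non-volatile storage so a reset doesn't clear it (the register point made at the top of the thread), the counter must be bumped before the comparison so a mid-check power cut can't buy a free guess, and the passcode must be entangled with a device-unique secret so the 10^4 space can't be searched on a bench without that chip. The following simulator is an added illustration of those mitigations and is not code from the original post nor any vendor's implementation; the delay schedule, the wipe threshold, the `SecureElementSim` name and the constructed UID are all hypothetical values chosen for the example.

```python
import hashlib
import hmac
import os

# Escalating lockout delays (seconds) keyed by the number of consecutive
# failures already recorded. Constructed values for illustration only.
DELAY_SCHEDULE = {0: 0, 1: 0, 2: 0, 3: 0, 4: 0, 5: 60, 6: 300, 7: 900, 8: 3600, 9: 3600}
MAX_FAILURES = 10        # hypothetical: discard the verifier after this many misses
KDF_ITERATIONS = 20_000  # stretches each guess so even an on-device sweep is slow


class SecureElementSim:
    """Toy model of a passcode-verifying secure element.

    `nv` stands in for fuse/ROM/flash state that survives a power cycle;
    `unlocked_key` stands in for a register that does not.
    """

    def __init__(self, device_uid: bytes, passcode: str):
        self.device_uid = device_uid                 # per-device secret burned at the factory
        self.nv = {"fail_count": 0, "wiped": False, "salt": os.urandom(16), "verifier": None}
        self.nv["verifier"] = self._derive(passcode)  # store a verifier, never the passcode
        self.unlocked_key = None                     # volatile: cleared by power_cycle()

    def _derive(self, passcode: str) -> bytes:
        # Entangling the guess with the device UID means an attacker who has
        # dumped the NV contents still cannot test guesses without this chip.
        return hashlib.pbkdf2_hmac(
            "sha256", passcode.encode(), self.device_uid + self.nv["salt"], KDF_ITERATIONS
        )

    def next_delay(self) -> int:
        """Seconds that must elapse before another attempt is accepted."""
        n = self.nv["fail_count"]
        return DELAY_SCHEDULE.get(n, DELAY_SCHEDULE[max(DELAY_SCHEDULE)])

    def verify(self, passcode: str, elapsed_since_last_failure: int) -> str:
        """Returns 'ok', 'wrong', 'locked' or 'wiped'."""
        if self.nv["wiped"]:
            return "wiped"
        if elapsed_since_last_failure < self.next_delay():
            return "locked"                          # throttle enforced from NV state
        # Commit the failure to NV *before* comparing: cutting power mid-check
        # must not leave the counter where it was.
        self.nv["fail_count"] += 1
        if hmac.compare_digest(self._derive(passcode), self.nv["verifier"]):
            self.nv["fail_count"] = 0
            # Stand-in for releasing the wrapped data key into a register.
            self.unlocked_key = hashlib.sha256(b"unwrap" + self.nv["verifier"]).digest()
            return "ok"
        if self.nv["fail_count"] >= MAX_FAILURES:
            self.nv["wiped"] = True                  # the "wipe option" from the post
            self.nv["verifier"] = None
            return "wiped"
        return "wrong"

    def power_cycle(self) -> None:
        """Resetting the part clears registers but leaves NV state intact."""
        self.unlocked_key = None


if __name__ == "__main__":
    se = SecureElementSim(device_uid=b"constructed-uid-0001", passcode="1234")
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        print(guess, se.verify(guess, elapsed_since_last_failure=0))
    print("sixth attempt too soon:", se.verify("5555", elapsed_since_last_failure=0))
    se.power_cycle()
    print("fail_count after reset:", se.nv["fail_count"])
    print("correct code after waiting:", se.verify("1234", elapsed_since_last_failure=60))
```

The point the simulator makes is that throttling and wipe are only as strong as the storage the counter lives in, which is exactly why the post's attack plan targets that storage rather than the KDF; a chip whose counter sat in a register would be reset to zero by the very power cut the laser rig needs.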