<p><pre><code> > In order to read the NVMe, I therefore developed a PCIe card with a Zero
 > Insertion Force reader. I brought the JTAG part to a 20-pin header. The hard
 > part in here is the signal integrity of the differential pairs. In order
 > to do so, I had to use a multi-layer PCB, and have the impedance match by
 > knowing the stackup, materials used for prepreg and so on..
</code></pre>
Posts like this are very humbling. They serve as a good reminder that no matter how far I've come and how much I've learned, there will always be someone out there who knows vastly more than me like the back of their hand.
The gold is at the bottom:<p><pre><code> The idea here would be to see if it was possible to control the NVMe
over jtag in order to ask it to perform a DMA read over the PCIe Bus.
In order to do so, the PCI_COMMAND_BUS_MASTER has to be set to 1. We
can assume that since the chip is using remote RAM, it is allowed to
act as a master over PCIe. Here is a snippet of the probing function
of the kernel driver.
</code></pre>
(code)<p><pre><code> Our goal here is to force the DMA to happen just by controlling the
ARM of the NVMe over JTAG, in order to ask it to dump the region we
alloc'd in kernel and see if we get the data out of it.
</code></pre>
In other words, full root exploit of the phone from the NVMe JTAG pins.
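The quoted passage hinges on one configuration-space bit, PCI_COMMAND_BUS_MASTER: a device whose Command register has it set may initiate DMA. As an added example (not code from the article or from anyone in the thread), the following Python decodes that register from constructed `lspci -xxx` style dumps so a defender can inventory which endpoints are DMA-capable and therefore must be covered by the IOMMU; the sample devices and IDs are placeholders.

```python
import re
# Constructed sample in the style of `lspci -xxx` output (first 64 bytes of
# config space per device). Vendor/device IDs and register values are
# placeholders for illustration, not taken from the article.
SAMPLE_LSPCI_XXX = """\
01:00.0 Non-Volatile memory controller: Example NVMe Controller
00: 34 12 01 00 06 04 10 00 00 02 08 01 00 00 00 00
10: 04 00 a0 fd 00 00 00 00 00 00 00 00 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 34 12 01 00
30: 00 00 00 00 40 00 00 00 00 00 00 00 0b 01 00 00

02:00.0 Network controller: Example WiFi
00: cd ab 33 44 00 00 10 00 00 80 02 00 00 00 00 00
10: 04 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 cd ab 33 44
30: 00 00 00 00 40 00 00 00 00 00 00 00 0a 01 00 00
"""

# Command register: config space offset 0x04, 16 bits, little-endian.
PCI_COMMAND_IO = 0x1          # bit 0: I/O space decoding enabled
PCI_COMMAND_MEMORY = 0x2      # bit 1: memory space decoding enabled
PCI_COMMAND_BUS_MASTER = 0x4  # bit 2: device may initiate DMA
HEADER_RE = re.compile(r"^([0-9a-f]{2}:[0-9a-f]{2}\.[0-9a-f]) (.*)$")
HEXLINE_RE = re.compile(r"^([0-9a-f]{2}): ((?:[0-9a-f]{2} ?)+)$")

def parse_lspci_xxx(text):
    """Return {bdf: {"desc": str, "cfg": bytearray}} from lspci -xxx text."""
    devices, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # "01:00.0 <description>" starts a new device
            current = m.group(1)
            devices[current] = {"desc": m.group(2), "cfg": bytearray()}
            continue
        m = HEXLINE_RE.match(line)
        if m and current is not None:  # "10: xx xx ..." row of 16 bytes
            devices[current]["cfg"] += bytes.fromhex(m.group(2).replace(" ", ""))
    return devices

def decode_command(cfg):
    """Decode the Command register bits relevant to DMA exposure."""
    cmd = int.from_bytes(cfg[4:6], "little")
    return {"io": bool(cmd & PCI_COMMAND_IO), "memory": bool(cmd & PCI_COMMAND_MEMORY),
            "bus_master": bool(cmd & PCI_COMMAND_BUS_MASTER)}

def bus_master_devices(text):
    """BDFs whose Command register has Bus Master Enable set (DMA-capable)."""
    devs = parse_lspci_xxx(text)
    return sorted(b for b, d in devs.items() if decode_command(d["cfg"])["bus_master"])
```

On a real host, feed it the output of `lspci -xxx` and compare the result against the devices your IOMMU groups actually isolate.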
> It looks like to reduce the size needed, the NVMe core uses the host DDR in order to work. Therefore, Apple is not strictly following the specification regarding the initialisation.<p>Yikes.