Apple Systems-on-Chip implement a secure boot mechanism to guarantee platform integrity, which is a mandatory prerequisite for protecting the confidentiality of user data. Fault injection is a well-known technique for breaking secure boot: a fault corrupts the firmware signature verification so that the check is bypassed and unsigned, potentially malicious firmware is executed. Laser Fault Injection (LFI) is currently the most effective way to inject faults into an SoC, but it requires expensive equipment and possibly chip preparation (decapsulation or thinning), which are only available to well-equipped laboratories. Moreover, LFI cannot be used when components are stacked, since the target die is no longer optically accessible. Electromagnetic Fault Injection (EMFI) is a cost-effective alternative that has already given promising results on SoC components. The objective of this internship proposal is to challenge the security of iBoot against EMFI.
The internship is expected to take place in Paris in 2025/2026 and to last 6 months. The program will consist of the following steps:
1. Using a test program, reproduce on an internal SoC whose backside is directly accessible the tests already performed internally.
2. Improve the EMFI setup to increase the spatial resolution of the injection probe and reduce the EM pulse duration.
3. Progressively adjust the parameters of the test program until it executes under the same conditions as iBoot.
4. Modify a signed flash image and bypass iBoot's signature verification with EMFI.
5. If the previous steps succeed, attempt to reproduce the fault injection with the DRAM stacked over the SoC.
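To make concrete why a signature check is the natural fault-injection target, and what a test program exercising the same decision might look like, here is an added C example. It is not code from this proposal, from Apple or from iBoot. It uses a deliberately simplified fault model that is an assumption of the example: the attacker corrupts the register holding one verification result, at one point in the boot flow, to a chosen value (the typical outcome of a skipped or corrupted instruction). The digests, the VERIFY_OK/VERIFY_BAD constants and all function names are constructed for illustration. It contrasts a naive single-branch check with a redundant check that a single such fault cannot satisfy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the value a signed image must carry: 16 bytes the
 * boot code compares against a trusted reference. Real iBoot verification is an
 * asymmetric signature check; a byte comparison is enough to model the branch
 * a fault has to flip. TRUSTED_DIGEST doubles as the digest of a valid image. */
#define DIGEST_LEN 16
const uint8_t TRUSTED_DIGEST[DIGEST_LEN] = {
    0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
    0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01 };
/* Constructed forged image: one byte changed, as in a modified signed flash image. */
const uint8_t FORGED_IMAGE_DIGEST[DIGEST_LEN] = {
    0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
    0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x00 };

/* Verification results: non-trivial, mutually complementary constants, so a
 * register faulted to 0x00000000 or 0xFFFFFFFF matches neither of them. */
#define VERIFY_OK  0x3CA5C33Au
#define VERIFY_BAD 0xC35A3CC5u   /* ~VERIFY_OK */

/* Assumed fault model: one verification result register is overwritten with
 * an attacker-chosen value at one of the two check points. */
enum fault_point { FAULT_NONE = 0, FAULT_CHECK1 = 1, FAULT_CHECK2 = 2 };
struct fault { enum fault_point where; uint32_t value; };

static uint32_t faulted(uint32_t real, enum fault_point here, const struct fault *f)
{
    return (f != NULL && f->where == here) ? f->value : real;
}

/* Constant-time comparison; returns VERIFY_OK only when every byte matches. */
static uint32_t verify_image(const uint8_t *img_digest)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < DIGEST_LEN; i++)
        diff |= (uint8_t)(img_digest[i] ^ TRUSTED_DIGEST[i]);
    return diff == 0 ? VERIFY_OK : VERIFY_BAD;
}

/* Naive bootloader: a single zero/non-zero branch. A fault that zeroes the
 * result register (or skips the compare) boots the forged image. */
bool naive_boot(const uint8_t *img_digest, const struct fault *f)
{
    int rc = (verify_image(img_digest) == VERIFY_OK) ? 0 : -1;
    rc = (int)faulted((uint32_t)rc, FAULT_CHECK1, f);
    if (rc != 0)
        return false;          /* reject image */
    return true;               /* jump to firmware */
}

/* Hardened bootloader: verify twice, require each result to equal the
 * non-trivial VERIFY_OK, and require the two results to agree. One corrupted
 * register cannot satisfy all three tests; volatile stops the compiler from
 * folding the checks into a single branch. */
bool hardened_boot(const uint8_t *img_digest, const struct fault *f)
{
    volatile uint32_t r1 = faulted(verify_image(img_digest), FAULT_CHECK1, f);
    if (r1 != VERIFY_OK)
        return false;
    volatile uint32_t r2 = faulted(verify_image(img_digest), FAULT_CHECK2, f);
    if (r2 != VERIFY_OK)
        return false;
    if ((r1 ^ r2) != 0)
        return false;
    return true;
}

typedef bool (*boot_fn)(const uint8_t *, const struct fault *);

bool boot_with_fault(boot_fn boot, const uint8_t *img, enum fault_point where, uint32_t value)
{
    struct fault f = { where, value };
    return boot(img, &f);
}

/* Small fault campaign: try the usual corruption outcomes at each check point
 * and count how many of them boot the given (forged) image. */
int count_bypasses(boot_fn boot, const uint8_t *img)
{
    static const uint32_t values[] = { 0x00000000u, 0xFFFFFFFFu, VERIFY_OK };
    int bypasses = 0;
    for (int p = FAULT_CHECK1; p <= FAULT_CHECK2; p++)
        for (size_t v = 0; v < sizeof values / sizeof values[0]; v++)
            if (boot_with_fault(boot, img, (enum fault_point)p, values[v]))
                bypasses++;
    return bypasses;
}

int main(void)
{
    printf("naive:    forged image boots under %d of 6 single faults\n",
           count_bypasses(naive_boot, FORGED_IMAGE_DIGEST));
    printf("hardened: forged image boots under %d of 6 single faults\n",
           count_bypasses(hardened_boot, FORGED_IMAGE_DIGEST));
    return 0;
}
```

In the campaign, the naive design boots the forged image for exactly one simulated fault (the result register zeroed at the only check), while the hardened design boots it for none: forcing the first result to VERIFY_OK still fails the second, independent check. On real hardware the same idea drives the test program of steps 1 to 3, where one sweeps probe position and pulse timing over a loop with a known sensitive branch and counts how often the outcome deviates before moving on to the real target.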