This is a simple “concept” demonstration / simulation of a NAND replay attack on an iOS 9.0 device. I wanted to demonstrate how copying back disk content could allow for unlimited passcode attempts. Here, instead of using a chip programmer to copy certain contents of the NAND, I demonstrate it by copying the data using a jailbreak. For Farook’s phone, the FBI would remove the NAND chip, copy the contents into an image file, try passcodes, and then copy the original content back over onto the chip.
I did this here, only with a jailbreak: I made a copy of two property lists stored on the device, then copied them back and rebooted after five attempts. When doing this on a NAND level, actual blocks of encrypted disk content would be copied back and forth, whereas I’m working with files here. The concept is the same, and serves only to demonstrate that unlimited passcode attempts can be achieved by back-copying disk content. Again, NO JAILBREAK IS NEEDED to do this to Farook’s device, as the FBI would be physically removing the NAND to copy this data.
Other techniques can be used to speed this up. For example, the clock could possibly be fudged by giving the device a data connection and rerouting time requests to a local server. Think IMSI catcher. This could be used to continuously bump the time five or ten minutes so that more passcode attempts could be tried per reboot without as many delays. The NAND chip could also be socketed or reworked in other ways to make switches seamless. Lastly, the same techniques used in IP BOX such as entering pins through the usb, and using a light sensor to detect an unlock, could help to automate this to be more efficient. Overall, I think this puts to bed any notion that the technique “doesn’t work”.
Update: This technique was later proven by another researcher who wrote about it in this paper: http://arxiv.org/pdf/1609.04327v1.pdf