- The paper introduces ARIstoteles, an automated Wireshark dissector that decodes the proprietary ARI protocol and exposes critical iOS cellular vulnerabilities.
- It employs Ghidra scripts for extracting TLV definitions and reverse engineering the complex bit-level fragmented protocol structure.
- Fuzzing experiments reveal 42 unique crashes, showing that previously unaddressed vulnerabilities in Apple's cellular stack can be identified and patched.
Dissecting Apple's Baseband Interface: An Expert Analysis of "ARIstoteles"
Introduction
"ARIstoteles -- Dissecting Apple's Baseband Interface" (2604.23457) addresses a substantial gap in mobile security research: the lack of public understanding regarding the proprietary Apple Remote Invocation (ARI) protocol used on iOS devices for baseband management. The paper details the reverse engineering and fuzz-testing of ARI, presents ARIstoteles, an automated Wireshark dissector for ARI, and demonstrates the critical vulnerability landscape exposed within Apple's cellular interfaces.
iOS Baseband Security Architecture and ARI
The baseband interface on iOS represents a large attack surface: cellular chips are optimized for performance rather than security and often lack common exploit mitigations. ARI is the management interface for Intel basebands, the counterpart of Qualcomm's QMI protocol; both interact with iOS via CommCenter and other user-space daemons. The undocumented nature of ARI, together with the limited research on iOS cellular daemons compared to Android, highlights the necessity of the work presented.

Figure 1: Simplified baseband packet parsing architecture on iOS 12–14, illustrating CommCenter’s central role and connections to chip-specific shared libraries and various daemons.
Reverse Engineering ARI: Protocol Structure and Challenges
ARI is a historically grown, complex binary protocol carrying high-level commands such as SMS, SIM access, and telephony management. Its header features bit-level fragmentation and non-continuous fields, which complicate static analysis and classification. The paper first describes the failure of fully automated heuristic segmentation, which cannot reliably reconstruct ARI fields because of these irregular structures.
Figure 2: Message type classification results showing multiple clusters, demonstrating the success and limitations of cluster-based traffic analysis on ARI traces.
The authors then advance to using Ghidra scripts for automated parsing of libARI.dylib and libARIServer.dylib, extracting protocol group and TLV definitions, and integrating type information—including mappings from integer codes to human-readable string representations—thus enabling robust dissector generation with minimal manual intervention. The resulting Lua-based Wireshark dissector ARIstoteles can adapt to future protocol changes as new iOS versions are released.
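To make concrete why byte-boundary heuristics fail on such a header and how a table of field definitions (the kind the paper's Ghidra scripts extract) drives a dissector, here is an added example that is not the paper's code. The header layout, field names, TLV codes and enum strings are constructed for illustration and are not the real ARI format; the declared-length and TLV bounds checks show the kind of validation a parser needs before trusting attacker-controlled lengths.

```python
# Added example, not the paper's code; layout and names are constructed, NOT real ARI.
import struct
from functools import reduce

# Field table of the kind a Ghidra extraction script would emit. Fragments are
# (byte_offset, bit_offset, width), high bits first; bit 0 = MSB of the byte.
HEADER_FIELDS = {
    "group": [(0, 0, 4)],                # bits 0-3 of byte 0
    "msg_type": [(0, 4, 4), (2, 0, 6)],  # 10 bits split over bytes 0 and 2
    "seq": [(1, 0, 8)],
    "length": [(2, 6, 2), (3, 0, 8)],    # 10-bit payload length, fragmented
}
def _bits(buf, byte_off, bit_off, width):
    return (buf[byte_off] >> (8 - bit_off - width)) & ((1 << width) - 1)
def parse_header(buf: bytes) -> dict:
    # Reassemble each field by concatenating its fragments in table order.
    return {name: reduce(lambda acc, f: (acc << f[2]) | _bits(buf, *f), frags, 0)
            for name, frags in HEADER_FIELDS.items()}

# TLV table: type code -> (name, decoder); enum decoders map ints to strings.
SIM_STATE = {0: "absent", 1: "present", 2: "locked"}
TLV_DEFS = {
    0x01: ("sim_state", lambda v: SIM_STATE.get(v[0], f"unknown({v[0]})")),
    0x02: ("iccid", lambda v: v.decode("ascii")),
    0x03: ("signal_dbm", lambda v: struct.unpack("!h", v)[0]),
}
def parse_tlvs(payload: bytes) -> list:
    """Walk type(1)/length(1)/value records, rejecting truncated ones."""
    tlvs, pos = [], 0
    while pos + 2 <= len(payload):
        t, tlen = payload[pos], payload[pos + 1]
        value = payload[pos + 2:pos + 2 + tlen]
        if len(value) != tlen:
            raise ValueError(f"truncated TLV 0x{t:02x} at offset {pos}")
        name, decode = TLV_DEFS.get(t, (f"tlv_0x{t:02x}", bytes.hex))
        tlvs.append((name, decode(value)))
        pos += 2 + tlen
    return tlvs
def dissect(packet: bytes) -> dict:
    if len(packet) < 4:
        raise ValueError("packet shorter than 4-byte header")
    hdr = parse_header(packet)
    body = packet[4:4 + hdr["length"]]
    if len(body) != hdr["length"]:  # never trust a declared length blindly
        raise ValueError("declared length exceeds packet")
    return {"header": hdr, "tlvs": parse_tlvs(body)}

# Constructed sample: group=3, msg_type=42, seq=7, 13-byte TLV payload.
SAMPLE = (bytes([0x30, 0x07, 0xA8, 0x0D, 0x01, 1, 0x02, 0x02, 4]) + b"8901"
          + bytes([0x03, 2]) + struct.pack("!h", -97))
```

Note that `msg_type` spans the low nibble of byte 0 and the high six bits of byte 2, so a segmenter that assumes fields are contiguous byte runs would never recover it.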
Enhancing Security Research: Fuzzing the ARI Interface
Protocol knowledge extracted from closed-source libraries is leveraged to fuzz CommCenter using Frida and AFL++ instrumentation. Multiple fuzzing strategies are evaluated for speed and coverage, with mutation-based fuzzing on a physical device yielding a throughput up to 17,000 fuzz cases per second. Coverage-guided approaches, while insightful, suffer from inconsistent protocol state and lower yield. The analysis finds 42 unique crashes in CommCenter and ARI-related libraries, with 12 additional daemons affected via XPC communication.
Figure 3: ARIstoteles dissecting an SMS, showcasing parsed field-level information critical for forensic and security tasks.
Figure 4: Crash within reported network cells during a scan, illustrating practical impact and diagnostic capability via the ARIstoteles dissector.
Strong claims are made regarding Apple’s lack of internal fuzz-testing for ARI, supported by the density and severity of discovered vulnerabilities. All replayable crashes were eventually patched by Apple in subsequent iOS updates, pointing to actionable industry responses initiated by the research.
Practical Implications and Theoretical Impact
The ability to reverse-engineer and dissect proprietary protocols such as ARI opens avenues for low-level cellular experimentation on iOS—previously only possible for Bluetooth and Wi-Fi. The ARIstoteles dissector greatly improves observability and debuggability by enabling real-time packet analysis, protocol change tracking across iOS versions, and crash root cause identification even in highly obfuscated binaries.
Moreover, by automating Wireshark dissector generation with Ghidra scripts, the paper sets a precedent for future reverse engineering of other proprietary protocols, supporting the expansion of security research beyond the Android ecosystem. The fuzzing methodology and performance benchmarks inform practical strategies for vulnerability discovery on closed embedded platforms.
Future Directions
This research suggests several trajectories for future work:
- Extending static traffic analysis techniques to handle bit-level fragmented and non-continuous protocol structures, generalizing the approach for similarly complex proprietary interfaces.
- Building comprehensive cellular experimentation frameworks for iOS, enabling rapid prototyping and vulnerability assessment akin to InternalBlue for Bluetooth or Nexmon for Wi-Fi.
- Applying ARIstoteles and automated dissector generation techniques to other proprietary wireless protocols and daemons, broadening the scope of mobile security research.
Conclusion
By documenting, dissecting, and exposing the ARI protocol, ARIstoteles empowers researchers to analyze and secure previously inaccessible components of the iOS wireless stack. The discovery of numerous vulnerabilities in untested code emphasizes the importance of rigorous testing—even for proprietary, undocumented interfaces exposed to remote interaction. The open-source release of ARIstoteles, alongside the Ghidra extraction scripts, constitutes a significant enabler for ongoing and future research on cellular security, protocol forensics, and automated binary analysis.