1. 24
  1.  

  2. 4
    • probably worth (a) million(s) (of) bucks
    • unpatchable
    • done w USB before any security mechanisms in place
    • reboot removes exploit (“tethered”)
    • this is what Graykey etc. base their business model off of (er, idk)
    • gives JTAG interface (it’s like a shell for the CPU)
    • claims of custom firmware to bypass iCloud lock are already out there (and will probably become public eventually now that this exists publicly)
    • run windows (or anything) on your iPhone
    1. 1

      For Windows, it’s a bit more complex because it doesn’t support interrupt controllers outside of a standard GIC for the ARMv8 port, so some patching will be required.

      I’m in the process of getting a basic Linux port running since a while though.

      For GrayKey and such, this allows them to image and then restore back the keys when the SEP thrashes them from NAND after the input attempts are exceeded, making it possible to continue bruteforcing.

      1. 1

        Does apple have a custom interrupt controller?? o_0

        1. 2

          Yes, they use a custom AIC interrupt controller instead of the ARM GIC unlike pretty much everyone else now.

          Also, their CPUs since the A10 only implement EL1 and EL0, no EL2 or EL3 anywhere in them (+ a metric ton of custom registers, from KTRR through APRR, and WKdm compression extensions even and more + AMX on A13 onwards)

          Also about non-standard interrupt controllers and Windows, forgot to talk about the Raspberry Pi exception, which was a very special case that didn’t happen twice.

      2. 1

        Did I mention that it can bypass iCloud locked devices? (To turn them on with a custom/stock OS, not to break into another person’s OS, see SEP comment in other comment branch “below”)

        1. 2

          Thank you for pointing that out, I’ve merged rdfzrz in to ntmalf.

        2. 1

          The exploit is probably worth a million dollars.

          1. 1

            I haven’t had much time to investigate, but I’m interested in whether it will be a boon to companies like GrayShift (the makers of the GrayKey device that can decrypt plugged-in iOS devices through brute force). If you can access DFU mode and apply this jailbreak without a passcode, could it be used to sidestep disk encryption and force the device to give up its secrets (or at least make brute-forcing easier)? Could you dump the storage contents for offline brute-force attacks? How much does the use of the Secure Enclave stop these issues?

            1. 2

              SEP stops it completely. Encryption applied to files on device not broken by bypassing BootROM - another exploit is needed to do what you’re thinking of. And GrayShift already had or has a zero day like this one, so I don’t think it’ll make much difference.

              Course major corollary is that this will enable a huge more amnt of research so it could help towards finding those second exploits

              1. 1

                But also if a method to crack SEP is found then it can be silently applied by anyone with possession of your phone, because of the BootROM exploit

              2. 1

                Maybe the 10 year mobile dark ages will soon be over. This, the Librem 5, and the PinePhone are timed perfectly.

                1. 5

                  Full end-user usable or even power-user usable stack is hella far from uh existing

                  From a software standpoint: What phone could possibly compete in an actual market (not FOSS zealot enclave)?

                  Librem has problems

                  1. 2

                    I am making a prediction. Look at the market 10 years ago when there still was a BootROM exploit, Jailbreaking was pretty popular. Look back at the market 30 years ago when Linux was first released, it also had problems.

                2. 1

                  I linked this because it’s the developer of the exploit explaining their motivations (on page 3). Understandable if it gets merged into ntmalf though.

                  1. 1

                    Thank you for posting this follow-up interview. I did merge it, hlngzo, in to ntmalf as you surmise.