Usbliter8: an A12/A13 SecureROM Exploit
ps.tc120 points by givinguflac 6 days ago
120 points by givinguflac 6 days ago
https://www.macrumors.com/2026/06/18/a12-and-a13-chips-facin...
I'm curious what this will lead to, both security wise and jailbreak hobbyist wise. I saw this overview: https://www.reddit.com/r/jailbreak/comments/1ua58xd/usbliter... which mentions that it won't let an attacker gain full access to iOS on a passworded device without another exploit: > BPR, or Boot Process Register, was a feature implemented in iOS 14 in order to additionally secure devices from bootROM based attacks. Crucially, it restricts data access when a device is booted directly from DFU mode, which is required by both checkm8 and usbliter8. In iOS 14 and 15, this manifested as the requirement to disable your passcode when jailbreaking A11 devices with checkra1n/palera1n, and is the reason why A11 devices must be first erased if they previously had a passcode before jailbreaking with palera1n. A10 devices were not affected by this as they had a SEP exploit, known as blackbird, which prevented this issue from arising. We do not have a SEP exploit for A11 and newer. This is awesome news! It isn't a jailbreak in and of itself, but it is the first step. Right now we only have a reliable jailbreak (checkm8) for up to iOS 18 (and that's only thanks to one iPad model). Some app developers are pretty aggressive about dropping support for older iOS versions. This affects iPhone XR, XS, 11, SE 2nd gen, and a smattering of iPads. Many of these devices got the iOS 27 beta and will likely see future iOS versions for at least another year or two. Edit: here's the affected iPads: * iPad Pro 11" (gen 1-2) * iPad Pro 12.9" (gen 3-4) * iPad mini (gen 5) * iPad Air (gen 3) * iPad (gen 8-9) Also great new for Cellebrite? Reboot your phone after the feds have it before you unlock it again Once the feds have the phone, they aren't going to allow him to touch it, much less reboot it. They have to reboot it to use a bootloader exploit. Reboot it again after you get it back to erase whatever they did. I first thought of SecuROM, a CD/DVD copy protection scheme applied to computer game discs: https://en.wikipedia.org/wiki/SecuROM That's what I thought as well. I read the headline and was surprised that SecuROM was still around and was confused what it had to do with Apple... until I saw your comment. Time for my annual check, and yep, gamecopyworld.com is still kickin' with roughly the same theme since 1998 A DRM scheme that often failed to work and had a limit to the amount of installs. Ohhhh this is interesting!!!!! I really miss the glory days of jailbreaking, it just unlocked so many handy, fun, and cool stuff. From running webservers to speeding up the terribly slow animations. ...or adding system-wide Copy and Paste when the iPhone first launched without it... Since this can only underflow and some written bits are not attacker-chosen, does this not imply that the patchable part of the software could reliably detect this just in time and panic on suspected USB DMA corruption? Where is the catch? The exploit grants arbitrary code execution, it can just fix up the telltale signs of the USB DMA corruption before jumping to an updatable part of the boot flow supposedly an unfixable vulnerability possibly affecting several iPhone models. should be more relevant than 4 points imho. > The DesignWare USB controller stores up to three consecutive Setup packets in memory. > Upon receiving a fourth Setup transaction, the DMA base address gets reset to its starting position before writing, akin to a ring buffer mechanism. > After writing each received packet, the controller increments DOEPDMA by the size of data written. The reset operation is implemented by decrementing DOEPDMA by 24. > The core issue arises because the controller also accepts smaller packets (though always stores in 4-byte chunks). > Since the pointer increment does not match the fixed decrement amount, we end up with a buffer underflow primitive in 12-byte steps. so the problem is directly in the hardware, not in driver what kind of defense would work against such bugs? ==== wait, am I understanding it right that DMA access was given directly to the stack?? The DMA buffer points to the heap. The USB controller has access to it, but it only increments it and decrements. By sending multiple packets that are smaller than typical, we can trick the USB controller to decrement the base pointer by more than it should, getting to underflow. It so happens that on A12, the DMA buffer is after the USB task stack, so getting it to decrement by enough will get it to point to the task stack, where we can then write to LR and control where some function on the stack will eventually return to. On most modern Apple SoCs, including these two, there's an IOMMU dedicated to the USB complex (called the USB DART, perhaps DMA Address Remapping Table). However, Boot ROM on these two chips does not program it; Apple probably felt that it was an unnecessary technical risk to do so. The Boot ROM code was well-verified and unlikely to contain bugs like buffer overflows. But nobody expected a hardware bug :) Imagine four balls on the edge of a cliff. Say a direct copy of the ball nearest the cliff is sent to the back of the line of balls and takes the place of the first ball. The formerly first ball becomes the second, the second becomes the third, and the fourth falls off the cliff. DOEPDMA works the same way.
ndiddy - 2 hours ago
nfriedly - 4 days ago
jojobas - 2 hours ago
inigyou - 2 hours ago
matheusmoreira - an hour ago
inigyou - an hour ago
nayuki - 6 hours ago
d3Xt3r - 4 hours ago
Scoundreller - 3 hours ago
Velocifyer - 5 hours ago
thenthenthen - 5 days ago
wowczarek - 5 hours ago
edelbitter - 4 days ago
auguzanellato - 4 days ago
raffael_de - 5 days ago
NooneAtAll3 - 5 days ago
Graziano_M - 3 hours ago
summa_tech - 5 hours ago
Lammy - 4 hours ago