home.social

#iostriangulation — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #iostriangulation, aggregated by home.social.

  1. Is register 0x206140008 in the #iOSTriangulation PPL bypass the gfx-asc's l2c_err_sts?
    https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
    When I read it, it matches the value I get for l2c_err_sts in the "GFX SError" panic log.

    (Unfortunately, dma_ctrl_2 sets bit 60 in that register, which doesn't match any of the documented bits in m1n1 https://github.com/AsahiLinux/m1n1/blob/90eef7223e5da9bdc7ad7f823e7748326ba862d2/src/cpu_regs.h#L461, so no idea if it's really l2c_err_sts or not.)

    @oct0xor @marcan
  2. iOS 17.0 developer beta 1-3/public beta 1 also seems to have the KTRR bypass from #iOSTriangulation presented by @oct0xor at #37c3 (CVE-2023-38606)
    Apple patched it in iOS 17.0 beta 4 (21A5291h).
    Again, this needs kernel r/w to exploit, and only iOS 17.0 developer beta 1 has KFD.
  3. The KTRR bypass from #iOSTriangulation presented by oct0xor today at #37c3 (CVE-2023-38606) seems to be present in iOS 16.6 beta 1 to beta 4 as well.
    (Apple patched it in iOS 16.6 beta 5 - the "DENY" entry in the device tree first shows up in that build)
    https://twitter.com/oct0xor/status/1739668628906095056
    (I checked this using the 16.6 beta IPSWs for the iPhone 14 Pro: build 20G5070a was the first with "DENY" in the device tree. https://gist.github.com/zhuowei/7ad550c481e76e0b0b505d44fff5e197)