This is awesome news! It isn't a jailbreak in and of itself, but it is the first step.
Right now we only have a reliable jailbreak (checkm8) for up to iOS 18 (and that's only thanks to one iPad model). Some app developers are pretty aggressive about dropping support for older iOS versions.
This affects iPhone XR, XS, 11, SE 2nd gen, and a smattering of iPads. Many of these devices got the iOS 27 beta and will likely see future iOS versions for at least another year or two.
Sounds like it’s a low level hardware/firmware hole that can’t be patched.
djfergus
Ohhhh this is interesting!!!!! I really miss the glory days of jailbreaking, it just unlocked so many handy, fun, and cool stuff. From running webservers to speeding up the terribly slow animations.
thenthenthen
Imagine four balls on the edge of a cliff.
Say a direct copy of the ball nearest the cliff is sent to the back of the line of balls and takes the place of the first ball. The formerly first ball becomes the second, the second becomes the third, and the fourth falls off the cliff.
DOEPDMA works the same way.
Lammy
Since this can only underflow and some written bits are not attacker-chosen, does this not imply that the patchable part of the software could reliably detect this just in time and panic on suspected USB DMA corruption? Where is the catch?
edelbitter
supposedly an unfixable vulnerability possibly affecting several iPhone models. should be more relevant than 4 points imho.
raffael_de
> The DesignWare USB controller stores up to three consecutive Setup packets in memory.
> Upon receiving a fourth Setup transaction, the DMA base address gets reset to its starting position before writing, akin to a ring buffer mechanism.
> After writing each received packet, the controller increments DOEPDMA by the size of data written. The reset operation is implemented by decrementing DOEPDMA by 24.
> The core issue arises because the controller also accepts smaller packets (though always stores in 4-byte chunks).
> Since the pointer increment does not match the fixed decrement amount, we end up with a buffer underflow primitive in 12-byte steps.
so the problem is directly in the hardware, not in driver
what kind of defense would work against such bugs?
====
wait, am I understanding it right that DMA access was given directly to the stack??
comments (8)
Right now we only have a reliable jailbreak (checkm8) for up to iOS 18 (and that's only thanks to one iPad model). Some app developers are pretty aggressive about dropping support for older iOS versions.
This affects iPhone XR, XS, 11, SE 2nd gen, and a smattering of iPads. Many of these devices got the iOS 27 beta and will likely see future iOS versions for at least another year or two.
Edit: here's the affected iPads:
* iPad Pro 11" (gen 1-2)
* iPad Pro 12.9" (gen 3-4)
* iPad mini (gen 5)
* iPad Air (gen 3)
* iPad (gen 8-9)
nfriedly
nayuki
djfergus
thenthenthen
Say a direct copy of the ball nearest the cliff is sent to the back of the line of balls and takes the place of the first ball. The formerly first ball becomes the second, the second becomes the third, and the fourth falls off the cliff.
DOEPDMA works the same way.
Lammy
edelbitter
raffael_de
> Upon receiving a fourth Setup transaction, the DMA base address gets reset to its starting position before writing, akin to a ring buffer mechanism.
> After writing each received packet, the controller increments DOEPDMA by the size of data written. The reset operation is implemented by decrementing DOEPDMA by 24.
> The core issue arises because the controller also accepts smaller packets (though always stores in 4-byte chunks).
> Since the pointer increment does not match the fixed decrement amount, we end up with a buffer underflow primitive in 12-byte steps.
so the problem is directly in the hardware, not in driver
what kind of defense would work against such bugs?
====
wait, am I understanding it right that DMA access was given directly to the stack??
NooneAtAll3