|Vulnerability in SEPROM|
|Software||A8, A9, A10, and T2 series|
|Disclosed||6 August 2020|
|Discovered by||windknown and littlelailo (independently)|
The blackbird exploit is a SEP bootrom exploit that is currently known to be capable of executing unsigned code on the SEPs of devices with A8, A9, A10, or T2 chips, or any of it's variants. This exploit can only function in combination with an AP bootrom exploit such as checkm8 or an iBoot exploit, as the SEP needs to be in SEPROM for the exploit to work.
The exploit takes advantage of a bug in the reading of the TZ0/TZ1 registers that the attacker controls, wherein the SEP reads the register as a 32-bit unsigned integer, but then immediately shifts the bits to the right 12 times, making any bit set beyond the 20th bit invisible to the SEP. This is in contrast to AMCC (Apple’s Memory Cache Controller) which seems to cast the 32-bit register to a 64-bit value when reading the registers before shifting the bits, meaning that it is able to see the bits that are invisible to SEP. As AMCC attempts to protect the address range specified by the TZ0 and TZ1 registers, the SEP reads and writes to a different address than what AMCC sees, allowing the attacker to read and write to the TZ0 and TZ1 memory addresses which are usually supposed to be invisible to the attacker.
The exploit is able to be used in conjunction with a key pinning attack on TZ0 (The memory used by the SEP to store various things such as the SEP firmware) for the A8 to A9X chips, which therefore allows for exploitation without a valid SEP firmware the next time it is exploited so long as the blocks of memory to be replayed are captured on the first exploitation, as the blocks of memory that are replayed will be valid every time if it is decrypted with the same key. However, the A10 and T2 only have a replay attack, as the key is random every time and cannot be changed due to it being located on the stack, making the key pinning attack impossible without another exploit, and therefore the same blocks of memory cannot be used after a reboot. Therefore, these chips require valid SEP firmware every time the device is restarted in order to be exploited.