Blackbird Exploit - Revision history

Ilikeiphone123: link AP

2022-09-14T08:42:21Z

link AP

Ilikeiphone123: Added more detail to the attack and fixed my previous attempt at describing this exploit.

2022-09-14T08:14:24Z

Added more detail to the attack and fixed my previous attempt at describing this exploit.

LeoI07: Fixed links to A10 and T2; "chips"

2022-09-14T00:45:50Z

Fixed links to A10 and T2; "chips"

LeoI07: Source: Clarity#0625 on Discord (https://discord.com/channels/624739448927682611/740700630376775793/1019371653681123338). Also fixed the stub template.

2022-09-14T00:43:42Z

Source: Clarity#0625 on Discord (https://discord.com/channels/624739448927682611/740700630376775793/1019371653681123338). Also fixed the stub template.

Ilikeiphone123: created the blackbird exploit page, marking as stub because the exploit could be explained in more detail.

2022-02-07T08:37:33Z

created the blackbird exploit page, marking as stub because the exploit could be explained in more detail.

New page

{{lowercase}}
The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit, which is currently known to be able to run unsigned code on the SEP of devices with processors running either a [[A8]], [[A9]], [[A10]], or [[T2]]. This is a tethered exploit, and can only function in combination with [[checkm8 Exploit|checkm8]].

The blackbird exploit is known to be able to load an arbitrary SEP OS on the [[A8]] and [[A9]] processors, and perform a replay attack on the [[A10]] and [[T2]] processors.

[[checkra1n]] is currently the only known tool capable of using the blackbird exploit, and only for the [[A10]] and [[T2]] processors.

== References ==
* [https://raw.githubusercontent.com/windknown/presentations/master/Attack_Secure_Boot_of_SEP.pdf Attack Secure Boot of SEP]

[[Category:Exploits]]
[[Category:Bootrom Exploits]]

{{stub}}

@@ Line 1: / Line 1: @@
 {{lowercase}}
-The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit that is currently known to be capable of executing unsigned code on the SEPs of devices with [[A8]], [[A9]], [[T8010|A10]], or [[T8012|T2]] chips, or any of it's variants. This exploit can only function in combination with an AP [[bootrom]] exploit such as [[checkm8 Exploit|checkm8]] or an [[iBoot (Bootloader)|iBoot]] exploit, as the SEP needs to be in SEPROM for the exploit to work.
+The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit that is currently known to be capable of executing unsigned code on the SEPs of devices with [[A8]], [[A9]], [[T8010|A10]], or [[T8012|T2]] chips, or any of it's variants. This exploit can only function in combination with an [[Application Processor|AP]] [[bootrom]] exploit such as [[checkm8 Exploit|checkm8]] or an [[iBoot (Bootloader)|iBoot]] exploit, as the SEP needs to be in SEPROM for the exploit to work.
 The exploit takes advantage of a bug in the reading of the TZ0/TZ1 registers that the attacker controls, wherein the SEP reads the register as a 32-bit unsigned integer, but then immediately shifts the bits to the right 12 times, making any bit set beyond the 20th bit invisible to the SEP. This is in contrast to AMCC (Apple’s Memory Cache Controller) which seems to cast the 32-bit register to a 64-bit value when reading the registers before shifting the bits, meaning that it is able to see the bits that are invisible to SEP. As AMCC attempts to protect the address range specified by the TZ0 and TZ1 registers, the SEP reads and writes to a different address than what AMCC sees, allowing the attacker to read and write to the TZ0 and TZ1 memory addresses which are usually supposed to be invisible to the attacker.

@@ Line 1: / Line 1: @@
 {{lowercase}}
-The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit that is currently known to be capable of executing unsigned code on the SEP's of devices with [[A8]], [[A9]], [[A10]], or [[T2]] chips. This exploit can only function in combination with [[checkm8 Exploit|checkm8]] or an [[iBoot (Bootloader)|iBoot]] exploit.
+The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit that is currently known to be capable of executing unsigned code on the SEP's of devices with [[A8]], [[A9]], [[T8010|A10]], or [[T8012|T2]] chips. This exploit can only function in combination with [[checkm8 Exploit|checkm8]] or an [[iBoot (Bootloader)|iBoot]] exploit.
-[[checkra1n]] is currently the only known tool capable of using the blackbird exploit, and only for the [[A10]] and [[T2]] processors.
+[[checkra1n]] is currently the only known tool capable of using the blackbird exploit, and only for the [[T8010|A10]] and [[T8012|T2]] chips.
 == References ==

@@ Line 1: / Line 1: @@
 {{lowercase}}
-The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit, which is currently known to be able to run unsigned code on the SEP of devices with processors running either a [[A8]], [[A9]], [[A10]], or [[T2]]. This is a tethered exploit, and can only function in combination with [[checkm8 Exploit|checkm8]].
+The '''blackbird exploit''' is a [[Secure Enclave Processor|SEP]] [[bootrom]] exploit that is currently known to be capable of executing unsigned code on the SEP's of devices with [[A8]], [[A9]], [[A10]], or [[T2]] chips. This exploit can only function in combination with [[checkm8 Exploit|checkm8]] or an [[iBoot (Bootloader)|iBoot]] exploit.
 [[checkra1n]] is currently the only known tool capable of using the blackbird exploit, and only for the [[A10]] and [[T2]] processors.
@@ Line 12: / Line 10: @@
 [[Category:Bootrom Exploits]]
-{{stub}}
+{{stub|exploit}}