Is register 0x206140008 in the #iOSTriangulation PPL bypass the gfx-asc's l2c_err_sts?
https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
When I read it, it matches the value I get for l2c_err_sts in the "GFX SError" panic log.

(Unfortunately, dma_ctrl_2 sets bit 60 in that register, which doesn't match any of the documented bits in m1n1 https://github.com/AsahiLinux/m1n1/blob/90eef7223e5da9bdc7ad7f823e7748326ba862d2/src/cpu_regs.h#L461, so no idea if it's really l2c_err_sts or not.)

@oct0xor @marcan
Operation Triangulation: The last (hardware) mystery

Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs.

Kaspersky
iOS 17.0 developer beta 1-3/public beta 1 also seems to have the KTRR bypass from #iOSTriangulation presented by @oct0xor at #37c3 (CVE-2023-38606)
Apple patched it in iOS 17.0 beta 4 (21A5291h).
Again, this needs kernel r/w to exploit, and only iOS 17.0 developer beta 1 has KFD.
The KTRR bypass from #iOSTriangulation presented by oct0xor today at #37c3 (CVE-2023-38606) seems to be present in iOS 16.6 beta 1 to beta 4 as well.
(Apple patched it in iOS 16.6 beta 5 - the "DENY" entry in the device tree first shows up in that build)
https://twitter.com/oct0xor/status/1739668628906095056
(I checked this using the 16.6 beta IPSWs for the iPhone 14 Pro: build 20G5070a was the first with "DENY" in the device tree. https://gist.github.com/zhuowei/7ad550c481e76e0b0b505d44fff5e197)
Boris Larin (@oct0xor) on X

All the details about this vuln and much more will be revealed tomorrow by us (me, @bzvr_, @kucher1n) during our talk “Operation Triangulation: What You Get When Attack iPhones of Researchers” at #37c3 (14:45 CET). There will also be a live stream. https://t.co/g5cQLf6za4

X (formerly Twitter)
Operation Triangulation: iOS devices targeted by a newly discovered malware

The "Operation Triangulation" malware campaign targets iOS devices in Russia, Israel and China and uses exploits delivered via iMessage.

Tarnkappe.info