Comment by cf1241290841

2 years ago

As it's about a 37c3 presentation, here is a comment from Fefe¹ in German: https://blog.fefe.de/?ts=9b729398

According to him, the exploit chain was likely worth in the region of an 8-digit dollar value.

¹ https://en.wikipedia.org/wiki/Felix_von_Leitner

I guess somebody is going to get fired.

Why? Having exploits “burned” is part of the business.

  • Exploit yes

    Decade-old backdoors no

    • > Decade old Backdoors no

      I really doubt it's a backdoor. After reading the blog post and this thread chain from a prolific M1 MacBook hacker (marcan), I think it was just an unused or very rarely used feature that was left enabled by accident.

      https://social.treehouse.systems/@marcan/111655847458820583

      Some choice quotes.

      First, yeah, the dbgwrap stuff makes perfect sense. I knew about it for the main CPUs, makes perfect sense it'd exist for the ASCs too. Someone had a lightbulb moment. We might even be able to use some of those tricks for debugging stuff ourselves :)

      Second, that "hash" is almost certainly not a hash. It's an ECC code*. I bet this is a cache RAM debug register, and it's writing directly to the raw cache memory array, including the ECC bits, so it has to manually calculate them (yes, caches in Apple SoCs have ECC, I know at least AMCC does and there's no reason to think GPU/ASC caches wouldn't too). The "sbox" is just the order of the input bits to the ECC generator, and the algorithm is a textbook ECC code. I don't know why it's somewhat interestingly shuffled like that, but I bet there's a hardware reason (I think for some of these things they'll even let the hardware synthesis shuffle the bits to whatever happens to be physically optimal, and that's why you won't find the same table anywhere else).

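To make the "it's an ECC code, and the sbox is just the input bit order" point concrete, here is an added illustrative example (not code from the thread, the talk, or Apple's hardware): a textbook Hamming SECDED code over a 64-bit word that produces 8 check bits, with an `order` table standing in for the "sbox". The column assignment, the 64-bit word width and the permutation used below are all assumptions chosen for illustration; the point it demonstrates is that any permutation of the input bits yields a valid code with identical correction/detection properties, while the check bits themselves (the "hash") change with the ordering, which is why the same table would not be found anywhere else.

```python
"""Textbook Hamming SECDED over a 64-bit data word (illustrative example).

Not Apple's algorithm or register layout: a standard (72,64) single-error-
correct, double-error-detect code, written so that the effect of shuffling
the order in which data bits feed the ECC generator can be observed.
"""

DATA_BITS = 64
CHECK_BITS = 7  # Hamming check bits; an 8th bit is the overall parity

# Syndrome "column" for each data bit: non-zero 7-bit values that are not
# powers of two (powers of two are reserved for the check bits themselves).
# The first 64 such values are used; this choice is an assumption.
_DATA_COLUMNS = [v for v in range(1, 1 << CHECK_BITS) if v & (v - 1)][:DATA_BITS]


def _parity(x: int) -> int:
    """Parity (XOR of all bits) of an integer."""
    return bin(x).count("1") & 1


class SecdedCode:
    def __init__(self, order=None):
        # order[i] selects which column physical data bit i is wired to.
        # This plays the role of the "sbox" in the thread: a pure bit
        # reordering in front of the ECC generator.
        self.order = list(order) if order is not None else list(range(DATA_BITS))
        if sorted(self.order) != list(range(DATA_BITS)):
            raise ValueError("order must be a permutation of the data bit indices")
        self.columns = [_DATA_COLUMNS[self.order[i]] for i in range(DATA_BITS)]

    def check_bits(self, data: int) -> int:
        """Return the 8 ECC bits for a 64-bit word: 7 Hamming + 1 overall parity."""
        syn = 0
        for i in range(DATA_BITS):
            if (data >> i) & 1:
                syn ^= self.columns[i]
        overall = _parity(data) ^ _parity(syn)
        return syn | (overall << CHECK_BITS)

    def decode(self, data: int, ecc: int):
        """Return (status, data, ecc) with status 'ok', 'corrected' or 'uncorrectable'."""
        mask = (1 << CHECK_BITS) - 1
        stored_syn = ecc & mask
        stored_overall = (ecc >> CHECK_BITS) & 1
        syndrome = stored_syn ^ (self.check_bits(data) & mask)
        # Overall parity over the whole received 72-bit codeword.
        parity_err = _parity(data) ^ _parity(stored_syn) ^ stored_overall
        if syndrome == 0 and parity_err == 0:
            return "ok", data, ecc
        if parity_err == 0:
            # Non-zero syndrome with consistent overall parity: even number of
            # flips, i.e. a double error. Detected, not corrected.
            return "uncorrectable", data, ecc
        # Odd number of flips: assume exactly one and locate it.
        if syndrome == 0:
            return "corrected", data, ecc ^ (1 << CHECK_BITS)  # overall parity bit
        if syndrome & (syndrome - 1) == 0:
            return "corrected", data, ecc ^ syndrome  # one Hamming check bit
        if syndrome not in self.columns:
            return "uncorrectable", data, ecc
        return "corrected", data ^ (1 << self.columns.index(syndrome)), ecc


def exhaustive_check(code: SecdedCode, word: int):
    """Flip every single bit and every pair of bits of the 72-bit codeword.

    Returns (single errors corrected back to the original, double errors
    reported as uncorrectable). A correct SECDED code gives (72, 2556).
    """
    ecc = code.check_bits(word)
    total = DATA_BITS + CHECK_BITS + 1

    def flip(d, e, pos):
        if pos < DATA_BITS:
            return d ^ (1 << pos), e
        return d, e ^ (1 << (pos - DATA_BITS))

    singles = doubles = 0
    for a in range(total):
        d1, e1 = flip(word, ecc, a)
        status, cd, ce = code.decode(d1, e1)
        if status == "corrected" and cd == word and ce == ecc:
            singles += 1
        for b in range(a + 1, total):
            d2, e2 = flip(d1, e1, b)
            if code.decode(d2, e2)[0] == "uncorrectable":
                doubles += 1
    return singles, doubles


if __name__ == "__main__":
    identity = SecdedCode()
    shuffled = SecdedCode(list(reversed(range(DATA_BITS))))  # constructed "sbox"
    word = 0x0123456789ABCDEF  # constructed sample word
    print("identity ecc:", hex(identity.check_bits(word)))
    print("shuffled ecc:", hex(shuffled.check_bits(word)))
    print("identity:", exhaustive_check(identity, word))
    print("shuffled:", exhaustive_check(shuffled, word))
```

Both orderings correct all 72 single-bit flips and flag all 2556 double-bit flips, yet produce different check bits for the same word. That is the whole content of the "sbox": it changes the bit pattern a debug register must write alongside the raw cache line, not the code's strength, so software poking the array directly has to reproduce the exact ordering the hardware was synthesised with.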