Team Pangu demonstrates unpatchable Secure Enclave Processor (SEP) chip vulnerability in iOS


Apple iPhone jailbreaking tool maker, Team Pangu demonstrated an unpatchable SEP vulnerability in iOS at MOSEC 2020

The Team Pangu is a Chinese iOS hacking community that has been developing the Pangu jailbreaking tools. Over the years, Team Pangu has been one of the top jailbreak tool makers for iPhones. Their latest exploit may help Team Pangu build a new jailbreak tool for the newly released Apple iOS 14.

Xu Hao a member of Team Pangu says they have found an “unpatchable” vulnerability on the Secure Enclave Processor (SEP) chip in iPhones. Hao presented his talk – Attack Secure Boot of SEP – on 24th July at MOSEC 2020 in Shanghai, China.

SEP (Secure Enclave Processor) is an independent coprocessor that provides an extra layer of security to Apple iPhones and iPads. The Secure Enclave (not to be confused with the Secure Element) is part of the A7 and newer chips used for data protection, Touch ID, and Face ID.

The purpose of the SEP chip is to handle authentication keys and biometrics data that is sensitive enough to not be handled by the AP. It is isolated with a hardware filter so the AP cannot access it. It shares RAM with the AP, but a portion of the RAM (known as TZ0) is encrypted. The secure enclave itself is a flashable 4MB AKF processor core called the secure enclave processor (SEP) as documented in Apple Patent Application 20130308838. The technology used is similar to ARM’s TrustZone/SecurCore but contains proprietary code for Apple KF cores in general and SEP specifically. It is also responsible for generating the UID key on A9 or newer chips that protects user data at rest.

Team Pangu demonstrated that they could exploit a bug in the memory controller that manipulates the TZ0 register memory. TZ0 refers to a register that controls the range of SEP memory usage. MOSEC made a post on the Chinese microblogging site Weibo explaining how Team Pangu exploited the bug

One of the topics at the finale of today’s meeting is the security research on iOS SEP chips brought by @windknown from the Pangu team. It is also the world’s first topic to disclose security vulnerabilities in iOS SEP chips. For a long time, in order to ensure the security of mobile phone encryption capabilities, Apple has put many key encryption/decryption and secure storage functions in an independent coprocessor (SEP).

Like BOOTROM, SEP chip also has independent SPPROM for loading SEPOS and APP running on SEPOS. However, due to the particularity of ROM, ROM is a system built into the chip and is read-only. So, the corresponding vulnerabilities cannot be upgraded and patched by Apple through software updates. Therefore, we also call these vulnerabilities as hardware vulnerabilities.

Windknown first introduces the architecture of Apple’s SEP hardware and system. The main processor and the co-processor are isolated and need to communicate through a shared memory mechanism. Subsequently, it explained in detail the process of SEPROM initialization, including the realization of the memory isolation mechanism. The memory isolation mechanism is implemented by the TZO mechanism.

The TZ0 register describes the range of SEP memory usage, and AMCC is used to prohibit the main processor from accessing the memory space of TZO. The epic vulnerability announced this time is in SEPROM. By combining the BOOTROM exploit of checkm8, the IO mapping register can be modified to bypass the memory isolation protection. Then cooperate with the race of the main processor to achieve the purpose of modifying any SEPOS and SEP APP. For example, through the restriction of password input in patch sks, to try to lock the screen password without restriction.

Yalu Jailbreak team says that Team Pangu may sell the exploit to Apple if it pays them the right kind of money. Another iPhone jailbreaker, @axi0mX says that the SEP Chip bug is not as severe as it is made to be.

According to Axi0mX, the SEP chip bug can only be triggered if the hacker has physical access to the device and with a BOOTROM exploit like checkm8 or checkra1n. He also adds that the latest iPhones use the new A12/A13 system-on-chip and these chips do not have a BOOTROM exploit. Without a BOOTROM exploit, it’s impossible to know whether this bug exists on those devices. So it is not known whether A13 Bionic chip powered iPhone 11, 11 Pro/Pro Max, and the iPhone SE are vulnerable to this exploit.

He also added that this vulnerability cannot be used to jailbreak via a web browser (JailbreakMe) or with an application (unc0ver) because the value in the TZ0 registry cannot be changed after boot. So, unless someone gets his/her hands on your iPhone and puts it in DFU mode, you are safe.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments